chore(deps): update github/codeql-action action to v4.32.0 #548
Workflow file for this run
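# CI for the cloudflare-access-webhook-redirect image: cargo check/test/coverage/
# fmt/clippy via reusable workflows, then a local Docker build that is smoke-
# tested, size-checked and scanned with Trivy. Every action and reusable
# workflow is pinned to a full commit SHA; the trailing comment records the tag.
name: Build

on:
  push:
    branches: [ "master" ]
    paths:
      - 'Dockerfile'
      - '.dockerignore'
      - 'src/**'
      - 'Cargo.toml'
      - 'Cargo.lock'
      - '.github/workflows/build.yaml'
  pull_request:
    branches: [ "master" ]
    paths:
      - 'Dockerfile'
      - '.dockerignore'
      - 'src/**'
      - 'Cargo.toml'
      - 'Cargo.lock'
      - '.github/workflows/build.yaml'

env:
  CARGO_TERM_COLOR: always
  RUST_BACKTRACE: 1

# Workflow-wide default is read-only; jobs widen this only where a step needs it.
permissions:
  contents: read # Required to checkout the code

jobs:
  check:
    name: Check
    permissions:
      contents: read # Required to checkout the code
    uses: TimSchoenle/actions/.github/workflows/rust-cargo-check.yaml@d26be78199d3532cf21c4cab6ca850dd45e5627e # workflows-rust-cargo-check-v1.1.3

  coverage:
    name: Coverage
    permissions:
      contents: read # Required to checkout the code
    uses: TimSchoenle/actions/.github/workflows/rust-coverage-codecov.yaml@5933b5b32a3022bdcfdf1eebc8b459f5748763a4 # workflows-rust-coverage-codecov-v1.0.1
    secrets:
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

  test:
    name: Test
    permissions:
      contents: read # Required to checkout the code
    uses: TimSchoenle/actions/.github/workflows/rust-test.yaml@d681dc1bc16b10592a57a57d2845acbe97adb131 # workflows-rust-test-v1.0.1

  fmt:
    name: Auto Format
    # The reusable workflow authenticates as a GitHub App (it pushes formatting
    # commits), so it receives the app credentials rather than a widened token.
    uses: TimSchoenle/actions/.github/workflows/rust-auto-format.yaml@0369062f8f6310d02d8df754bec56e02727f5a36 # workflows-rust-auto-format-v1.1.1
    secrets:
      APP_ID: ${{ secrets.ACTIONS_MAINTENANCE_APP_ID }}
      PRIVATE_KEY: ${{ secrets.ACTIONS_MAINTENANCE_PRIVATE_KEY }}

  clippy:
    name: Clippy
    permissions:
      contents: read # Required to checkout the code
      checks: write # Required to annotate the commit with clippy warnings
    uses: TimSchoenle/actions/.github/workflows/rust-clippy.yaml@1a99a0b6267fad9f94b53277f3911c8d64f78026 # workflows-rust-clippy-v1.1.1

  docker-build-test:
    name: Docker Build and Test
    runs-on: ubuntu-latest
    needs: check
    concurrency:
      group: ${{ github.workflow }}-${{ github.ref }}-docker
      cancel-in-progress: true
    permissions:
      contents: read # Required to checkout the code
      security-events: write # Required to upload Trivy scan results
      pull-requests: write # Required to comment on PRs with image size
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          # `audit` records outbound connections without blocking them.
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
        with:
          # Do not leave the job token in .git/config for later steps.
          persist-credentials: false

      - name: Set up QEMU
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3

      - name: Build Docker image
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
        with:
          context: .
          # The image is only loaded into the local daemon for the steps below;
          # nothing is pushed from this job.
          push: false
          load: true
          tags: cloudflare-access-webhook-redirect:test
          build-args: |
            version=test
            release=test
            vendor=Timmi6790
            VERSION=test
          cache-from: type=gha
          cache-to: type=gha,mode=max

      # Smoke test only: `|| true` means a non-zero exit from the binary never
      # fails the job, so this verifies the image starts, not that the flags work.
      - name: Test Docker image runs
        run: |
          docker run --rm cloudflare-access-webhook-redirect:test --version || true
          docker run --rm cloudflare-access-webhook-redirect:test --help || true

      - name: Check image size
        id: size-check
        env:
          # Soft limit in MiB; exceeding it emits a workflow warning, not a failure.
          MAX_IMAGE_MB: 150
        run: |
          # Size in whole MiB from the daemon's byte count; the pipeline fails the
          # step (pipefail) if the image is missing.
          SIZE=$(docker image inspect cloudflare-access-webhook-redirect:test --format='{{.Size}}' | awk '{print int($1/1024/1024)}')
          echo "size=${SIZE}" >> "$GITHUB_OUTPUT"
          echo "Image size: ${SIZE}MB"
          if [ "${SIZE}" -gt "${MAX_IMAGE_MB}" ]; then
            echo "::warning::Image size (${SIZE}MB) exceeds ${MAX_IMAGE_MB}MB threshold"
          fi

      - name: Scan Docker image for vulnerabilities
        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
        with:
          image-ref: cloudflare-access-webhook-redirect:test
          # No exit-code is set, so findings are surfaced through the SARIF
          # upload below instead of failing this job.
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'

      - name: Upload Trivy results to GitHub Security
        uses: github/codeql-action/upload-sarif@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
        # Runs even when the scan step fails so partial results are not lost.
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'

      - name: Comment image size on PR
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        if: github.event_name == 'pull_request'
        env:
          # Passed through the environment rather than interpolated into the
          # script body, so the value is treated as data, not JavaScript.
          SIZE: ${{ steps.size-check.outputs.size }}
        with:
          script: |
            const size = process.env.SIZE;
            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: `🐳 Docker image size: **${size}MB**`
            });

  dependency-review:
    name: Dependency Review
    runs-on: ubuntu-latest
    needs: check
    concurrency:
      group: ${{ github.workflow }}-${{ github.ref }}-dependency-review
      cancel-in-progress: true
    # Dependency review compares base and head, so it only makes sense on PRs.
    if: github.event_name == 'pull_request'
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
        with:
          persist-credentials: false

      - name: Dependency Review
        uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4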