chore: bump github.com/aquasecurity/trivy from 0.64.0 to 0.64.1 (#1190) #23
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "[Blocking] Build" | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - release-* | |
| tags: | |
| - v* | |
| paths-ignore: | |
| - "**.md" | |
| - "website/**" | |
| - "docs/**" | |
| - "demo/**" | |
| pull_request: | |
| branches: | |
| - main | |
| - release-* | |
| paths-ignore: | |
| - "**.md" | |
| - "website/**" | |
| - "docs/**" | |
| - "demo/**" | |
| workflow_dispatch: | |
| env: | |
| TRIVY_VERSION: 0.59.1 | |
| BUILDKIT_VERSION: 0.19.0 | |
| TRIVY_DISABLE_VEX_NOTICE: "true" | |
| permissions: | |
| contents: read | |
| jobs: | |
| unit-test: | |
| name: Unit Test | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 5 | |
| permissions: read-all | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.3.1 | |
| with: | |
| egress-policy: audit | |
| - name: Check out code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 | |
| with: | |
| go-version: "1.24" | |
| check-latest: true | |
| - name: Add containerd-snapshotter to docker daemon | |
| run: | | |
| echo '{"features": { "containerd-snapshotter": true }}' | sudo tee /etc/docker/daemon.json | |
| sudo systemctl restart docker | |
| - name: Unit test | |
| shell: bash | |
| env: | |
| CODECOV_OPTS: "-coverprofile=coverage.txt -covermode=atomic" | |
| run: make test | |
| - name: Upload coverage to Codecov | |
| uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 | |
| env: | |
| CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} | |
| build: | |
| name: Build | |
| runs-on: ${{ matrix.os }} | |
| timeout-minutes: 5 | |
| permissions: | |
| packages: write | |
| contents: read | |
| strategy: | |
| matrix: | |
| os: [ubuntu-latest] | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.3.1 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 | |
| with: | |
| go-version: "1.24" | |
| check-latest: true | |
| - name: Build copa | |
| shell: bash | |
| run: | | |
| make build | |
| make archive | |
| - name: Upload copa to build artifacts | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: copa_edge_linux_amd64.tar.gz | |
| path: dist/linux_amd64/release/copa_edge_linux_amd64.tar.gz | |
| - name: Load test cases for patch testing | |
| id: load-test-envs-matrix | |
| shell: bash | |
| run: echo "buildkitenvs=$(.github/workflows/scripts/buildkit-env-matrix.sh)" | tee -a "${GITHUB_OUTPUT}" | |
| - name: Load multiplatform test environments | |
| id: load-multiplatform-envs-matrix | |
| shell: bash | |
| run: echo "multiplatformenvs=[\"docker\",\"podman/container\"]" | tee -a "${GITHUB_OUTPUT}" | |
| outputs: | |
| buildkitenvs: ${{ steps.load-test-envs-matrix.outputs.buildkitenvs }} | |
| multiplatformenvs: ${{ steps.load-multiplatform-envs-matrix.outputs.multiplatformenvs }} | |
| test-patch-trivy: | |
| needs: build | |
| name: Test patch with trivy ${{ matrix.buildkit_mode }} | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 30 | |
| permissions: read-all | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| buildkit_mode: ${{fromJson(needs.build.outputs.buildkitenvs)}} | |
| steps: | |
| - name: Download copa from build artifacts | |
| uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 | |
| with: | |
| name: copa_edge_linux_amd64.tar.gz | |
| - run: docker system prune -a -f --volumes | |
| - name: Check out code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 | |
| with: | |
| go-version: "1.24" | |
| check-latest: true | |
| - name: Install required tools | |
| shell: bash | |
| run: .github/workflows/scripts/download-tooling.sh | |
| - name: Download copa from build artifacts | |
| uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 | |
| with: | |
| name: copa_edge_linux_amd64.tar.gz | |
| - name: Extract copa | |
| shell: bash | |
| run: | | |
| tar xzf copa_edge_linux_amd64.tar.gz | |
| ./copa --version | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 | |
| - name: Run functional test | |
| shell: bash | |
| run: | | |
| set -eu -o pipefail | |
| . .github/workflows/scripts/buildkitenvs/${{ matrix.buildkit_mode}} | |
| go test -v ./integration/singlearch --addr="${COPA_BUILDKIT_ADDR}" --copa="$(pwd)/copa" -timeout 0 --report-file | |
| test-patch-no-report: | |
| needs: build | |
| name: Test patch no report ${{ matrix.buildkit_mode }} | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 30 | |
| permissions: read-all | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| buildkit_mode: ${{fromJson(needs.build.outputs.buildkitenvs)}} | |
| steps: | |
| - name: Download copa from build artifacts | |
| uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 | |
| with: | |
| name: copa_edge_linux_amd64.tar.gz | |
| - run: docker system prune -a -f --volumes | |
| - name: Check out code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 | |
| with: | |
| go-version: "1.24" | |
| check-latest: true | |
| - name: Install required tools | |
| shell: bash | |
| run: .github/workflows/scripts/download-tooling.sh | |
| - name: Download copa from build artifacts | |
| uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 | |
| with: | |
| name: copa_edge_linux_amd64.tar.gz | |
| - name: Extract copa | |
| shell: bash | |
| run: | | |
| tar xzf copa_edge_linux_amd64.tar.gz | |
| ./copa --version | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 | |
| - name: Run functional test | |
| shell: bash | |
| run: | | |
| set -eu -o pipefail | |
| . .github/workflows/scripts/buildkitenvs/${{ matrix.buildkit_mode}} | |
| echo "COPA_BUILDKIT_ADDR=${COPA_BUILDKIT_ADDR}" >> "$GITHUB_ENV" | |
| go test -v ./integration/singlearch --addr="${COPA_BUILDKIT_ADDR}" --copa="$(pwd)/copa" -timeout 0 | |
| - name: Test RPM validation - noreplace files | |
| if: ${{ !startsWith(env.COPA_BUILDKIT_ADDR, 'podman-container://') }} | |
| shell: bash | |
| run: | | |
| set -eux -o pipefail | |
| if [[ -n "${COPA_BUILDKIT_ADDR}" && "${COPA_BUILDKIT_ADDR}" == docker://* ]]; then | |
| export DOCKER_HOST="${COPA_BUILDKIT_ADDR#docker://}" | |
| fi | |
| docker create --name test ghcr.io/project-copacetic/copacetic/test/openssl:test-rpm-patched /bin/sh | |
| tmp="$(mktemp)" | |
| docker cp test:/etc/pki/tls/openssl.cnf "${tmp}" | |
| if ! grep -q foo "${tmp}"; then | |
| echo "Error: openssl.cnf content replaced" >&2 | |
| rm "${tmp}" | |
| docker rm -f test | |
| exit 1 | |
| fi | |
| rm "${tmp}" | |
| docker rm -f test | |
| - name: Test RPM validation - symlink | |
| if: ${{ !startsWith(env.COPA_BUILDKIT_ADDR, 'podman-container://') }} | |
| shell: bash | |
| run: | | |
| set -eux -o pipefail | |
| if [[ -n "${COPA_BUILDKIT_ADDR}" && "${COPA_BUILDKIT_ADDR}" == docker://* ]]; then | |
| export DOCKER_HOST="${COPA_BUILDKIT_ADDR#docker://}" | |
| fi | |
| docker create --name test ghcr.io/project-copacetic/copacetic/test/openssl:test-rpm-patched /bin/sh | |
| tmp="$(mktemp)" | |
| symlink_path="/sbin" | |
| docker cp test:"$symlink_path" "${tmp}_symlink" | |
| if [ ! -L "${tmp}_symlink" ]; then | |
| echo "Error: The path $symlink_path is not a symlink." | |
| rm "${tmp}" "${tmp}_symlink" | |
| docker rm -f test | |
| exit 1 | |
| fi | |
| rm "${tmp}" "${tmp}_symlink" | |
| docker rm -f test | |
| - name: Test Debian validation - noreplace files | |
| if: ${{ !startsWith(env.COPA_BUILDKIT_ADDR, 'podman-container://') }} | |
| shell: bash | |
| run: | | |
| set -eux -o pipefail | |
| _cleanup() { | |
| docker rm -f "$DOCKER_CUSTOM_UNIX_ID" | |
| sudo rm -rf "$SOCK_DIR" | |
| } | |
| if [[ -n "${COPA_BUILDKIT_ADDR}" && "${COPA_BUILDKIT_ADDR}" == docker://* ]]; then | |
| export DOCKER_HOST="${COPA_BUILDKIT_ADDR#docker://}" | |
| trap '_cleanup' EXIT | |
| fi | |
| docker create --name test ghcr.io/project-copacetic/copacetic/test/openssl:test-debian-patched /bin/sh | |
| tmp="$(mktemp)" | |
| docker cp test:/etc/ssl/openssl.cnf "${tmp}" | |
| if ! grep -q foo "${tmp}"; then | |
| echo "Error: openssl.cnf content replaced" >&2 | |
| rm "${tmp}" | |
| docker rm -f test | |
| exit 1 | |
| fi | |
| rm "${tmp}" | |
| docker rm -f test | |
| test-plugin: | |
| needs: build | |
| name: Test plugin | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 5 | |
| permissions: read-all | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.3.1 | |
| with: | |
| egress-policy: audit | |
| - name: Check out code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 | |
| with: | |
| go-version: "1.24" | |
| check-latest: true | |
| - name: Install scanner-plugin-template | |
| shell: bash | |
| run: | | |
| go install github.com/project-copacetic/scanner-plugin-template@latest | |
| mv $(go env GOPATH)/bin/scanner-plugin-template $(go env GOPATH)/bin/copa-fake | |
| mv $(go env GOPATH)/bin/copa-fake /usr/local/bin | |
| - name: Install required tools | |
| shell: bash | |
| run: .github/workflows/scripts/download-tooling.sh | |
| - name: Download copa from build artifacts | |
| uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 | |
| with: | |
| name: copa_edge_linux_amd64.tar.gz | |
| - name: Extract copa | |
| shell: bash | |
| run: | | |
| tar xzf copa_edge_linux_amd64.tar.gz | |
| ./copa --version | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 | |
| - name: Run e2e tests | |
| shell: bash | |
| run: | | |
| set -eu -o pipefail | |
| . .github/workflows/scripts/buildkitenvs/direct/tcp | |
| go test -v ./test/e2e/plugin --addr="${COPA_BUILDKIT_ADDR}" --copa="$(pwd)/copa" --scanner fake -timeout 0 | |
| test-push: | |
| needs: build | |
| name: Test push | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 5 | |
| permissions: read-all | |
| steps: | |
| - name: Check out code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 | |
| with: | |
| go-version: "1.24" | |
| check-latest: true | |
| - name: Add containerd-snapshotter to docker daemon | |
| run: | | |
| echo '{"features": { "containerd-snapshotter": true }}' | sudo tee /etc/docker/daemon.json | |
| sudo systemctl restart docker | |
| - name: Set up buildx | |
| uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 | |
| with: | |
| install: true | |
| - name: Install oras CLI | |
| uses: oras-project/setup-oras@8d34698a59f5ffe24821f0b48ab62a3de8b64b20 # v1.2.3 | |
| - name: Install required tools | |
| shell: bash | |
| run: .github/workflows/scripts/download-tooling.sh | |
| - name: Download copa from build artifacts | |
| uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 | |
| with: | |
| name: copa_edge_linux_amd64.tar.gz | |
| - name: Extract copa | |
| shell: bash | |
| run: | | |
| tar xzf copa_edge_linux_amd64.tar.gz | |
| ./copa --version | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 | |
| - name: Run e2e tests | |
| shell: bash | |
| run: | | |
| set -eu -o pipefail | |
| go test -v ./test/e2e/push --addr="docker://" --copa="$(pwd)/copa" | |
| test-patch-multiplatform: | |
| needs: build | |
| name: Test patch with multiplatform ${{ matrix.buildkit_mode }} | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 30 | |
| permissions: read-all | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| buildkit_mode: ${{fromJson(needs.build.outputs.multiplatformenvs)}} | |
| steps: | |
| - name: Change docker daemon config | |
| run: | | |
| echo '{"features": { "containerd-snapshotter": true }, "insecure-registries": ["localhost:5000"]}' | sudo tee /etc/docker/daemon.json | |
| sudo systemctl restart docker | |
| - name: Set up buildx | |
| uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 | |
| with: | |
| install: true | |
| platforms: linux/amd64,linux/arm/v5,linux/arm64,linux/386,linux/mips64le | |
| - name: Install oras CLI | |
| uses: oras-project/setup-oras@8d34698a59f5ffe24821f0b48ab62a3de8b64b20 # v1.2.3 | |
| - name: Set up local registry | |
| run: | | |
| docker run -d -p 5000:5000 --restart=always --name registry registry:2 | |
| # wait for the registry to be healthy | |
| for i in $(seq 1 60); do | |
| if curl -f http://localhost:5000/v2/_catalog; then | |
| break | |
| fi | |
| sleep 1 | |
| done | |
| - name: Test registry | |
| run: | | |
| set -eu -o pipefail | |
| docker pull nginx:latest | |
| docker tag nginx:latest localhost:5000/nginx:latest | |
| docker push localhost:5000/nginx:latest | |
| - name: Download copa from build artifacts | |
| uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 | |
| with: | |
| name: copa_edge_linux_amd64.tar.gz | |
| - run: docker system prune -a -f --volumes | |
| - name: Check out code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 | |
| with: | |
| go-version: "1.24" | |
| check-latest: true | |
| - name: Install required tools | |
| shell: bash | |
| run: .github/workflows/scripts/download-tooling.sh | |
| - name: Install multiplatform tooling | |
| shell: bash | |
| run: .github/workflows/scripts/download-multiplatform-tooling.sh | |
| - name: Download copa from build artifacts | |
| uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 | |
| with: | |
| name: copa_edge_linux_amd64.tar.gz | |
| - name: Extract copa | |
| shell: bash | |
| run: | | |
| tar xzf copa_edge_linux_amd64.tar.gz | |
| ./copa --version | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 | |
| - name: Run functional test | |
| shell: bash | |
| run: | | |
| set -eu -o pipefail | |
| if [[ "${{ matrix.buildkit_mode }}" == "docker" ]]; then | |
| # For docker mode, use the default docker daemon | |
| export COPA_BUILDKIT_ADDR="docker://" | |
| else | |
| # For other modes, source the corresponding script in the same shell session | |
| . .github/workflows/scripts/buildkitenvs/${{ matrix.buildkit_mode }} | |
| fi | |
| go test -v ./integration/multiarch --addr="${COPA_BUILDKIT_ADDR}" --copa="$(pwd)/copa" -timeout 0 | |
| test-patch-multiplatform-plugin: | |
| needs: build | |
| name: Test multiplatform with plugin | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 30 | |
| permissions: read-all | |
| steps: | |
| - name: Change docker daemon config | |
| run: | | |
| echo '{"features": { "containerd-snapshotter": true }, "insecure-registries": ["localhost:5000"], "dns": ["8.8.8.8", "8.8.4.4"]}' | sudo tee /etc/docker/daemon.json | |
| echo "nameserver 8.8.8.8" | sudo tee /etc/resolv.conf > /dev/null | |
| sudo systemctl restart docker | |
| - name: Set up buildx | |
| uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 | |
| with: | |
| install: true | |
| platforms: linux/amd64,linux/arm64 | |
| - name: Install oras CLI | |
| uses: oras-project/setup-oras@8d34698a59f5ffe24821f0b48ab62a3de8b64b20 # v1.2.3 | |
| - name: Set up local registry | |
| run: | | |
| docker run -d -p 5000:5000 --restart=always --name registry registry:2 | |
| # wait for the registry to be healthy | |
| for i in $(seq 1 60); do | |
| if curl -f http://localhost:5000/v2/_catalog; then | |
| break | |
| fi | |
| sleep 1 | |
| done | |
| - name: Test registry | |
| run: | | |
| set -eu -o pipefail | |
| docker pull nginx:latest | |
| docker tag nginx:latest localhost:5000/nginx:latest | |
| docker push localhost:5000/nginx:latest | |
| - name: Check out code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 | |
| with: | |
| go-version: "1.24" | |
| check-latest: true | |
| - name: Install scanner-plugin-template | |
| shell: bash | |
| run: | | |
| go install github.com/project-copacetic/scanner-plugin-template@latest | |
| mv $(go env GOPATH)/bin/scanner-plugin-template $(go env GOPATH)/bin/copa-fake | |
| mv $(go env GOPATH)/bin/copa-fake /usr/local/bin | |
| - name: Install required tools | |
| shell: bash | |
| run: .github/workflows/scripts/download-tooling.sh | |
| - name: Install multiplatform tooling | |
| shell: bash | |
| run: .github/workflows/scripts/download-multiplatform-tooling.sh | |
| - name: Download copa from build artifacts | |
| uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 | |
| with: | |
| name: copa_edge_linux_amd64.tar.gz | |
| - run: docker system prune -a -f --volumes | |
| - name: Extract copa | |
| shell: bash | |
| run: | | |
| tar xzf copa_edge_linux_amd64.tar.gz | |
| ./copa --version | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 | |
| - name: Run e2e multiplatform plugin tests | |
| shell: bash | |
| run: | | |
| set -eu -o pipefail | |
| go test -v ./test/e2e/multiplatform-plugin --addr=docker:// --copa="$(pwd)/copa" -timeout 0 |