Bump aws-actions/amazon-ecr-login from 9238dd443b7a5941caf19ffbe68be34d4dbd61df to 0a67558866f6caa88dc86a206959e1c086db6f71 #591
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Infra: CVE checks" | |
| on: | |
| pull_request: | |
| types: [ "opened", "reopened", "synchronize" ] | |
| push: | |
| branches: [ "main" ] | |
| workflow_dispatch: | |
| schedule: | |
| # * is a special character in YAML so you have to quote this string | |
| - cron: '0 8 15 * *' | |
| permissions: | |
| contents: read | |
| jobs: | |
| check-cves: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 # infered from @v4 | |
| with: | |
| token: ${{ github.token }} | |
| - name: Set up JDK | |
| uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # infered from @v4 | |
| with: | |
| java-version: '21' | |
| distribution: 'zulu' | |
| cache: 'gradle' | |
| - name: Build project | |
| id: build | |
| run: | | |
| ./gradlew clean build \ | |
| -x test \ | |
| -Pbuild-docker-images=true \ | |
| -Pinclude-frontend=true \ | |
| -Pversion=latest | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # infered from @v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # infered from @v3 | |
| - name: Cache Docker layers | |
| uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # infered from @v4 | |
| with: | |
| path: /tmp/.buildx-cache | |
| key: ${{ runner.os }}-buildx-${{ github.sha }} | |
| restore-keys: | | |
| ${{ runner.os }}-buildx- | |
| - name: Build docker image | |
| uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # infered from @v6 | |
| with: | |
| builder: ${{ steps.buildx.outputs.name }} | |
| context: api | |
| platforms: linux/amd64 | |
| push: false | |
| load: true | |
| tags: | | |
| ghcr.io/kafbat/kafka-ui:latest | |
| build-args: | | |
| JAR_FILE=build/libs/api-latest.jar | |
| cache-from: type=local,src=/tmp/.buildx-cache | |
| cache-to: type=local,dest=/tmp/.buildx-cache | |
| - name: Run CVE checks | |
| uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # infered from @v0.29.0 | |
| with: | |
| image-ref: "ghcr.io/kafbat/kafka-ui:latest" | |
| format: "table" | |
| exit-code: "1" | |
| notify: | |
| needs: check-cves | |
| if: ${{ always() && needs.build-and-test.result == 'failure' && github.event_name == 'schedule' }} | |
| uses: ./.github/workflows/infra_discord_hook.yml | |
| with: | |
| message: "Attention! CVE checks run failed! Please fix them CVEs :(" | |
| secrets: | |
| DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL_CVE }} |