fix CVEs and bump go to 1.24.11 #601
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Precommit - Scan security vulnerabilities | |
| on: | |
| pull_request: | |
| branches: | |
| - "*" | |
| paths-ignore: | |
| - "docs/**" | |
| - "README.md" | |
| - "CHANGELOG.md" | |
| - "PROJECT" | |
| - "LICENSE" | |
| - "mesh-worker-service/README.md" | |
| - "tools/README.md" | |
| permissions: | |
| pull-requests: write | |
| issues: write | |
| jobs: | |
| build: | |
| name: Scan | |
| permissions: | |
| pull-requests: write | |
| issues: write | |
| runs-on: ubuntu-latest | |
| env: | |
| TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db | |
| TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db | |
| steps: | |
| - name: Free Disk Space (Ubuntu) | |
| uses: jlumbroso/[email protected] | |
| with: | |
| # this might remove tools that are actually needed, | |
| # if set to "true" but frees about 6 GB | |
| tool-cache: false | |
| # all of these default to true, but feel free to set to | |
| # "false" if necessary for your workflow | |
| android: true | |
| dotnet: true | |
| haskell: true | |
| large-packages: true | |
| docker-images: true | |
| swap-storage: true | |
| # the runner machine has a disk /dev/sdb1 which mounted to /mnt, and it has more free disk than /dev/sda1. | |
| # we can use it to save docker's data to avoid bookie error due to lack of disk. | |
| - name: change docker data dir | |
| run: | | |
| sudo service docker stop | |
| echo '{ "exec-opts": ["native.cgroupdriver=cgroupfs"], "cgroup-parent": "/actions_job", "data-root": "/mnt/docker" }' | sudo tee /etc/docker/daemon.json | |
| sudo service docker start | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| repository: ${{github.event.pull_request.head.repo.full_name}} | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| - name: Set up GO 1.24.11 | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: 1.24.11 | |
| id: go | |
| - name: InstallKubebuilder | |
| run: | | |
| curl -L https://github.com/kubernetes-sigs/kubebuilder/releases/download/v2.3.1/kubebuilder_2.3.1_linux_amd64.tar.gz | tar -xz -C /tmp/ | |
| sudo mv /tmp/kubebuilder_2.3.1_linux_amd64 /usr/local/kubebuilder | |
| export PATH=$PATH:/usr/local/kubebuilder/bin | |
| - name: Install operator-sdk | |
| run: | | |
| RELEASE_VERSION=v1.29.0 | |
| curl -LO "https://github.com/operator-framework/operator-sdk/releases/download/${RELEASE_VERSION}/operator-sdk_linux_amd64" | |
| chmod +x operator-sdk_linux_amd64 && sudo mkdir -p /usr/local/bin/ && sudo mv operator-sdk_linux_amd64 /usr/local/bin/operator-sdk | |
| - name: Set up yq | |
| run: | | |
| sudo wget https://github.com/mikefarah/yq/releases/download/v4.30.4/yq_linux_amd64 -O /usr/bin/yq | |
| sudo chmod +x /usr/bin/yq | |
| yq --help | |
| - name: Build operator image | |
| run: | | |
| make generate | |
| make helm-crds | |
| image="function-mesh-operator:latest" | |
| IMG=${image} make docker-build-skip-test | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: "function-mesh-operator:latest" | |
| format: "table" | |
| exit-code: "1" | |
| - name: Build runner images | |
| run: | | |
| PULSAR_IMAGE_TAG=3.2.2.6 PULSAR_IMAGE=streamnative/sn-platform KIND_PUSH=false images/build.sh | |
| - name: Run Trivy vulnerability scanner for java | |
| id: scan-java-runner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: "pulsar-functions-java-runner:latest" | |
| format: "table" | |
| exit-code: "0" | |
| - name: Run Trivy vulnerability scanner for python | |
| id: scan-python-runner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: "pulsar-functions-python-runner:latest" | |
| format: "table" | |
| exit-code: "0" | |
| - name: Run Trivy vulnerability scanner for go | |
| id: scan-go-runner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: "pulsar-functions-go-runner:latest" | |
| format: "table" | |
| exit-code: "0" | |
| - name: Run Trivy vulnerability scanner for java with pulsarctl | |
| id: scan-java-pulsarctl-runner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: "pulsar-functions-pulsarctl-java-runner:latest" | |
| format: "table" | |
| exit-code: "0" | |
| - name: Run Trivy vulnerability scanner for python with pulsarctl | |
| id: scan-python-pulsarctl-runner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: "pulsar-functions-pulsarctl-python-runner:latest" | |
| format: "table" | |
| exit-code: "0" | |
| - name: Run Trivy vulnerability scanner for go with pulsarctl | |
| id: scan-go-pulsarctl-runner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: "pulsar-functions-pulsarctl-go-runner:latest" | |
| format: "table" | |
| exit-code: "0" |