From 065dcb1472e274d5e6e086e4a217274d5a95494f Mon Sep 17 00:00:00 2001 From: sbp-bvanb <126502840+sbp-bvanb@users.noreply.github.com> Date: Thu, 26 Sep 2024 11:05:05 +0200 Subject: [PATCH] fix: [#73] Use cached Trivy DBs to prevent bump into pull rate limiting issues (#74) --- .gitignore | 1 + README.md | 31 +++++++++++++++++++++---------- action.yml | 24 +++++++++++++++++++++++- 3 files changed, 45 insertions(+), 11 deletions(-) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..722d5e7 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.vscode diff --git a/README.md b/README.md index 151c495..b15d906 100644 --- a/README.md +++ b/README.md @@ -21,14 +21,17 @@ In summary, using this action will ensure that Golang code meets certain standards before it will be deployed to production as the assembly line will fail if an issue arises. -## usage +## Usage Create a `.github/workflows/golang.yml` file with the following content: -```bash +```yaml --- name: Golang -'on': push +"on": push +permissions: + contents: read + packages: read jobs: MCVS-golang-action: runs-on: ubuntu-20.04 
@@ -38,18 +41,26 @@ jobs: with: golang-unit-tests-exclusions: |- \(cmd\/some-app\|internal\/app\/some-app\) + token: ${{ secrets.GITHUB_TOKEN }} ``` and a [.golangci.yml](https://golangci-lint.run/usage/configuration/). -| option | default | -| ---------------------------------- | ------- | -| code_coverage_expected | 80 | -| golang-unit-tests-exclusions | ' ' | -| golangci-lint-version | v1.55.2 | -| golang-number-of-tests-in-parallel | 4 | + + +| Option | Default | Required | Description | +| :--------------------------------- | :----------------------------------- | -------- | :--------------------------------------------------------------------------------------------------------------- | +| code_coverage_expected | 80 | | | +| golang-unit-tests-exclusions | ' ' | | | +| golangci-lint-version | v1.55.2 | | | +| golang-number-of-tests-in-parallel | 4 | | | +| token | ' ' | x | GitHub token that is required to push an image to the registry of the project and to pull cached Trivy DB images | +| trivy-action-db | ghcr.io/aquasecurity/trivy-db:2 | | Replace this with a cached image to prevent bump into pull rate limiting issues | +| trivy-action-java-db | ghcr.io/aquasecurity/trivy-java-db:1 | | Replace this with a cached image to prevent bump into pull rate limiting issues | + + -## integration +## Integration To execute integration tests, make sure that the code is located in a file with a `_integration_test.go` postfix, such as `some_integration_test.go`. diff --git a/action.yml b/action.yml index 24df7b8..8b555ca 100644 --- a/action.yml +++ b/action.yml 
@@ -15,11 +15,23 @@ inputs:
 description: |
 The Golangci-lint version that has to be installed and used.
 default: v1.55.2
- required: true
 golang-number-of-tests-in-parallel:
 description: |
 Number of test in parallel.
 default: "4"
+ trivy-action-db:
+ default: "ghcr.io/aquasecurity/trivy-db:2"
+ description: |
+ OCI repository to retrieve trivy-db from.
+ trivy-action-java-db:
+ description: |
+ OCI repository to retrieve trivy-java-db from.
+ default: "ghcr.io/aquasecurity/trivy-java-db:1"
+ token:
+ description: |
+ A token is required to allow the mcvs-golang-action to pull the
+ cached trivy DBs to prevent bump into pull rate limits.
+ required: true
 runs:
 using: "composite"
 steps:
@@ -73,7 +85,17 @@ runs:
 path: "."
 severity-cutoff: high
 - uses: 030/trivyignore-validator-action@v0.1.2
+ - name: Log in to GitHub Packages Docker registry
+ shell: bash
+ run: |
+ echo "${{ inputs.token }}" |\ docker login ghcr.io -u ${{ github.actor }} --password-stdin
 - uses: aquasecurity/trivy-action@0.24.0
+ env:
+ TRIVY_DB_REPOSITORY: ${{ inputs.trivy-action-db }}
+ TRIVY_JAVA_DB_REPOSITORY: ${{ inputs.trivy-action-java-db }}
+ TRIVY_PASSWORD: ${{ inputs.token }}
+ TRIVY_USERNAME: ${{ github.actor }}
 with:
 scan-type: "fs"
 scan-ref: "."
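Review bot: The `token` input's description says only that it lets the action pull cached Trivy DBs, while the second hunk of this file also pipes the value into `docker login ghcr.io` and exports it as `TRIVY_PASSWORD`, so a caller cannot tell from the description what scope the token needs or where it flows. The README row added in this commit additionally says the token is needed to push an image, which nothing in action.yml does, so the two descriptions disagree on the required privilege; the README example's `packages: read` permission suggests read access is what is actually needed. I would replace the description with `GitHub token used for docker login to ghcr.io and exported as TRIVY_PASSWORD for trivy-action; read access to the packages hosting the cached DBs appears sufficient for what this action does.` and give `trivy-action-db` / `trivy-action-java-db` one line each saying the value is exported as `TRIVY_DB_REPOSITORY` / `TRIVY_JAVA_DB_REPOSITORY` and must be an OCI reference the token can pull. The `inputs:` mapping starts before this hunk.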
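Review bot: The new login step expands `${{ inputs.token }}` and `${{ github.actor }}` directly into the `run:` script, so the secret becomes part of the generated shell text and the unquoted `-u ${{ github.actor }}` is exposed to word splitting and globbing (bot actors such as `dependabot[bot]` carry glob characters). Passing both through the step's `env:` and quoting them in the script, as the trivy-action step in this same hunk already does with `TRIVY_PASSWORD` and `TRIVY_USERNAME`, keeps expression values out of the script body. The credential is also left in the runner's Docker config with no matching logout, which on a self-hosted runner outlives the job; a final `if: always()` step running `docker logout ghcr.io` bounds its lifetime. The `steps:` sequence starts before this hunk.
```yaml
    - name: Log in to GitHub Packages Docker registry
      shell: bash
      env:
        REGISTRY_USERNAME: ${{ github.actor }}
        REGISTRY_TOKEN: ${{ inputs.token }}
      run: |
        echo "$REGISTRY_TOKEN" |
          docker login ghcr.io -u "$REGISTRY_USERNAME" --password-stdin
    # … unchanged: aquasecurity/trivy-action@0.24.0 step with its env and with blocks …
    - name: Log out of GitHub Packages Docker registry
      if: always()
      shell: bash
      run: docker logout ghcr.io
```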