fix(kafka-setup): workaround for pyyaml dependencies in kafka-setup #213
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Docker Build, Scan, Test | |
on: | |
push: | |
branches: | |
- master | |
paths-ignore: | |
- "docs/**" | |
- "**.md" | |
pull_request: | |
branches: | |
- master | |
paths-ignore: | |
- "docs/**" | |
- "**.md" | |
release: | |
types: [published] | |
concurrency: | |
# Using `github.run_id` (unique val) instead of `github.ref` here | |
# because we don't want to cancel this workflow on master only for PRs | |
# as that makes reproducing issues easier | |
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }} | |
cancel-in-progress: true | |
env: | |
DATAHUB_GMS_IMAGE: 'heruko/datahub-gms' | |
DATAHUB_FRONTEND_IMAGE: 'heruko/datahub-frontend-react' | |
DATAHUB_MAE_CONSUMER_IMAGE: 'heruko/datahub-mae-consumer' | |
DATAHUB_MCE_CONSUMER_IMAGE: 'heruko/datahub-mce-consumer' | |
DATAHUB_KAFKA_SETUP_IMAGE: 'heruko/datahub-kafka-setup' | |
DATAHUB_ELASTIC_SETUP_IMAGE: 'heruko/datahub-elasticsearch-setup' | |
DATAHUB_MYSQL_SETUP_IMAGE: 'heruko/datahub-mysql-setup' | |
DATAHUB_UPGRADE_IMAGE: 'heruko/datahub-upgrade' | |
INGEST_API_IMAGE: 'heruko/ingest-api' | |
jobs: | |
setup: | |
runs-on: ubuntu-latest | |
outputs: | |
tag: ${{ steps.tag.outputs.tag }} | |
unique_tag: ${{ steps.tag.outputs.unique_tag }} | |
publish: ${{ steps.publish.outputs.publish }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Compute Tag | |
id: tag | |
run: | | |
source .github/scripts/docker_helpers.sh | |
echo "tag=$(get_tag)" >> $GITHUB_OUTPUT | |
echo "unique_tag=$(get_unique_tag)" >> $GITHUB_OUTPUT | |
- name: Check whether publishing enabled | |
id: publish | |
env: | |
ENABLE_PUBLISH: ${{ secrets.DOCKER_PASSWORD }} | |
run: | | |
echo "Enable publish: ${{ env.ENABLE_PUBLISH != '' }}" | |
echo "publish=${{ env.ENABLE_PUBLISH != '' }}" >> $GITHUB_OUTPUT | |
gms_build: | |
name: Build and Push DataHub GMS Docker Image | |
runs-on: ubuntu-latest | |
needs: setup | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Pre-build artifacts for docker image | |
run: | | |
./gradlew :metadata-service:war:build -x test --parallel | |
mv ./metadata-service/war/build/libs/war.war . | |
- name: Build and push | |
uses: ./.github/actions/docker-custom-build-and-push | |
with: | |
images: | | |
${{ env.DATAHUB_GMS_IMAGE }} | |
tags: ${{ needs.setup.outputs.tag }} | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
publish: ${{ needs.setup.outputs.publish }} | |
context: . | |
file: ./docker/datahub-gms/Dockerfile | |
platforms: linux/amd64,linux/arm64/v8 | |
gms_scan: | |
permissions: | |
contents: read # for actions/checkout to fetch code | |
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | |
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status | |
name: "[Monitoring] Scan GMS images for vulnerabilities" | |
runs-on: ubuntu-latest | |
needs: [setup, gms_build] | |
steps: | |
- name: Checkout # adding checkout step just to make trivy upload happy | |
uses: actions/checkout@v3 | |
- name: Download image | |
uses: ishworkh/docker-image-artifact-download@v1 | |
if: ${{ needs.setup.outputs.publish != 'true' }} | |
with: | |
image: ${{ env.DATAHUB_GMS_IMAGE }}:${{ needs.setup.outputs.unique_tag }} | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/[email protected] | |
env: | |
TRIVY_OFFLINE_SCAN: true | |
with: | |
image-ref: ${{ env.DATAHUB_GMS_IMAGE }}:${{ needs.setup.outputs.unique_tag }} | |
format: "template" | |
template: "@/contrib/sarif.tpl" | |
output: "trivy-results.sarif" | |
severity: "CRITICAL,HIGH" | |
ignore-unfixed: true | |
vuln-type: "os,library" | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: "trivy-results.sarif" | |
mae_consumer_build: | |
name: Build and Push DataHub MAE Consumer Docker Image | |
runs-on: ubuntu-latest | |
needs: setup | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Pre-build artifacts for docker image | |
run: | | |
./gradlew :metadata-jobs:mae-consumer-job:build -x test --parallel | |
mv ./metadata-jobs/mae-consumer-job/build/libs/mae-consumer-job.jar . | |
- name: Build and push | |
uses: ./.github/actions/docker-custom-build-and-push | |
with: | |
images: | | |
${{ env.DATAHUB_MAE_CONSUMER_IMAGE }} | |
tags: ${{ needs.setup.outputs.tag }} | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
publish: ${{ needs.setup.outputs.publish }} | |
context: . | |
file: ./docker/datahub-mae-consumer/Dockerfile | |
platforms: linux/amd64,linux/arm64/v8 | |
mae_consumer_scan: | |
name: "[Monitoring] Scan MAE consumer images for vulnerabilities" | |
runs-on: ubuntu-latest | |
needs: [setup, mae_consumer_build] | |
permissions: | |
contents: read # for actions/checkout to fetch code | |
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | |
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status | |
steps: | |
- name: Checkout # adding checkout step just to make trivy upload happy | |
uses: actions/checkout@v3 | |
- name: Download image | |
uses: ishworkh/docker-image-artifact-download@v1 | |
if: ${{ needs.setup.outputs.publish != 'true' }} | |
with: | |
image: ${{ env.DATAHUB_MAE_CONSUMER_IMAGE }}:${{ needs.setup.outputs.unique_tag }} | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/[email protected] | |
env: | |
TRIVY_OFFLINE_SCAN: true | |
with: | |
image-ref: ${{ env.DATAHUB_MAE_CONSUMER_IMAGE }}:${{ needs.setup.outputs.unique_tag }} | |
format: "template" | |
template: "@/contrib/sarif.tpl" | |
output: "trivy-results.sarif" | |
severity: "CRITICAL,HIGH" | |
ignore-unfixed: true | |
vuln-type: "os,library" | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: "trivy-results.sarif" | |
mce_consumer_build: | |
name: Build and Push DataHub MCE Consumer Docker Image | |
runs-on: ubuntu-latest | |
needs: setup | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Pre-build artifacts for docker image | |
run: | | |
./gradlew :metadata-jobs:mce-consumer-job:build -x test --parallel | |
mv ./metadata-jobs/mce-consumer-job/build/libs/mce-consumer-job.jar . | |
- name: Build and push | |
uses: ./.github/actions/docker-custom-build-and-push | |
with: | |
images: | | |
${{ env.DATAHUB_MCE_CONSUMER_IMAGE }} | |
tags: ${{ needs.setup.outputs.tag }} | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
publish: ${{ needs.setup.outputs.publish }} | |
context: . | |
file: ./docker/datahub-mce-consumer/Dockerfile | |
platforms: linux/amd64,linux/arm64/v8 | |
mce_consumer_scan: | |
name: "[Monitoring] Scan MCE consumer images for vulnerabilities" | |
runs-on: ubuntu-latest | |
needs: [setup, mce_consumer_build] | |
permissions: | |
contents: read # for actions/checkout to fetch code | |
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | |
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status | |
steps: | |
- name: Checkout # adding checkout step just to make trivy upload happy | |
uses: actions/checkout@v3 | |
- name: Download image | |
uses: ishworkh/docker-image-artifact-download@v1 | |
if: ${{ needs.setup.outputs.publish != 'true' }} | |
with: | |
image: ${{ env.DATAHUB_MCE_CONSUMER_IMAGE }}:${{ needs.setup.outputs.unique_tag }} | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/[email protected] | |
env: | |
TRIVY_OFFLINE_SCAN: true | |
with: | |
image-ref: ${{ env.DATAHUB_MCE_CONSUMER_IMAGE }}:${{ needs.setup.outputs.unique_tag }} | |
format: "template" | |
template: "@/contrib/sarif.tpl" | |
output: "trivy-results.sarif" | |
severity: "CRITICAL,HIGH" | |
ignore-unfixed: true | |
vuln-type: "os,library" | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: "trivy-results.sarif" | |
datahub_upgrade_build: | |
name: Build and Push DataHub Upgrade Docker Image | |
runs-on: ubuntu-latest | |
needs: setup | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Pre-build artifacts for docker image | |
run: | | |
./gradlew :datahub-upgrade:build -x test --parallel | |
mv ./datahub-upgrade/build/libs/datahub-upgrade.jar . | |
- name: Build and push | |
uses: ./.github/actions/docker-custom-build-and-push | |
with: | |
images: | | |
${{ env.DATAHUB_UPGRADE_IMAGE }} | |
tags: ${{ needs.setup.outputs.tag }} | |
username: ${{ secrets.ACRYL_DOCKER_USERNAME }} | |
password: ${{ secrets.ACRYL_DOCKER_PASSWORD }} | |
publish: ${{ needs.setup.outputs.publish }} | |
context: . | |
file: ./docker/datahub-upgrade/Dockerfile | |
platforms: linux/amd64,linux/arm64/v8 | |
datahub_upgrade_scan: | |
name: "[Monitoring] Scan DataHub Upgrade images for vulnerabilities" | |
runs-on: ubuntu-latest | |
needs: [setup, datahub_upgrade_build] | |
permissions: | |
contents: read # for actions/checkout to fetch code | |
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | |
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status | |
steps: | |
- name: Checkout # adding checkout step just to make trivy upload happy | |
uses: actions/checkout@v3 | |
- name: Download image | |
uses: ishworkh/docker-image-artifact-download@v1 | |
if: ${{ needs.setup.outputs.publish != 'true' }} | |
with: | |
image: ${{ env.DATAHUB_UPGRADE_IMAGE }}:${{ needs.setup.outputs.unique_tag }} | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/[email protected] | |
env: | |
TRIVY_OFFLINE_SCAN: true | |
with: | |
image-ref: ${{ env.DATAHUB_UPGRADE_IMAGE }}:${{ needs.setup.outputs.unique_tag }} | |
format: "template" | |
template: "@/contrib/sarif.tpl" | |
output: "trivy-results.sarif" | |
severity: "CRITICAL,HIGH" | |
ignore-unfixed: true | |
vuln-type: "os,library" | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: "trivy-results.sarif" | |
frontend_build: | |
name: Build and Push DataHub Frontend Docker Image | |
runs-on: ubuntu-latest | |
needs: setup | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Pre-build artifacts for docker image | |
run: | | |
./gradlew :datahub-frontend:dist -x test -x yarnTest -x yarnLint --parallel | |
mv ./datahub-frontend/build/distributions/datahub-frontend-*.zip datahub-frontend.zip | |
env: | |
NODE_OPTIONS: "--max-old-space-size=3072" | |
- name: Build and push | |
uses: ./.github/actions/docker-custom-build-and-push | |
with: | |
images: | | |
${{ env.DATAHUB_FRONTEND_IMAGE }} | |
tags: ${{ needs.setup.outputs.tag }} | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
publish: ${{ needs.setup.outputs.publish }} | |
context: . | |
file: ./docker/datahub-frontend/Dockerfile | |
platforms: linux/amd64,linux/arm64/v8 | |
frontend_scan: | |
name: "[Monitoring] Scan Frontend images for vulnerabilities" | |
runs-on: ubuntu-latest | |
needs: [setup, frontend_build] | |
permissions: | |
contents: read # for actions/checkout to fetch code | |
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | |
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status | |
steps: | |
- name: Checkout # adding checkout step just to make trivy upload happy | |
uses: actions/checkout@v3 | |
- name: Download image | |
uses: ishworkh/docker-image-artifact-download@v1 | |
if: ${{ needs.setup.outputs.publish != 'true' }} | |
with: | |
image: ${{ env.DATAHUB_FRONTEND_IMAGE }}:${{ needs.setup.outputs.unique_tag }} | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/[email protected] | |
env: | |
TRIVY_OFFLINE_SCAN: true | |
with: | |
image-ref: ${{ env.DATAHUB_FRONTEND_IMAGE }}:${{ needs.setup.outputs.unique_tag }} | |
format: "template" | |
template: "@/contrib/sarif.tpl" | |
output: "trivy-results.sarif" | |
severity: "CRITICAL,HIGH" | |
ignore-unfixed: true | |
vuln-type: "os,library" | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: "trivy-results.sarif" | |
kafka_setup_build: | |
name: Build and Push DataHub Kafka Setup Docker Image | |
runs-on: ubuntu-latest | |
needs: setup | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Build and push | |
uses: ./.github/actions/docker-custom-build-and-push | |
with: | |
images: | | |
${{ env.DATAHUB_KAFKA_SETUP_IMAGE }} | |
tags: ${{ needs.setup.outputs.tag }} | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
publish: ${{ needs.setup.outputs.publish }} | |
context: . | |
file: ./docker/kafka-setup/Dockerfile | |
platforms: linux/amd64,linux/arm64/v8 | |
mysql_setup_build: | |
name: Build and Push DataHub MySQL Setup Docker Image | |
runs-on: ubuntu-latest | |
needs: setup | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Build and push | |
uses: ./.github/actions/docker-custom-build-and-push | |
with: | |
images: | | |
${{ env.DATAHUB_MYSQL_SETUP_IMAGE }} | |
tags: ${{ needs.setup.outputs.tag }} | |
username: ${{ secrets.ACRYL_DOCKER_USERNAME }} | |
password: ${{ secrets.ACRYL_DOCKER_PASSWORD }} | |
publish: ${{ needs.setup.outputs.publish }} | |
context: . | |
file: ./docker/mysql-setup/Dockerfile | |
platforms: linux/amd64,linux/arm64/v8 | |
elasticsearch_setup_build: | |
name: Build and Push DataHub Elasticsearch Setup Docker Image | |
runs-on: ubuntu-latest | |
needs: setup | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Build and push | |
uses: ./.github/actions/docker-custom-build-and-push | |
with: | |
images: | | |
${{ env.DATAHUB_ELASTIC_SETUP_IMAGE }} | |
tags: ${{ needs.setup.outputs.tag }} | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
publish: ${{ needs.setup.outputs.publish }} | |
context: . | |
file: ./docker/elasticsearch-setup/Dockerfile | |
platforms: linux/amd64,linux/arm64/v8 | |
smoke_test: | |
name: Run Smoke Tests | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
test_strategy: ["no_cypress", "cypress_suite1", "cypress_rest"] | |
needs: | |
[ | |
setup, | |
gms_build, | |
frontend_build, | |
kafka_setup_build, | |
mysql_setup_build, | |
elasticsearch_setup_build, | |
mae_consumer_build, | |
mce_consumer_build, | |
datahub_upgrade_build, | |
] | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v3 | |
- name: Set up JDK 11 | |
uses: actions/setup-java@v3 | |
with: | |
distribution: "zulu" | |
java-version: 11 | |
- uses: actions/setup-python@v4 | |
with: | |
python-version: "3.7" | |
cache: "pip" | |
- name: Install dependencies | |
run: ./metadata-ingestion/scripts/install_deps.sh | |
- name: Build datahub cli | |
run: | | |
./gradlew :metadata-ingestion:install | |
- name: Download GMS image | |
uses: ishworkh/docker-image-artifact-download@v1 | |
if: ${{ needs.setup.outputs.publish != 'true' }} | |
with: | |
image: ${{ env.DATAHUB_GMS_IMAGE }}:${{ needs.setup.outputs.unique_tag }} | |
- name: Download Frontend image | |
uses: ishworkh/docker-image-artifact-download@v1 | |
if: ${{ needs.setup.outputs.publish != 'true' }} | |
with: | |
image: ${{ env.DATAHUB_FRONTEND_IMAGE }}:${{ needs.setup.outputs.unique_tag }} | |
- name: Download Kafka Setup image | |
uses: ishworkh/docker-image-artifact-download@v1 | |
if: ${{ needs.setup.outputs.publish != 'true' }} | |
with: | |
image: ${{ env.DATAHUB_KAFKA_SETUP_IMAGE }}:${{ needs.setup.outputs.unique_tag }} | |
- name: Download Mysql Setup image | |
uses: ishworkh/docker-image-artifact-download@v1 | |
if: ${{ needs.setup.outputs.publish != 'true' }} | |
with: | |
image: ${{ env.DATAHUB_MYSQL_SETUP_IMAGE }}:${{ needs.setup.outputs.unique_tag }} | |
- name: Download Elastic Setup image | |
uses: ishworkh/docker-image-artifact-download@v1 | |
if: ${{ needs.setup.outputs.publish != 'true' }} | |
with: | |
image: ${{ env.DATAHUB_ELASTIC_SETUP_IMAGE }}:${{ needs.setup.outputs.unique_tag }} | |
- name: Download MCE Consumer image | |
uses: ishworkh/docker-image-artifact-download@v1 | |
if: ${{ needs.setup.outputs.publish != 'true' }} | |
with: | |
image: ${{ env.DATAHUB_MCE_CONSUMER_IMAGE }}:${{ needs.setup.outputs.unique_tag }} | |
- name: Download MAE Consumer image | |
uses: ishworkh/docker-image-artifact-download@v1 | |
if: ${{ needs.setup.outputs.publish != 'true' }} | |
with: | |
image: ${{ env.DATAHUB_MAE_CONSUMER_IMAGE }}:${{ needs.setup.outputs.unique_tag }} | |
- name: Download upgrade image | |
uses: ishworkh/docker-image-artifact-download@v1 | |
if: ${{ needs.setup.outputs.publish != 'true' }} | |
with: | |
image: ${{ env.DATAHUB_UPGRADE_IMAGE }}:${{ needs.setup.outputs.unique_tag }} | |
- name: run quickstart | |
env: | |
DATAHUB_TELEMETRY_ENABLED: false | |
DATAHUB_VERSION: ${{ needs.setup.outputs.unique_tag }} | |
run: | | |
./smoke-test/run-quickstart.sh | |
- name: sleep 60s | |
run: | | |
# we are doing this because gms takes time to get ready | |
# and we don't have a better readiness check when bootstrap is done | |
sleep 60s | |
- name: Smoke test | |
env: | |
RUN_QUICKSTART: false | |
DATAHUB_VERSION: ${{ needs.setup.outputs.unique_tag }} | |
CYPRESS_RECORD_KEY: ${{ secrets.CYPRESS_RECORD_KEY }} | |
CLEANUP_DATA: "false" | |
TEST_STRATEGY: ${{ matrix.test_strategy }} | |
run: | | |
echo "$DATAHUB_VERSION" | |
./smoke-test/smoke.sh | |
- name: store logs | |
if: failure() | |
run: | | |
docker ps -a | |
docker logs datahub-gms >& gms-${{ matrix.test_strategy }}.log | |
- name: Upload logs | |
uses: actions/upload-artifact@v3 | |
if: failure() | |
with: | |
name: docker logs | |
path: "*.log" | |
- name: Upload screenshots | |
uses: actions/upload-artifact@v3 | |
if: failure() | |
with: | |
name: cypress-snapshots-${{ matrix.test_strategy }} | |
path: smoke-test/tests/cypress/cypress/screenshots/ | |
- uses: actions/upload-artifact@v3 | |
if: always() | |
with: | |
name: Test Results (smoke tests) ${{ matrix.test_strategy }} | |
path: | | |
**/build/reports/tests/test/** | |
**/build/test-results/test/** | |
**/junit.*.xml | |
- name: Slack failure notification | |
if: failure() && github.event_name == 'push' | |
uses: kpritam/slack-job-status-action@v1 | |
with: | |
job-status: ${{ job.status }} | |
slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }} | |
channel: github-activities | |
ingestapi_build: | |
name: Build and Push Ingest API image | |
runs-on: ubuntu-latest | |
needs: setup | |
outputs: | |
image_tag: ${{ steps.docker_meta.outputs.tags }} | |
image_name: ${{ env.INGEST_API_IMAGE }} | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v2 | |
with: | |
fetch-depth: 0 | |
- name: Build and push | |
uses: ./.github/actions/docker-custom-build-and-push | |
with: | |
images: | | |
${{ env.INGEST_API_IMAGE }} | |
tags: ${{ needs.setup.outputs.tag }} | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
publish: ${{ needs.setup.outputs.publish }} | |
context: . | |
file: ./docker/ingest-api/Dockerfile | |
platforms: linux/amd64,linux/arm64 | |
ingestapi_scan: | |
name: "[Monitoring] Scan ingest-api images for vulnerabilities" | |
runs-on: ubuntu-latest | |
needs: [setup, ingestapi_build] | |
steps: | |
- name: Download image | |
uses: ishworkh/docker-image-artifact-download@v1 | |
if: ${{ needs.setup.outputs.publish != 'true' }} | |
with: | |
image: ${{ env.INGEST_API_IMAGE }}:${{ needs.setup.outputs.unique_tag }} | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: ${{ env.INGEST_API_IMAGE }}:${{ needs.setup.outputs.unique_tag }} | |
format: 'table' | |
ignore-unfixed: true | |
vuln-type: 'os,library' | |
severity: 'CRITICAL,HIGH' |