Add security.md #993
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# | |
# | |
# Copyright Red Hat | |
# | |
# Licensed under the Apache License, Version 2.0 (the "License"); | |
# you may not use this file except in compliance with the License. | |
# You may obtain a copy of the License at | |
# | |
# http://www.apache.org/licenses/LICENSE-2.0 | |
# | |
# Unless required by applicable law or agreed to in writing, software | |
# distributed under the License is distributed on an "AS IS" BASIS, | |
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
# See the License for the specific language governing permissions and | |
# limitations under the License. | |
name: CI | |
# Triggers the workflow on push or pull request events but only for the main branch | |
on: | |
push: | |
branches: [main] | |
pull_request: | |
branches: [main] | |
# Only allow one job of this action to be ran at a time | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.event.number || github.ref }} | |
cancel-in-progress: true | |
jobs: | |
build-and-validate: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
- name: Setup Go environment | |
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 | |
with: | |
# The Go version to download (if necessary) and use. Supports semver spec and ranges. | |
go-version: 1.21 | |
- name: Generate Go sources, CRDs and schemas | |
run: | | |
bash ./docker-run.sh ./build.sh | |
if [[ ! -z $(git status -s) ]] | |
then | |
echo 'Command `bash ./docker-run.sh ./build.sh` did introduce changes, which should not be the case if it had been run as part of the PR. Please run it locally and check in the results as part of your PR.' | |
git --no-pager diff | |
exit 1 | |
fi | |
- name: Validate samples against schemas | |
run: bash ./docker-run.sh ./validate-samples.sh | |
- name: Check license headers | |
run: | | |
export PATH=$PATH:$(go env GOPATH)/bin | |
go install github.com/google/addlicense@latest | |
bash ./check_licenses.sh | |
- name: Run GO tests | |
run: go test -coverprofile cover.out -v ./... | |
- name: Upload coverage to Codecov | |
uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4 | |
- name: Check typescript model generation | |
run: bash ./build/typescript-model/generate.sh | |
- name: Check GO mod state | |
run: | | |
go mod tidy | |
go mod vendor | |
git diff --exit-code || { echo 'Go mod is not clean. Execute "go mod tidy && go mod vendor" locally and commit changes to fix an issue'; exit 1; } | |
- name: Check GO format | |
run: | | |
go fmt -x ./... | |
git diff --exit-code || { echo 'Go sources need to be formatted. Execute "go fmt -x ./..." locally and commit changes to fix an issue'; exit 1; } | |
- name: Check Generator GO mod state | |
working-directory: generator | |
run: | | |
go mod tidy | |
go mod vendor | |
git diff --exit-code || { echo 'Go mod is not clean. Execute "go mod tidy && go mod vendor" locally in the 'generator' folder and commit changes to fix an issue'; exit 1; } | |
- name: Check Generator GO format | |
working-directory: generator | |
run: | | |
go fmt -x ./... | |
git diff --exit-code || { echo 'Go sources need to be formatted. Execute "go fmt -x ./..." locally in the 'generator' folder and commit changes to fix an issue'; exit 1; } | |
- name: Run Gosec Security Scanner | |
run: | | |
export PATH=$PATH:$(go env GOPATH)/bin | |
go install github.com/securego/gosec/v2/cmd/[email protected] | |
bash ./run_gosec.sh | |
if [[ $? != 0 ]] | |
then | |
echo "gosec scanner failed to run " | |
exit 1 | |
fi | |
- name: Upload SARIF file | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
# Path to SARIF file relative to the root of the repository | |
sarif_file: gosec.sarif |