Mercurial > p > roundup > code

annotate .github/workflows/anchore.yml @ 8506:b6c6891754e9

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
bug: fix mis-commit of perf tests and crash fix for setTranslation The commit included more than it should have. It included some memory dump code that is not part of production. Also removed WIP for fixing crash bug when translation unable to create .mo file - issue2551405
author John Rouillard <rouilj@ieee.org>
date Thu, 25 Dec 2025 12:14:53 -0500
parents 839caadf6cad
children 80f34a0821f5
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
6838
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
1 # This workflow uses actions that are not certified by GitHub.
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
2 # They are provided by a third-party and are governed by
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
3 # separate terms of service, privacy policy, and support
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
4 # documentation.
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
5
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
6 # This workflow checks out code, builds an image, performs a container image
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
7 # vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
8 # code scanning feature. For more information on the Anchore scan action usage
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
9 # and parameters, see https://github.com/anchore/scan-action. For more
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
10 # information on Anchore's container image scanning tool Grype, see
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
11 # https://github.com/anchore/grype
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
12 name: Anchore Container Scan
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
13
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
14 on:
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
15 push:
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
16 branches: [ "master" ]
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
17 pull_request:
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
18 # The branches below must be a subset of the branches above
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
19 branches: [ "master" ]
7940
85c47edfc383 test: disable cron job running anchore
John Rouillard <rouilj@ieee.org>
parents: 7728
diff changeset
20 #schedule:
85c47edfc383 test: disable cron job running anchore
John Rouillard <rouilj@ieee.org>
parents: 7728
diff changeset
21 #- cron: '38 21 * * 6'
6838
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
22
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
23 permissions:
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
24 contents: read
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
25
6956
ca6b056b79a4 only run on most current push.
John Rouillard <rouilj@ieee.org>
parents: 6838
diff changeset
26 concurrency:
ca6b056b79a4 only run on most current push.
John Rouillard <rouilj@ieee.org>
parents: 6838
diff changeset
27 group: ${{ github.workflow }}-${{ github.ref }}
ca6b056b79a4 only run on most current push.
John Rouillard <rouilj@ieee.org>
parents: 6838
diff changeset
28 cancel-in-progress: true
ca6b056b79a4 only run on most current push.
John Rouillard <rouilj@ieee.org>
parents: 6838
diff changeset
29
6838
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
30 jobs:
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
31 Anchore-Build-Scan:
7194
8dc5b3739367 Prevent github actions from running if commit includes 'no-github-ci'
John Rouillard <rouilj@ieee.org>
parents: 7186
diff changeset
32 if: "!contains(github.event.head_commit.message, 'no-github-ci')"
6838
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
33 permissions:
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
34 contents: read # for actions/checkout to fetch code
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
35 security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
36 actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
37 runs-on: ubuntu-latest
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
38 steps:
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
39 - name: Checkout the code
8489
4e0944649af7 chore: update actions/checkout from 6.0.0 to 6.1.1 pull74
John Rouillard <rouilj@ieee.org>
parents: 8482
diff changeset
40 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
6838
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
41 - name: Build the Docker image
7147
7f4d20ebae4a another try. Use same shell that builds roundup image to update base.
John Rouillard <rouilj@ieee.org>
parents: 7146
diff changeset
42 run: docker pull python:3-alpine; docker build . --file scripts/Docker/Dockerfile --tag localbuild/testimage:latest
7273
6bffcc837bf7 Add list of docker to allow checking size.
John Rouillard <rouilj@ieee.org>
parents: 7270
diff changeset
43 - name: List the Docker image
6bffcc837bf7 Add list of docker to allow checking size.
John Rouillard <rouilj@ieee.org>
parents: 7270
diff changeset
44 run: docker image ls
6838
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
45 - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
8496
839caadf6cad build: bump anchore/scan-action from 7.2.1 to 7.2.2 (PR #75)
John Rouillard <rouilj@ieee.org>
parents: 8489
diff changeset
46 uses: anchore/scan-action@3c9a191a0fbab285ca6b8530b5de5a642cba332f # 7.2.2
7044
619563fbe2d3 Fix version identofier for Anchore scan
John Rouillard <rouilj@ieee.org>
parents: 7043
diff changeset
47 id: scan
6838
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
48 with:
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
49 image: "localbuild/testimage:latest"
7116
86dae713d4c6 Try to make anchore failure fail build but upload results
John Rouillard <rouilj@ieee.org>
parents: 7046
diff changeset
50 fail-build: true
6838
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
51 - name: Upload Anchore Scan Report
7116
86dae713d4c6 Try to make anchore failure fail build but upload results
John Rouillard <rouilj@ieee.org>
parents: 7046
diff changeset
52 if: always()
8336
1357dfcb81eb chore: update actions to current versions.
John Rouillard <rouilj@ieee.org>
parents: 7940
diff changeset
53 uses: github/codeql-action/upload-sarif@b1e4dc3db58c9601794e22a9f6d28d45461b9dbf # v2.22.0
6838
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
54 with:
7044
619563fbe2d3 Fix version identofier for Anchore scan
John Rouillard <rouilj@ieee.org>
parents: 7043
diff changeset
55 sarif_file: ${{ steps.scan.outputs.sarif }}
619563fbe2d3 Fix version identofier for Anchore scan
John Rouillard <rouilj@ieee.org>
parents: 7043
diff changeset
56 - name: Inspect action SARIF report
7116
86dae713d4c6 Try to make anchore failure fail build but upload results
John Rouillard <rouilj@ieee.org>
parents: 7046
diff changeset
57 if: always()
7044
619563fbe2d3 Fix version identofier for Anchore scan
John Rouillard <rouilj@ieee.org>
parents: 7043
diff changeset
58 run: cat ${{ steps.scan.outputs.sarif }}
Roundup Issue Tracker: http://roundup-tracker.org/