Mercurial > p > roundup > code

view .github/workflows/anchore.yml @ 8408:e882a5d52ae5

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
refactor: move RateLimitExceeded to roundup.cgi.exceptions RateLimitExceeded is an HTTP exception that raises code 429. Move it to roundup.cgi.exceptions where all the other exceptions that result in http status codes are located. Also make it inherit from HTTPException since it is one. Also add docstrings for all HTTP exceptions and order HTTPExceptions by status code. BREAKING CHANGE: if somebody is importing RateLimitExceeded they will need to change their import. I consider it unlikely anybody is using RateLimitExceeded. Detectors and extensions are unlikely to raise RateLimitExceeded. So I am leaving it out of the upgrading doc. Just doc in change log.
author John Rouillard <rouilj@ieee.org>
date Sun, 10 Aug 2025 21:27:06 -0400
parents 1357dfcb81eb
children fd72487d0054
line wrap: on
line source

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

# This workflow checks out code, builds an image, performs a container image
# vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security
# code scanning feature.  For more information on the Anchore scan action usage
# and parameters, see https://github.com/anchore/scan-action. For more
# information on Anchore's container image scanning tool Grype, see
# https://github.com/anchore/grype
name: Anchore Container Scan

on:
  push:
    branches: [ "master" ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ "master" ]
  #schedule:
    #- cron: '38 21 * * 6'

permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  Anchore-Build-Scan:
    if: "!contains(github.event.head_commit.message, 'no-github-ci')"
    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
    runs-on: ubuntu-latest
    steps:
    - name: Checkout the code
      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Build the Docker image
      run: docker pull python:3-alpine; docker build . --file scripts/Docker/Dockerfile --tag localbuild/testimage:latest
    - name: List the Docker image
      run: docker image ls
    - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
      uses: anchore/scan-action@be7a22da4f22dde446c4c4c099887ff5b256526c # 6.3.0
      id: scan
      with:
        image: "localbuild/testimage:latest"
        fail-build: true
    - name: Upload Anchore Scan Report
      if: always()
      uses: github/codeql-action/upload-sarif@b1e4dc3db58c9601794e22a9f6d28d45461b9dbf # v2.22.0
      with:
        sarif_file: ${{ steps.scan.outputs.sarif }}
    - name: Inspect action SARIF report
      if: always()
      run: cat ${{ steps.scan.outputs.sarif }}
Roundup Issue Tracker: http://roundup-tracker.org/