pin and upgrade actions/checkout #916
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "build-test" | |
on: # rebuild any PRs and main branch changes | |
pull_request: | |
branches: [main] | |
push: | |
branches: | |
- main | |
release: | |
types: | |
- created | |
- edited | |
# Allows you to run this workflow manually from the Actions tab | |
workflow_dispatch: | |
jobs: | |
build: # make sure build/ci work properly and there is no faked build ncc built scripts | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- run: npm ci | |
- run: npm run package | |
- run: git status --porcelain | |
- run: git diff | |
- run: git diff --exit-code | |
test-on-fixture-dirs: | |
strategy: | |
matrix: | |
os: [ubuntu-latest, windows-latest] | |
runs-on: ${{ matrix.os }} | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
path: ./ | |
- uses: ./ | |
with: | |
path: ./tests/fixtures/npm-project | |
- uses: ./ | |
with: | |
path: ./tests/fixtures/yarn-project | |
- uses: ./ | |
id: yarn-scan | |
with: | |
path: ./tests/fixtures/yarn-project | |
- uses: ./ | |
with: | |
path: ./tests/fixtures/yarn-project | |
artifact-name: SBOM.txt | |
test: | |
runs-on: ubuntu-latest | |
services: | |
registry: | |
image: registry:2 | |
ports: | |
- 5000:5000 | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Build images | |
run: | | |
for distro in alpine centos debian; do | |
docker build -t localhost:5000/match-coverage/$distro ./tests/fixtures/image-$distro-match-coverage | |
docker push localhost:5000/match-coverage/${distro}:latest | |
done | |
- run: npm ci | |
- run: npm test | |
test-as-action: # make sure the action works on a clean machine without building | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
path: ./ | |
- uses: ./download-syft # anchore/sbom-action/download-syft | |
id: syft | |
- run: | | |
echo "${{ steps.syft.outputs.cmd }}" | |
"${{ steps.syft.outputs.cmd }}" dir:. | |
- uses: ./ # anchore/sbom-action | |
id: dirscan | |
with: | |
artifact-name: sbom.spdx | |
output-file: dirscan-sbom.spdx | |
format: spdx | |
- run: | | |
echo DIR SCAN SBOM: | |
cat dirscan-sbom.spdx | |
- uses: ./ # anchore/sbom-action | |
id: imagescan | |
with: | |
image: alpine:latest | |
artifact-name: sbom.spdx | |
output-file: my.sbom | |
- run: | | |
echo IMAGE SCAN SBOM: | |
cat my.sbom | |
- uses: ./publish-sbom # anchore/sbom-action/publish-sbom | |
with: | |
sbom-artifact-match: sbom.spdx | |
- uses: ./publish-sbom # anchore/sbom-action/publish-sbom | |
with: | |
sbom-artifact-match: "^dont-match-anything$" | |
- uses: ./ # anchore/sbom-action with artifact retention | |
name: "One day artifact retention test" | |
id: one-day | |
with: | |
image: alpine:latest | |
upload-artifact-retention: 1 | |
artifact-name: one-day.sbom.spdx | |
output-file: one-day-sbom.spdx | |
format: spdx |