Skip to content
This repository has been archived by the owner on Mar 20, 2024. It is now read-only.

Removed write-all (#91) #355

Removed write-all (#91)

Removed write-all (#91) #355

Workflow file for this run

name: 'Public-CI'
on: [push, pull_request]
permissions: # added using https://github.com/step-security/secure-repo
contents: read
jobs:
# Super-linter consists of several lint tools
# lint tools are assigned to the pipeline via the env field
# For more information, please see https://github.com/github/super-linter
super-linter:
permissions:
contents: read # for actions/checkout to fetch code
statuses: write # for github/super-linter to mark status of each linter run
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- name: super-linter
uses: github/super-linter@985ef206aaca4d560cb9ee2af2b42ba44adc1d55 # v4.10.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
LINTER_RULES_PATH: /
VALIDATE_BASH: true
VALIDATE_GO: true
VALIDATE_DOCKERFILE_HADOLINT: true
VALIDATE_CLANG_FORMAT: true
VALIDATE_JSON: true
# Build stage executes binary builds for CNI and device-plugin
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- name: Set up Go
uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2.2.0
with:
go-version: 1.19
- name: Install libbpf and libxdp
run: |
sudo apt update
sudo apt install -y wget build-essential golang
sudo wget http://security.ubuntu.com/ubuntu/pool/main/libb/libbpf/libbpf1_1.1.0-1_amd64.deb
sudo wget http://security.ubuntu.com/ubuntu/pool/main/libb/libbpf/libbpf-dev_1.1.0-1_amd64.deb
sudo wget https://mirrors.edge.kernel.org/ubuntu/pool/main/x/xdp-tools/libxdp1_1.3.0-2ubuntu2_amd64.deb
sudo wget https://mirrors.edge.kernel.org/ubuntu/pool/main/x/xdp-tools/libxdp-dev_1.3.0-2ubuntu2_amd64.deb
sudo apt install -y ./libbpf1_1.1.0-1_amd64.deb
sudo apt install -y ./libbpf-dev_1.1.0-1_amd64.deb
sudo apt install -y ./libxdp1_1.3.0-2ubuntu2_amd64.deb
sudo apt install -y ./libxdp-dev_1.3.0-2ubuntu2_amd64.deb
sudo apt install -y clang
sudo apt install -y llvm
sudo apt install -y gcc-multilib
- name: Run build
run: make build
# go-static-tools scans code base and packages using go-vet, go mod verify and staticcheck
go-static-tools:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- name: Set up Go
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
with:
go-version: 1.19
- name: Install libbpf and libxdp
run: |
sudo apt update
sudo apt install -y wget build-essential golang
sudo wget http://security.ubuntu.com/ubuntu/pool/main/libb/libbpf/libbpf1_1.1.0-1_amd64.deb
sudo wget http://security.ubuntu.com/ubuntu/pool/main/libb/libbpf/libbpf-dev_1.1.0-1_amd64.deb
sudo wget https://mirrors.edge.kernel.org/ubuntu/pool/main/x/xdp-tools/libxdp1_1.3.0-2ubuntu2_amd64.deb
sudo wget https://mirrors.edge.kernel.org/ubuntu/pool/main/x/xdp-tools/libxdp-dev_1.3.0-2ubuntu2_amd64.deb
sudo apt install -y ./libbpf1_1.1.0-1_amd64.deb
sudo apt install -y ./libbpf-dev_1.1.0-1_amd64.deb
sudo apt install -y ./libxdp1_1.3.0-2ubuntu2_amd64.deb
sudo apt install -y ./libxdp-dev_1.3.0-2ubuntu2_amd64.deb
- name: Install staticcheck
run: go install honnef.co/go/tools/cmd/staticcheck@latest
- name: run static analysis
run: make static-ci
# unit-test stage
unit-tests:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- name: Set up Go
uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2.2.0
with:
go-version: 1.19
- name: Install libbpf and libxdp
run: |
sudo apt update
sudo apt install -y wget build-essential golang
sudo wget http://security.ubuntu.com/ubuntu/pool/main/libb/libbpf/libbpf1_1.1.0-1_amd64.deb
sudo wget http://security.ubuntu.com/ubuntu/pool/main/libb/libbpf/libbpf-dev_1.1.0-1_amd64.deb
sudo wget https://mirrors.edge.kernel.org/ubuntu/pool/main/x/xdp-tools/libxdp1_1.3.0-2ubuntu2_amd64.deb
sudo wget https://mirrors.edge.kernel.org/ubuntu/pool/main/x/xdp-tools/libxdp-dev_1.3.0-2ubuntu2_amd64.deb
sudo apt install -y ./libbpf1_1.1.0-1_amd64.deb
sudo apt install -y ./libbpf-dev_1.1.0-1_amd64.deb
sudo apt install -y ./libxdp1_1.3.0-2ubuntu2_amd64.deb
sudo apt install -y ./libxdp-dev_1.3.0-2ubuntu2_amd64.deb
sudo apt install -y clang
sudo apt install -y llvm
sudo apt install -y gcc-multilib
- name: unit-tests
run: make test
# Trivy Scan
trivy-scan:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL'
- name: Build Docker image
run: make docker
- name: Generate .tar image
run: docker save -o vul-image.tar afxdp-device-plugin:latest
- name: Run Trivy on tarballed image
uses: aquasecurity/trivy-action@master
with:
image-ref: /github/workspace/vul-image.tar
scan-type: 'fs'
ignore-unfixed: false
format: 'sarif'
output: 'trivy-image-results.sarif'
severity: 'CRITICAL'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
- name: Print sarif file
run: cat < trivy-results.sarif
- name: Print image sarif file
run: cat trivy-image-results.sarif