modified trivy scan job #15
| name: CI/CD Pipeline for Linkding Helm Chart | |
| on: | |
| push: | |
| branches: [ develop, master ] | |
| env: | |
| HELM_VERSION: "3.14.0" | |
| jobs: | |
| package: | |
| name: Package Helm Charts | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Install Helm | |
| uses: azure/setup-helm@v3 | |
| with: | |
| version: ${{ env.HELM_VERSION }} | |
| - name: Package charts | |
| run: | | |
| mkdir -p packages | |
| for chart in charts/*/; do | |
| if [ -f "$chart/Chart.yaml" ]; then | |
| echo "Packaging chart: $chart" | |
| helm package "$chart" --destination packages | |
| fi | |
| done | |
| - name: Upload packages | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: helm-packages | |
| path: packages/ | |
| retention-days: 30 | |
| deploy: | |
| name: Deploy to GitHub Pages | |
| runs-on: ubuntu-latest | |
| needs: package | |
| if: github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/master' | |
| permissions: | |
| contents: read | |
| pages: write | |
| id-token: write | |
| environment: | |
| name: github-pages | |
| url: ${{ steps.deployment.outputs.page_url }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install Helm | |
| uses: azure/setup-helm@v3 | |
| with: | |
| version: ${{ env.HELM_VERSION }} | |
| - name: Download packages | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: helm-packages | |
| path: packages/ | |
| - name: Setup Pages | |
| uses: actions/configure-pages@v3 | |
| - name: Generate index.yaml | |
| run: | | |
| mkdir -p pages | |
| if [ -f "index.yaml" ]; then | |
| cp index.yaml pages/ | |
| fi | |
| helm repo index --url https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }} --merge pages/index.yaml packages/ | |
| cp packages/*.tgz pages/ | |
| cp packages/index.yaml pages/ | |
| - name: Add index.html | |
| run: | | |
| cat <<EOF > pages/index.html | |
| <!DOCTYPE html> | |
| <html> | |
| <body> | |
| <h1>Linkding Helm Chart repostitory</h1> | |
| <p>To use this repo run the following command:</p> | |
| <pre> | |
| helm repo add linkding https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }} | |
| </pre> | |
| </body> | |
| </html> | |
| EOF | |
| - name: Upload artifact | |
| uses: actions/upload-pages-artifact@v3 | |
| with: | |
| path: pages/ | |
| - name: Deploy to GitHub Pages | |
| id: deployment | |
| uses: actions/deploy-pages@v4 | |
| scan: | |
| name: Scan created Helm Chart | |
| runs-on: ubuntu-latest | |
| needs: [package, deploy] | |
| permissions: | |
| contents: read | |
| security-events: write | |
| steps: | |
| - name: Run Trivy security scan | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| scan-type: 'config' | |
| hide-progres: false | |
| format: 'sarif' | |
| scan-ref: 'charts/' | |
| output: 'trivy-result.sarif' | |
| - name: Upload Trivy scan result to Github security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: 'trivy-result.sarif' |
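Review bot: The scan job at the end of the section never checks out the repository, so `scan-ref: 'charts/'` points at a path that does not exist in the runner's workspace and Trivy has nothing to inspect; add `- name: Checkout code` / `uses: actions/checkout@v4` as the first step before "Run Trivy security scan". The input `hide-progres: false` is misspelled — the action's input is `hide-progress`, and an unknown input is ignored with a warning rather than failing the job, so the typo goes unnoticed. `uses: aquasecurity/trivy-action@master` tracks a mutable branch, which is a supply-chain exposure for a job that holds `security-events: write`; pin it to a release tag or commit SHA as the other actions in this file are pinned. Because the job declares `needs: [package, deploy]`, findings reach the Security tab only after the chart has already been published to Pages — if the scan is meant to gate the release, make `deploy` depend on `scan` instead.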