chore: short-lived grype-db cache #1136
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "Tests" | |
on: | |
workflow_dispatch: | |
pull_request: | |
push: | |
branches: | |
- main | |
jobs: | |
build: # make sure build/ci work properly and there is no faked build ncc built scripts | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- run: node --version | |
- uses: actions/setup-node@v4 | |
with: | |
node-version: 20 | |
- run: npm ci | |
- run: npm run audit | |
- run: npm run build | |
- run: git status --porcelain | |
- run: git diff --ws-error-highlight=all | cat -v | |
- run: git diff --exit-code | |
test: | |
runs-on: ubuntu-latest | |
services: | |
registry: | |
image: registry:2 | |
ports: | |
- 5000:5000 | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Build images | |
run: | | |
for distro in alpine centos debian; do | |
docker build -t localhost:5000/match-coverage/$distro ./tests/fixtures/image-$distro-match-coverage | |
docker push localhost:5000/match-coverage/$distro:latest | |
done | |
- name: Inspect | |
run: | | |
docker images -a | |
for distro in alpine centos debian; do | |
docker buildx imagetools inspect localhost:5000/match-coverage/$distro:latest | |
done | |
- run: npm ci | |
- run: npm run audit | |
- run: npm test | |
test-download-action: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
path: ./ | |
- name: "Donwload Grype v0.54.0" | |
id: grype | |
uses: ./download-grype # anchore/scan-action/download-grype | |
with: | |
grype-version: v0.54.0 | |
- name: "Check Grype version before scan-action" | |
run: ${{ steps.grype.outputs.cmd }} version | egrep "^Version:.*0.54.0$" | |
- name: "Scan test image" | |
uses: ./ | |
with: | |
image: "alpine:latest" | |
fail-build: false # to prevent fail due to vuln:s on test image | |
- name: "Check Grype version after scan-action" | |
run: ${{ steps.grype.outputs.cmd }} version | egrep "^Version:.*0.54.0$" | |
test-all: | |
strategy: | |
matrix: | |
config: [ | |
{image: 'alpine:latest'}, | |
{path: 'tests/fixtures/npm-project'}, | |
{sbom: 'tests/fixtures/test_sbom.spdx.json'}, | |
] | |
os: [ubuntu-latest, windows-latest, macos-latest] | |
output-format: [sarif, json, table] | |
runs-on: ${{ matrix.os }} | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- uses: ./ | |
id: scan | |
with: | |
image: ${{ matrix.config.image }} | |
path: ${{ matrix.config.path }} | |
sbom: ${{ matrix.config.sbom }} | |
output-format: ${{ matrix.output-format }} | |
fail-build: false | |
- name: Validate file exists | |
if: ${{ matrix.output-format != 'table' }} | |
run: test -f '${{ steps.scan.outputs[matrix.output-format] }}' |