Skip to content

Add gokakashi scanning in CI #54

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
daniel-chambers merged 13 commits into from
Mar 24, 2025
Merged

Add gokakashi scanning in CI #54

Changes from all commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
889172c
Add gokakashi scanning in CI
daniel-chambers Mar 21, 2025
f834575
Fix image tag
daniel-chambers Mar 21, 2025
4e6b6ee
Separate building and pushing docker images
daniel-chambers Mar 21, 2025
f409963
Try enabling containerd
daniel-chambers Mar 24, 2025
39a9e9f
Add some debugging output
daniel-chambers Mar 24, 2025
29c755a
Try again
daniel-chambers Mar 24, 2025
e37f778
Try changing socket permissions
daniel-chambers Mar 24, 2025
0940aa3
More debugging
daniel-chambers Mar 24, 2025
60033b4
Debug again
daniel-chambers Mar 24, 2025
c33572d
Typo
daniel-chambers Mar 24, 2025
87d8055
Try manually exporting and importing the image to containerd
daniel-chambers Mar 24, 2025
be74da9
Remove debug, add artifact uploading
daniel-chambers Mar 24, 2025
2cca8dc
Don't bother configuring docker to use containerd
daniel-chambers Mar 24, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
54 changes: 52 additions & 2 deletions .github/workflows/ndc-nodejs-lambda-connector.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,13 @@ jobs:
steps:
- uses: actions/checkout@v4

- name: Set up containerd
uses: crazy-max/ghaction-setup-containerd@v3

- name: Fix containerd socket permissions
run: |
sudo chgrp docker /run/containerd/containerd.sock

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

Expand Down Expand Up @@ -102,15 +109,58 @@ jobs:
shell: bash
working-directory: ./ndc-lambda-sdk

- uses: docker/build-push-action@v6
- name: Build docker image
uses: docker/build-push-action@v6
with:
context: .
build-args: |
CONNECTOR_VERSION=${{ steps.get-npm-package-version.outputs.package_version }}
platforms: linux/amd64,linux/arm64
tags: ${{ steps.docker-metadata.outputs.tags }}
labels: ${{ steps.docker-metadata.outputs.labels }}
outputs: type=oci,dest=/tmp/image.tar # Export the image to a tar so it can be imported into containerd so gokakashi can scan it

- name: Import docker image into containerd store
run: |
ctr images import --base-name ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }} --digests --all-platforms /tmp/image.tar

- name: Get first docker tag for gokakashi
id: first-docker-tag
run: |
FIRST_TAG=$(echo "${{ steps.docker-metadata.outputs.tags }}" | head -n 1)
echo "First docker tag: $FIRST_TAG"
echo "tag=$FIRST_TAG" >> $GITHUB_OUTPUT

- name: Scan docker image with gokakashi
uses: shinobistack/gokakashi-action@v0.1.1
with:
image: ${{ steps.first-docker-tag.outputs.tag }}
labels: agentKey=${{ github.run_id }}
policy: ci-platform
server: https://gokakashi-server.hasura-app.io
token: ${{ secrets.GOKAKASHI_API_TOKEN }}
cf_client_id: ${{ secrets.CF_ACCESS_CLIENT_ID }}
cf_client_secret: ${{ secrets.CF_ACCESS_CLIENT_SECRET }}
interval: 10
retries: 8

- name: Upload Trivy report as artifact
uses: actions/upload-artifact@v4
with:
name: trivy-report
path: /tmp/trivy-report-*.json

- name: Push docker image
uses: docker/build-push-action@v6
if: ${{ startsWith(github.ref, 'refs/tags/v') }}
with:
context: .
build-args: |
CONNECTOR_VERSION=${{ steps.get-npm-package-version.outputs.package_version }}
push: ${{ startsWith(github.ref, 'refs/tags/v') }}
platforms: linux/amd64,linux/arm64
tags: ${{ steps.docker-metadata.outputs.tags }}
labels: ${{ steps.docker-metadata.outputs.labels }}
push: true

release-connector:
name: Release connector
Expand Down