Bump aws-actions/amazon-ecr-login from 9238dd443b7a5941caf19ffbe68be34d4dbd61df to d5cf4f36e4c014a2577cb2e20da5db85ab3cf97a #407
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Infra: CVE checks" | |
| on: | |
| pull_request: | |
| types: [ "opened", "reopened", "synchronize" ] | |
| push: | |
| branches: [ "main" ] | |
| workflow_dispatch: | |
| schedule: | |
| # * is a special character in YAML so you have to quote this string | |
| - cron: '0 8 15 * *' | |
| permissions: | |
| contents: read | |
| jobs: | |
| check-cves: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 # infered from @v4 | |
| with: | |
| token: ${{ github.token }} | |
| - name: Set up JDK | |
| uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # infered from @v4 | |
| with: | |
| java-version: '21' | |
| distribution: 'zulu' | |
| cache: 'gradle' | |
| - name: Build project | |
| id: build | |
| run: | | |
| ./gradlew clean build \ | |
| -x test \ | |
| -Pbuild-docker-images=true \ | |
| -Pinclude-frontend=true \ | |
| -Pversion=latest | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # infered from @v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # infered from @v3 | |
| - name: Cache Docker layers | |
| uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # infered from @v4 | |
| with: | |
| path: /tmp/.buildx-cache | |
| key: ${{ runner.os }}-buildx-${{ github.sha }} | |
| restore-keys: | | |
| ${{ runner.os }}-buildx- | |
| - name: Build docker image | |
| uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # infered from @v6 | |
| with: | |
| builder: ${{ steps.buildx.outputs.name }} | |
| context: api | |
| platforms: linux/amd64 | |
| push: false | |
| load: true | |
| tags: | | |
| ghcr.io/kafbat/kafka-ui:latest | |
| build-args: | | |
| JAR_FILE=build/libs/api-latest.jar | |
| cache-from: type=local,src=/tmp/.buildx-cache | |
| cache-to: type=local,dest=/tmp/.buildx-cache | |
| - name: Run CVE checks | |
| uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # infered from @v0.29.0 | |
| with: | |
| image-ref: "ghcr.io/kafbat/kafka-ui:latest" | |
| format: "table" | |
| exit-code: "1" | |
| notify: | |
| needs: check-cves | |
| if: ${{ always() && needs.build-and-test.result == 'failure' && github.event_name == 'schedule' }} | |
| uses: ./.github/workflows/infra_discord_hook.yml | |
| with: | |
| message: "Attention! CVE checks run failed! Please fix them CVEs :(" | |
| secrets: | |
| DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL_CVE }} |