Remove token from report mode in Trivy #6226
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: PR Continuous Integration | |
on: | |
pull_request: | |
workflow_dispatch: | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.event.pull_request.number }} # Ensure that only one instance of this workflow is running per Pull Request | |
cancel-in-progress: true # Cancel any previous runs of this workflow | |
jobs: | |
run_rubocop: | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Configure git | |
run: 'git config --global init.defaultBranch main' | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag v4.1.7 | |
- uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc # tag v1.202.0 | |
with: | |
ruby-version: '3.3' | |
- run: bundle | |
- run: rubocop | |
unit_tests: | |
needs: run_rubocop | |
runs-on: ubuntu-22.04 | |
services: | |
mysql: | |
image: mysql:5.7 | |
env: | |
MYSQL_ALLOW_EMPTY_PASSWORD: yes | |
CI_FOR_PR: true | |
options: --health-cmd="mysqladmin ping" --health-interval=10s --health-timeout=5s --health-retries=3 | |
ports: | |
- "3306:3306" | |
strategy: | |
fail-fast: false | |
matrix: | |
ruby-version: [2.4.10, 3.3.6] | |
steps: | |
- name: Configure git | |
run: 'git config --global init.defaultBranch main' | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag v4.1.7 | |
# - curl is needed for Curb | |
# - xslt is needed for older Nokogiris, RUBY_VERSION < 2.5 | |
# - sasl is needed for memcached | |
- name: Install OS packages | |
run: sudo apt-get update; sudo apt-get install -y --no-install-recommends libcurl4-nss-dev libsasl2-dev libxslt1-dev | |
- name: Install Ruby ${{ matrix.ruby-version }} | |
uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc # tag v1.202.0 | |
with: | |
ruby-version: ${{ matrix.ruby-version }} | |
- name: Set up mini-envs for ruby version | |
uses: ./.github/actions/variable-mapper | |
with: | |
key: ${{ matrix.ruby-version }} | |
map: | | |
{ | |
"2.4.10": { | |
"rails": "norails,rails42,rails52" | |
}, | |
"3.3.6": { | |
"rails": "norails,rails61,rails72" | |
} | |
} | |
- if: matrix.ruby-version == '2.4.10' | |
name: Prepare mysql directory | |
run: sudo chown -R $USER /usr/local | |
- if: matrix.ruby-version == '2.4.10' | |
name: Cache mysql55 | |
id: mysql55-cache | |
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # tag v4.0.2 | |
with: | |
path: /usr/local/mysql55 | |
key: mysql55-install | |
- if: steps.mysql55-cache.outputs.cache-hit != 'true' && matrix.ruby-version == '2.4.10' | |
name: Install mysql55 | |
run: sudo ./test/script/install_mysql55 | |
- name: Setup bundler | |
run: ./.github/workflows/scripts/setup_bundler | |
env: | |
RUBY_VERSION: ${{ matrix.ruby-version }} | |
RAILS_VERSION: ${{ env.rails }} | |
CI_FOR_PR: true | |
- name: Run Unit Tests | |
uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # tag v3.0.0 | |
with: | |
timeout_minutes: 30 | |
max_attempts: 2 | |
command: bundle exec rake test:env[${{ env.rails }}] | |
env: | |
DB_PORT: ${{ job.services.mysql.ports[3306] }} | |
VERBOSE_TEST_OUTPUT: true | |
COVERAGE: true | |
CI_FOR_PR: true | |
- name: Save coverage results | |
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # tag v4.3.4 | |
with: | |
name: coverage-report-unit-tests-${{ matrix.ruby-version }}-${{ env.rails }} | |
path: lib/coverage_*/.resultset.json | |
multiverse: | |
needs: run_rubocop | |
runs-on: ubuntu-22.04 | |
services: | |
elasticsearch7: | |
image: elasticsearch:7.16.2 | |
env: | |
discovery.type: single-node | |
ports: | |
- 9200:9200 | |
options: >- | |
--health-cmd "curl http://localhost:9200/_cluster/health" | |
--health-interval 10s | |
--health-timeout 5s | |
--health-retries 10 | |
elasticsearch8: | |
image: elasticsearch:8.13.0 | |
env: | |
discovery.type: single-node | |
xpack.security.enabled: false | |
ports: | |
- 9250:9200 | |
options: >- | |
--health-cmd "curl http://localhost:9200/_cluster/health" | |
--health-interval 10s | |
--health-timeout 5s | |
--health-retries 10 | |
zookeeper: | |
image: bitnami/zookeeper | |
ports: | |
- 2181:2181 | |
env: | |
ALLOW_ANONYMOUS_LOGIN: yes | |
options: >- | |
--health-cmd "echo mntr | nc -w 2 -q 2 localhost 2181" | |
--health-interval 10s | |
--health-timeout 5s | |
--health-retries 5 | |
kafka: | |
image: bitnami/kafka | |
ports: | |
- 9092:9092 | |
options: >- | |
--health-cmd "kafka-broker-api-versions.sh --version" | |
--health-interval 10s | |
--health-timeout 5s | |
--health-retries 5 | |
env: | |
KAFKA_CFG_ZOOKEEPER_CONNECT: zookeeper:2181 | |
ALLOW_PLAINTEXT_LISTENER: yes | |
KAFKA_LISTENERS: INSIDE://0.0.0.0:9093,OUTSIDE://0.0.0.0:9092 | |
KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: INSIDE:PLAINTEXT,OUTSIDE:PLAINTEXT | |
KAFKA_INTER_BROKER_LISTENER_NAME: INSIDE | |
KAFKA_ADVERTISED_LISTENERS: INSIDE://kafka:9093,OUTSIDE://localhost:9092 | |
memcached: | |
image: memcached:latest | |
ports: | |
- 11211:11211 | |
options: >- | |
--health-cmd "timeout 5 bash -c 'cat < /dev/null > /dev/udp/127.0.0.1/11211'" | |
--health-interval 10s | |
--health-timeout 5s | |
--health-retries 5 | |
mongodb: | |
image: ${{ contains(fromJson('["2.4.10"]'), matrix.ruby-version) && 'mongo:5.0.11' || 'mongo:latest' }} | |
ports: | |
- 27017:27017 | |
mysql: | |
image: mysql:5.7 | |
env: | |
MYSQL_ROOT_PASSWORD: root | |
options: --health-cmd="mysqladmin ping" --health-interval=10s --health-timeout=5s --health-retries=3 | |
ports: | |
- 3306 | |
postgres: | |
image: postgres:latest | |
env: | |
POSTGRES_USERNAME: postgres | |
POSTGRES_PASSWORD: password | |
ports: | |
- 5432:5432 | |
options: >- | |
--health-cmd pg_isready | |
--health-interval 10s | |
--health-timeout 5s | |
--health-retries 5 | |
rabbitmq: | |
image: rabbitmq:latest | |
ports: | |
- 5672:5672 | |
options: >- | |
--health-cmd "rabbitmq-diagnostics -q check_port_connectivity" | |
--health-interval 10s | |
--health-timeout 5s | |
--health-retries 5 | |
redis: | |
image: redis | |
ports: | |
- 6379:6379 | |
options: >- | |
--health-cmd "redis-cli ping" | |
--health-interval 10s | |
--health-timeout 5s | |
--health-retries 5 | |
strategy: | |
fail-fast: false | |
matrix: | |
multiverse: [agent, ai, background, background_2, kafka, database, frameworks, httpclients, httpclients_2, rails, rest] | |
ruby-version: [2.4.10, 3.3.6] | |
steps: | |
- name: Configure git | |
run: 'git config --global init.defaultBranch main' | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag v4.1.7 | |
# - curl is needed for Curb | |
# - xslt is needed for older Nokogiris, RUBY_VERSION < 2.5 | |
# - sasl is needed for memcached | |
- name: Install OS packages | |
run: sudo apt-get update; sudo apt-get install -y --no-install-recommends libcurl4-nss-dev libsasl2-dev libxslt1-dev | |
- name: Install Ruby ${{ matrix.ruby-version }} | |
uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc # tag v1.202.0 | |
with: | |
ruby-version: ${{ matrix.ruby-version }} | |
# This allows the cache in the following step to be able to write files to the directory needed for mysql | |
- if: matrix.ruby-version == '2.4.10' | |
name: Prepare mysql directory | |
run: sudo chown -R $USER /usr/local | |
- if: matrix.ruby-version == '2.4.10' | |
name: Cache mysql55 | |
id: mysql55-cache | |
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # tag v4.0.2 | |
with: | |
path: /usr/local/mysql55 | |
key: mysql55-install | |
- if: steps.mysql55-cache.outputs.cache-hit != 'true' && matrix.ruby-version == '2.4.10' | |
name: Install mysql55 | |
run: sudo ./test/script/install_mysql55 | |
- name: Setup bundler | |
run: ./.github/workflows/scripts/setup_bundler | |
env: | |
RUBY_VERSION: ${{ matrix.ruby-version }} | |
- name: Wait for/Check Mysql | |
uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # tag v3.0.0 | |
with: | |
timeout_minutes: 1 | |
max_attempts: 20 | |
command: | | |
mysql --host 127.0.0.1 --port ${{ job.services.mysql.ports[3306] }} -uroot -proot -e "SHOW GRANTS FOR 'root'@'localhost'"; | |
if [[ $? != 0 ]]; then | |
sleep 1; | |
fi | |
- name: Run Multiverse Tests | |
uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # tag v3.0.0 | |
with: | |
timeout_minutes: 60 | |
max_attempts: 2 | |
command: bundle exec rake test:multiverse[group="${{ matrix.multiverse }}"] | |
env: | |
VERBOSE_TEST_OUTPUT: true | |
MYSQL_PASSWORD: root | |
DB_PASSWORD: root | |
DB_PORT: ${{ job.services.mysql.ports[3306] }} | |
MYSQL_PORT: ${{ job.services.mysql.ports[3306] }} | |
MYSQL_HOST: 127.0.0.1 | |
POSTGRES_USERNAME: postgres | |
POSTGRES_PASSWORD: password | |
SERIALIZE: 1 | |
COVERAGE: true | |
CI_FOR_PR: true | |
- name: Annotate errors | |
if: ${{ failure() }} | |
uses: ./.github/actions/annotate | |
- name: Save coverage results | |
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # tag v4.3.4 | |
with: | |
name: coverage-report-multiverse-${{ matrix.ruby-version }}-${{ matrix.multiverse }} | |
path: lib/coverage_*/.resultset.json | |
retention-days: 2 | |
- name: Generate gem manifest | |
run: rake test:multiverse:gem_manifest | |
- name: Save gem manifest | |
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # tag v4.3.4 | |
with: | |
name: gem_manifest_${{ matrix.ruby-version }}_${{ matrix.multiverse }}.json | |
path: gem_manifest_${{ matrix.ruby-version }}_${{ matrix.multiverse }}.json | |
retention-days: 2 | |
infinite_tracing: | |
needs: run_rubocop | |
runs-on: ubuntu-22.04 | |
strategy: | |
fail-fast: false | |
matrix: | |
ruby-version: [2.7.8, 3.3.6] | |
steps: | |
- name: Configure git | |
run: 'git config --global init.defaultBranch main' | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag v4.1.7 | |
- name: Install Ruby ${{ matrix.ruby-version }} | |
uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc # tag v1.202.0 | |
with: | |
ruby-version: ${{ matrix.ruby-version }} | |
- name: Bundle | |
run: bundle install | |
- name: Run Multiverse Tests | |
uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # tag v3.0.0 | |
with: | |
timeout_minutes: 15 | |
max_attempts: 2 | |
command: bundle exec rake test:multiverse[group=infinite_tracing] | |
env: | |
VERBOSE_TEST_OUTPUT: true | |
SERIALIZE: 1 | |
COVERAGE: true | |
CI_FOR_PR: true | |
- name: Annotate errors | |
if: ${{ failure() }} | |
uses: ./.github/actions/annotate | |
- name: Save coverage results | |
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # tag v4.3.4 | |
with: | |
name: coverage-report-infinite-tracing-${{ matrix.ruby-version }}-infinite_tracing | |
path: lib/coverage_*/.resultset.json | |
simplecov: | |
needs: [unit_tests, multiverse, infinite_tracing] | |
runs-on: ubuntu-22.04 | |
if: github.event.pull_request.head.repo.full_name == github.repository | |
permissions: | |
pull-requests: write | |
steps: | |
- name: Configure git | |
run: 'git config --global init.defaultBranch main' | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag v4.1.7 | |
- uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc # tag v1.202.0 | |
with: | |
ruby-version: '3.3' | |
- run: bundle | |
- name: Download all workflow run artifacts | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # tag v4.1.8 | |
- name: Collate Coverage Results | |
run: bundle exec rake coverage:report | |
- name: Upload coverage results | |
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # tag v4.3.4 | |
with: | |
name: coverage-report-combined-${{ matrix.ruby-version }} | |
path: lib/coverage_results | |
retention-days: 2 | |
- name: Simplecov Report | |
uses: ./.github/actions/simplecov-report | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
resultPath: lib/coverage_results/.last_run.json | |
failedThreshold: 93.5 | |
failedThresholdBranch: 50 |