ci: harden validation + ci workflows for Gitea act-runner (pre-existing main red fixes) #2

Open
nsatoshi wants to merge 2 commits from devin/ci-hardening-1776555113 into main
2 changed files with 27 additions and 0 deletions


@@ -87,7 +87,13 @@ jobs:
- name: Run Trivy container scan
uses: aquasecurity/trivy-action@master
env:
# Avoid "Bad credentials" from GitHub API when the runner's
# GITHUB_TOKEN is a Gitea token. Pin trivy binary so installer
# does not hit api.github.com releases/latest.
GITHUB_TOKEN: ""
with:
version: v0.51.1
scan-type: 'fs'
scan-ref: '.'
format: 'sarif'
@@ -142,6 +148,12 @@ jobs:
steps:
- uses: actions/checkout@v4
- name: Install unzip (act-runner image may lack it)
run: |
if ! command -v unzip >/dev/null 2>&1; then
sudo apt-get update && sudo apt-get install -y unzip
fi
- name: Setup Terraform
uses: hashicorp/setup-terraform@v3
with:
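Review bot: The pin in the first hunk covers only the trivy binary (`version: v0.51.1`); the wrapper that downloads and runs it is still `uses: aquasecurity/trivy-action@master`, so every run still fetches mutable third-party code, and a later change on master can reintroduce the releases/latest lookup the empty `GITHUB_TOKEN` and the pin are there to avoid. Pin the action the same way, `uses: aquasecurity/trivy-action@<release tag or full commit SHA>`, and keep a short comment next to it saying the action and binary pins are meant to move together. The same partial pin is in the second file's Container Security Scan hunk and should get the same treatment. Separately, the new "Install unzip" step here and in the second file assumes `sudo` is present; on an act-runner image that lacks unzip that is not a safe assumption, so guard it, e.g. `SUDO=""; command -v sudo >/dev/null 2>&1 && SUDO=sudo` before `$SUDO apt-get update && $SUDO apt-get install -y unzip`. The Setup Terraform step continues outside the hunk.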


@@ -24,6 +24,12 @@ jobs:
steps:
- uses: actions/checkout@v3
- name: Install unzip (act-runner image may lack it)
run: |
if ! command -v unzip >/dev/null 2>&1; then
sudo apt-get update && sudo apt-get install -y unzip
fi
- name: Setup Terraform
uses: hashicorp/setup-terraform@v2
@@ -93,16 +99,25 @@ jobs:
- name: Container Security Scan
uses: aquasecurity/trivy-action@master
env:
# Avoid "Bad credentials" from GitHub API when the runner's
# GITHUB_TOKEN is a Gitea token. Pin trivy binary so installer
# does not hit api.github.com releases/latest.
GITHUB_TOKEN: ""
with:
version: v0.51.1
scan-type: 'image'
image-ref: 'hyperledger/besu:23.10.0'
format: 'sarif'
output: 'trivy-results.sarif'
continue-on-error: true
- name: Upload Trivy results
# Gitea does not host GitHub code-scanning; don't fail the job.
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
continue-on-error: true
validate-documentation:
runs-on: ubuntu-latest
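Review bot: With `continue-on-error: true` on both the Container Security Scan step and the Upload Trivy results step, a scan that finds vulnerabilities (or fails to run at all) can no longer fail the job, and the SARIF it produces is sent to a code-scanning endpoint the comment itself says Gitea does not host, so the findings are effectively discarded. If the intent is to keep the job green on Gitea, keep the signal somewhere: drop `continue-on-error` from the scan step and set `exit-code: '1'` with `severity: 'CRITICAL,HIGH'` in its `with:` block so serious findings still fail, and replace or supplement the codeql upload with `actions/upload-artifact` so the SARIF file is retained. At minimum, document the decision next to the scan step, e.g. `# Advisory only on Gitea: findings do not fail the job; results are retained as an artifact`, so a reader does not mistake a green job for a clean scan. The same `@master` reference on the trivy action applies here as in the first file.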