diff --git a/.github/workflows/ci-test-go.yml b/.github/workflows/ci-test-go.yml deleted file mode 100644 index 2227246..0000000 --- a/.github/workflows/ci-test-go.yml +++ /dev/null @@ -1,56 +0,0 @@ -name: ci-test-go -on: - push: - branches: [main] - pull_request: - branches: [main] - -jobs: - go-fmt-sentryflow: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - - uses: actions/setup-go@v3 - with: - go-version: "v1.21" - - - name: Check go-fmt - run: make gofmt - working-directory: sentryflow - - go-lint-sentryflow: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - - uses: actions/setup-go@v3 - with: - go-version: "v1.21" - - - name: Check Golint - run: make golint - working-directory: sentryflow - - go-sec-sentryflow: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - - uses: actions/setup-go@v3 - with: - go-version: "v1.21" - - - name: Run Gosec Security Scanner - run: make gosec - working-directory: sentryflow - - license: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - - name: Check License Header - uses: apache/skywalking-eyes@a790ab8dd23a7f861c18bd6aaa9b012e3a234bce - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/ci-test-py.yml b/.github/workflows/ci-test-py.yml index 4d6ba59..5ab4ed9 100644 --- a/.github/workflows/ci-test-py.yml +++ b/.github/workflows/ci-test-py.yml 
@@ -1,78 +1,78 @@ -name: ci-test-py -on: - push: - branches: [main] - pull_request: - branches: [main] - -jobs: - py-pip-ai-sentryflow: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - uses: actions/setup-python@v4 - with: - python-version: '3.11' - cache: 'pip' - - - name: check Python pip3 requirements - run: | - pip install -r requirements.txt - working-directory: ai-engine - - py-ruff-ai-sentryflow: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - uses: actions/setup-python@v4 - with: - python-version: '3.11' - cache: 'pip' - - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install -r requirements.txt - working-directory: ai-engine - - - name: Create pyproject.toml - run: | - echo "[tool.ruff.lint.per-file-ignores]" > pyproject.toml - echo '"stringlifier/*" = ["E402", "F811", "F401"]' >> pyproject.toml - working-directory: ai-engine - - - name: Lint with Ruff - run: | - pip install ruff - ruff --output-format=github . 
- working-directory: ai-engine - - py-lint-ai-sentryflow: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - uses: actions/setup-python@v4 - with: - python-version: '3.11' - cache: 'pip' - - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install -r requirements.txt - pip install pylint - working-directory: ai-engine - - - name: Lint with Pylint - run: | - pylint classifier.py - working-directory: ai-engine - - py-pep8-ai-sentryflow: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - name: 'Run PEP8' - uses: quentinguidee/pep8-action@v1 - with: - arguments: '--max-line-length=120 --exclude=*stringlifier/*,*protobuf/*' +#name: ci-test-py +#on: +# push: +# branches: [main] +# pull_request: +# branches: [main] +# +#jobs: +# py-pip-ai-sentryflow: +# runs-on: ubuntu-latest +# steps: +# - uses: actions/checkout@v3 +# - uses: actions/setup-python@v4 +# with: +# python-version: '3.11' +# cache: 'pip' +# +# - name: check Python pip3 requirements +# run: | +# pip install -r requirements.txt +# working-directory: ai-engine +# +# py-ruff-ai-sentryflow: +# runs-on: ubuntu-latest +# steps: +# - uses: actions/checkout@v3 +# - uses: actions/setup-python@v4 +# with: +# python-version: '3.11' +# cache: 'pip' +# +# - name: Install dependencies +# run: | +# python -m pip install --upgrade pip +# pip install -r requirements.txt +# working-directory: ai-engine +# +# - name: Create pyproject.toml +# run: | +# echo "[tool.ruff.lint.per-file-ignores]" > pyproject.toml +# echo '"stringlifier/*" = ["E402", "F811", "F401"]' >> pyproject.toml +# working-directory: ai-engine +# +# - name: Lint with Ruff +# run: | +# pip install ruff +# ruff --output-format=github . 
+# working-directory: ai-engine +# +# py-lint-ai-sentryflow: +# runs-on: ubuntu-latest +# steps: +# - uses: actions/checkout@v3 +# - uses: actions/setup-python@v4 +# with: +# python-version: '3.11' +# cache: 'pip' +# +# - name: Install dependencies +# run: | +# python -m pip install --upgrade pip +# pip install -r requirements.txt +# pip install pylint +# working-directory: ai-engine +# +# - name: Lint with Pylint +# run: | +# pylint classifier.py +# working-directory: ai-engine +# +# py-pep8-ai-sentryflow: +# runs-on: ubuntu-latest +# steps: +# - uses: actions/checkout@v3 +# - name: 'Run PEP8' +# uses: quentinguidee/pep8-action@v1 +# with: +# arguments: '--max-line-length=120 --exclude=*stringlifier/*,*protobuf/*' diff --git a/.github/workflows/pr-checks.yaml b/.github/workflows/pr-checks.yaml new file mode 100644 index 0000000..926396f --- /dev/null +++ b/.github/workflows/pr-checks.yaml 
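Review bot: The new side of ci-test-py.yml is 78 comment lines and nothing else, which leaves a workflow file that GitHub will still try to parse while the sibling ci-test-go.yml was simply deleted in the same commit; delete this file the same way rather than keeping a commented-out copy, since git history already preserves it. If the intent is to bring the ai-engine checks back later, a one-line `# TODO: ai-engine pip/ruff/pylint checks to be re-added to pr-checks.yaml` in the new workflow documents that better than a dead file, because as far as this diff shows nothing now lints or installs the ai-engine requirements on a PR.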
@@ -0,0 +1,99 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2024 Authors of SentryFlow
+
+name: PR checks
+
+on:
+ pull_request:
+ types: [ opened, reopened, synchronize, ready_for_review ]
+ paths-ignore:
+ - '**.md'
+ - 'docs/**'
+ - 'LICENSE'
+
+permissions: read-all
+
+jobs:
+ license:
+ name: License
+ runs-on: ubuntu-latest
+ defaults:
+ run:
+ working-directory: ./sentryflow
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Check License Header
+ uses: apache/skywalking-eyes@v0.6.0
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ static-checks:
+ name: Static checks
+ runs-on: ubuntu-latest
+ defaults:
+ run:
+ working-directory: ./sentryflow
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Setup go
+ uses: actions/setup-go@v5
+ with:
+ go-version: '1.22'
+
+ - name: go fmt
+ run: make fmt
+
+ - name: Lint
+ uses: golangci/golangci-lint-action@v6
+ with:
+ working-directory: ./sentryflow
+ version: v1.60.3
+ args: --timeout=10m --out-format=line-number
+ skip-cache: true # https://github.com/golangci/golangci-lint-action/issues/244#issuecomment-1052197778
+
+ go-sec:
+ runs-on: ubuntu-latest
+ defaults:
+ run:
+ working-directory: ./sentryflow
+ permissions:
+ security-events: write
+ env:
+ GO111MODULE: on
+ steps:
+ - name: Checkout Source
+ uses: actions/checkout@v4
+
+ - name: Run Gosec Security Scanner
+ uses: securego/gosec@master
+ with:
+ # we let the report trigger content trigger a failure using the GitHub Security features.
+ args: '-no-fail -fmt sarif -out results.sarif ./sentryflow/...'
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif
+
+ build-sentryflow-image:
+ name: Build SentryFlow container image
+ runs-on: ubuntu-latest
+ timeout-minutes: 20
+ defaults:
+ run:
+ working-directory: ./sentryflow
+ steps:
+ - name: Checkout source code
+ uses: actions/checkout@v4
+
+ - name: Build image
+ run: make image
+
+ - name: Scan image
+ uses: anchore/scan-action@v4
+ with:
+ image: "docker.io/5gsec/sentryflow:latest"
+ severity-cutoff: critical
+ output-format: sarif
diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
deleted file mode 100644
index 99e3146..0000000
--- a/.github/workflows/pr-checks.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-name: pr-checks
-
-on:
- pull_request:
- branches: [main]
-
-jobs:
- build:
- runs-on: ubuntu-latest
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v2
-
- - name: Setup Docker Build
- uses: docker/setup-buildx-action@v1
-
- - name: Get tag
- id: tag
- run: |
- if [ ${{ github.ref }} == "refs/heads/main" ]; then
- echo "tag=latest" >> $GITHUB_OUTPUT
- else
- echo "tag=tmp" >> $GITHUB_OUTPUT
- fi
-
- - name: Build SentryFlow Image
- working-directory: ./sentryflow
- run: |
- make TAG=${{ steps.tag.outputs.tag }} build-image
-
- - name: Build SentryFlow AI Engine Image
- working-directory: ./ai-engine
- run: |
- make TAG=${{ steps.tag.outputs.tag }} build-image
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
deleted file mode 100644
index 904b408..0000000
--- a/.github/workflows/release.yml
+++ /dev/null
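Review bot: `uses: securego/gosec@master` in the go-sec job runs whatever is on a mutable branch on every PR, inside a job whose token carries `security-events: write`; every other action in this file is pinned to a release tag and the deleted ci-test-go.yml pinned skywalking-eyes to a full commit SHA, so this step should at least be pinned to a release tag and preferably all `uses:` lines to a commit SHA with the tag in a trailing comment. The job-level `permissions:` block for go-sec names only `security-events: write`, and GitHub resets every scope not listed there to none, so `actions/checkout@v4` and `upload-sarif` in that job may be missing `contents: read` (and `actions: read` on a private repo); I would write `permissions:` / `  contents: read` / `  security-events: write`. `defaults.run.working-directory` applies only to `run:` steps, so the gosec action executes from the repository root — the `./sentryflow/...` pattern accounts for that, but if `go.mod` lives under `sentryflow/` (which the golangci-lint `working-directory` input suggests) the scan may not resolve the module from the root, so it is worth confirming in an actual run. `-no-fail` together with the SARIF upload means this check never goes red on findings; the inline comment assumes code-scanning alerts gate the merge, which only holds if a ruleset or branch protection requires them. Minor: `GO111MODULE: on` is an unquoted YAML 1.1 boolean and should be written `GO111MODULE: "on"` so the env value is guaranteed to reach the shell as a string.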
@@ -1,49 +0,0 @@
-name: release
-
-on:
- push:
- branches: [main]
-
-jobs:
- build:
- runs-on: ubuntu-latest
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v2
-
- - name: Setup Docker Build
- uses: docker/setup-buildx-action@v1
-
- # - name: Login to DockerHub
- # uses: docker/login-action@v1
- # with:
- # username: ${{ secrets.DOCKERHUB_USERNAME }}
- # password: ${{ secrets.DOCKERHUB_TOKEN }}
-
- - name: Get tag
- id: tag
- run: |
- if [ ${{ github.ref }} == "refs/heads/main" ]; then
- echo "tag=latest" >> $GITHUB_OUTPUT
- else
- echo "tag=tmp" >> $GITHUB_OUTPUT
- fi
-
- - name: Build SentryFlow Image
- working-directory: ./sentryflow
- run: |
- make TAG=${{ steps.tag.outputs.tag }} build-image
-
- # - name: Push SentryFlow Image
- # run: |
- # docker push 5gsec/sentryflow:${{ steps.tag.outputs.tag }}
-
- - name: Build SentryFlow AI Engine Image
- working-directory: ./ai-engine
- run: |
- make TAG=${{ steps.tag.outputs.tag }} build-image
-
- # - name: Push SentryFlow AI Engine Image
- # run: |
- # docker push 5gsec/sentryflow-ai-engine:${{ steps.tag.outputs.tag }}