Merge changes from main #650
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: "CI" | |
on: # yamllint disable-line rule:truthy | |
workflow_dispatch: # yamllint disable-line rule:empty-values | |
pull_request: # yamllint disable-line rule:empty-values | |
concurrency: | |
group: "${{ github.head_ref }}-ci" | |
cancel-in-progress: true | |
jobs: | |
pre-commit-check: | |
name: "Run pre-commit checks" | |
runs-on: "ubuntu-22.04" | |
env: | |
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
steps: | |
- name: "Checkout" | |
uses: "actions/checkout@v4" | |
with: | |
fetch-depth: 0 | |
- name: "Setup Go" | |
uses: "actions/setup-go@v5" | |
- run: "echo $HOME/go/bin >> $GITHUB_PATH" | |
- name: "Setup Helm" | |
uses: "azure/setup-helm@v4" | |
- run: "mkdir template_output" | |
- run: "helm repo add bitnami https://charts.bitnami.com/bitnami" | |
- run: "helm dependency update charts/nautobot" | |
- name: "Install helm-docs" | |
run: "go install github.com/norwoodj/helm-docs/cmd/[email protected]" | |
env: | |
GO111MODULE: "on" | |
- uses: "dorny/paths-filter@v3" | |
id: "filter" | |
with: | |
list-files: "shell" | |
filters: | | |
addedOrModified: | |
- added|modified: '**' | |
# run only if changed files were detected | |
- name: "Run against changes" | |
uses: "pre-commit/[email protected]" | |
if: "steps.filter.outputs.addedOrModified == 'true'" | |
with: | |
extra_args: "--files ${{ steps.filter.outputs.addedOrModified_files }}" | |
# run if no changed files were detected (e.g. workflow_dispatch on main branch) | |
- name: "Run against all files" | |
uses: "pre-commit/[email protected]" | |
if: "steps.filter.outputs.addedOrModified != 'true'" | |
with: | |
extra_args: "--all-files" | |
# - name: "Upload result to GitHub Code Scanning" | |
# uses: "github/codeql-action/upload-sarif@v2" | |
# with: | |
# sarif_file: "checkov.sarif" | |
snyk-security-check: | |
name: "Snyk Security Scanning" | |
runs-on: "ubuntu-22.04" | |
env: | |
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
steps: | |
- name: "Checkout" | |
uses: "actions/checkout@v4" | |
- uses: "azure/setup-helm@v4" | |
- run: "mkdir template_output" | |
- run: "helm repo add bitnami https://charts.bitnami.com/bitnami" | |
- run: "helm dependency update charts/nautobot" | |
- run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml -f charts/nautobot/linter_values.yaml charts/nautobot --output-dir=./template_output/test-postgresql" | |
- run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml -f charts/nautobot/linter_values.yaml -f charts/nautobot/linter_values_mysql.yaml charts/nautobot --output-dir=./template_output/test-mysql" | |
- run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml -f charts/nautobot/linter_values.yaml -f charts/nautobot/linter_values_postgresql_ha.yaml charts/nautobot --output-dir=./template_output/test-postgresql-ha" | |
- run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml charts/nautobot --output-dir=./template_output/test-defaults" | |
- name: "Run Snyk to check template files for security issues" | |
# Snyk can be used to break the build when it detects security issues. | |
# In this case we want to upload the issues to GitHub Code Scanning | |
continue-on-error: true | |
uses: "snyk/actions/iac@master" | |
env: | |
# In order to use the Snyk Action you will need to have a Snyk API token. | |
# More details in https://github.com/snyk/actions#getting-your-snyk-token | |
SNYK_TOKEN: "${{ secrets.SNYK_TOKEN }}" | |
with: | |
# Add the path to the configuration file that you would like to test. | |
# For example `deployment.yaml` for a Kubernetes deployment manifest | |
# or `main.tf` for a Terraform configuration file | |
file: "./template_output" | |
- name: "Upload result to GitHub Code Scanning" | |
uses: "github/codeql-action/upload-sarif@v3" | |
with: | |
sarif_file: "snyk.sarif" | |
kubescape-security-check: | |
name: "Kubescape Security Scanning" | |
runs-on: "ubuntu-22.04" | |
env: | |
GITHUB_PATH: "/home/runner/.kubescape/bin" | |
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
steps: | |
- name: "Checkout" | |
uses: "actions/checkout@v4" | |
- uses: "azure/setup-helm@v4" | |
- name: "Install Kubescape" | |
run: "curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash" | |
- run: 'echo "${HOME}/.kubescape/bin" >> $GITHUB_PATH' # yamllint disable-line rule:quoted-strings | |
- run: "helm repo add bitnami https://charts.bitnami.com/bitnami" | |
- run: "helm dependency update charts/nautobot" | |
- name: "Kubescape NSA Scan - Defaults" | |
run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml charts/nautobot | kubescape scan framework nsa - --compliance-threshold 0 --exceptions ./kubescape-exceptions.json" | |
- name: "Kubescape NSA Scan - PostgreSQL" | |
run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml -f charts/nautobot/linter_values.yaml charts/nautobot | kubescape scan framework nsa - --compliance-threshold 0 --exceptions ./kubescape-exceptions.json" | |
- name: "Kubescape NSA Scan - MySQL" | |
run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml -f charts/nautobot/linter_values.yaml -f charts/nautobot/linter_values_mysql.yaml charts/nautobot | kubescape scan framework nsa - --compliance-threshold 0 --exceptions ./kubescape-exceptions.json" | |
- name: "Kubescape NSA Scan - PostgreSQL HA" | |
run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml -f charts/nautobot/linter_values.yaml -f charts/nautobot/linter_values_postgresql_ha.yaml charts/nautobot | kubescape scan framework nsa - --compliance-threshold 0 --exceptions ./kubescape-exceptions.json" | |
- name: "Kubescape MITRE Scan - Defaults" | |
run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml charts/nautobot | kubescape scan framework mitre - --compliance-threshold 0 --exceptions ./kubescape-exceptions.json" | |
- name: "Kubescape MITRE Scan - PostgreSQL" | |
run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml -f charts/nautobot/linter_values.yaml charts/nautobot | kubescape scan framework mitre - --compliance-threshold 0 --exceptions ./kubescape-exceptions.json" | |
- name: "Kubescape MITRE Scan - MySQL" | |
run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml -f charts/nautobot/linter_values.yaml -f charts/nautobot/linter_values_mysql.yaml charts/nautobot | kubescape scan framework mitre - --compliance-threshold 0 --exceptions ./kubescape-exceptions.json" | |
- name: "Kubescape MITRE Scan - PostgreSQL HA" | |
run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml -f charts/nautobot/linter_values.yaml -f charts/nautobot/linter_values_postgresql_ha.yaml charts/nautobot | kubescape scan framework mitre - --compliance-threshold 0 --exceptions ./kubescape-exceptions.json" | |
- name: "Kubescape ARMOBest Scan - Defaults" | |
run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml charts/nautobot | kubescape scan framework armobest - --compliance-threshold 0 --exceptions ./kubescape-exceptions.json" | |
- name: "Kubescape ARMOBest Scan - PostgreSQL" | |
run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml -f charts/nautobot/linter_values.yaml charts/nautobot | kubescape scan framework armobest - --compliance-threshold 0 --exceptions ./kubescape-exceptions.json" | |
- name: "Kubescape ARMOBest Scan - MySQL" | |
run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml -f charts/nautobot/linter_values.yaml -f charts/nautobot/linter_values_mysql.yaml charts/nautobot | kubescape scan framework armobest - --compliance-threshold 0 --exceptions ./kubescape-exceptions.json" | |
- name: "Kubescape ARMOBest Scan - PostgreSQL HA" | |
run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml -f charts/nautobot/linter_values.yaml -f charts/nautobot/linter_values_postgresql_ha.yaml charts/nautobot | kubescape scan framework armobest - --compliance-threshold 0 --exceptions ./kubescape-exceptions.json" |