add image scan for test and publish workflows #123
| name: Run Tests | |
| on: | |
| push: | |
| branches: [ "main" ] | |
| paths: | |
| - trusted_library/** | |
| - openapi/** | |
| - src/** | |
| pull_request: | |
| branches: [ "main" ] | |
| permissions: | |
| contents: read | |
| jobs: | |
| build: | |
| name: test | |
| runs-on: ubuntu-latest | |
| outputs: | |
| version: ${{ steps.properties.outputs.version }} | |
| changelog: ${{ steps.properties.outputs.changelog }} | |
| steps: | |
| # Check out current repository | |
| - name: Fetch Sources | |
| uses: actions/checkout@v3.5.1 | |
| # Validate wrapper | |
| - name: Gradle Wrapper Validation | |
| uses: gradle/wrapper-validation-action@v1.0.6 | |
| # Setup Java 17 environment for the next steps | |
| - name: Setup Java | |
| uses: actions/setup-java@v3 | |
| with: | |
| distribution: zulu | |
| java-version: 17 | |
| cache: gradle | |
| - name: Generate full lockfile for Trivy | |
| # Running 'classes' ensures all implementation dependencies are resolved | |
| env: | |
| GITHUB_ACTOR: ${{ github.actor }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: ./gradlew testClasses --write-locks | |
| - name: Run Trivy vulnerability scanner (Repo scan) | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| scan-type: 'fs' # 'fs' scans the filesystem (dependencies and IaC) | |
| scan-ref: '.' | |
| vuln-type: 'os,library' | |
| ignore-unfixed: true | |
| format: 'table' | |
| exit-code: '1' # Fails the PR if high/critical issues are found | |
| severity: 'CRITICAL,HIGH' | |
| - name: Run Tests | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: ./gradlew test |
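Review bot: The scanner step references a mutable branch, `uses: aquasecurity/trivy-action@master`, while every other action in this job is pinned to a release tag; whatever is at the head of that branch when the job runs is executed with the job's checkout and the `GITHUB_TOKEN` passed in the earlier steps, so the behaviour of the gate can change without any change in this repository. Pin it like the others, preferably to a full commit SHA with the version in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha-of-release>  # <release-tag>` (values to be taken from the action's release page). Separately, `ignore-unfixed: true` together with `exit-code: '1'` means HIGH/CRITICAL findings that have no upstream fix are dropped from the table rather than reported, which is a deliberate trade-off worth stating next to that line, e.g. `# Unfixed findings are hidden, not just non-blocking; review them periodically`. The comment on the lockfile step says "Running 'classes'" but the command runs `testClasses`; align the comment with the command so the reason test dependencies are included in the scan is recorded.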