generated from iits-consulting/helm-chart-repo-gh-pages-template
-
Notifications
You must be signed in to change notification settings - Fork 7
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Setup github actions for linting and security issue scanning
- Loading branch information
Victor Getz
committed
Apr 28, 2023
1 parent
18ae3fa
commit 83b92f6
Showing
4 changed files
with
170 additions
and
53 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,79 @@ | ||
| name: Release Charts | ||
|
|
||
| on: | ||
| pull_request: | ||
| branches: | ||
| - '*' | ||
| push: | ||
| branches: | ||
| - "*" | ||
| - '!master' | ||
| env: | ||
| HELM_VERSION: v3.4.0 | ||
|
|
||
| jobs: | ||
| find-charts: | ||
| name: Find Charts | ||
| container: debian:buster-slim | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| matrix: ${{ steps.determine-chart-names.outputs.matrix }} | ||
| steps: | ||
| - uses: actions/checkout@v1 | ||
| - id: determine-chart-names | ||
| run: echo "matrix=[$(ls -Q --format=commas ./charts)]" >> $GITHUB_OUTPUT | ||
| release-charts: | ||
| name: Release | ||
| needs: find-charts | ||
| strategy: | ||
| matrix: | ||
| chart: ${{fromJSON(needs.find-charts.outputs.matrix)}} | ||
| permissions: | ||
| contents: write | ||
| security-events: write | ||
| actions: read | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v3 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Configure Git | ||
| run: | | ||
| git config user.name "$GITHUB_ACTOR" | ||
| git config user.email "[email protected]" | ||
| - name: Setup Helm | ||
| uses: azure/setup-helm@v3 | ||
| with: | ||
| version: ${{ env.HELM_VERSION }} | ||
|
|
||
| - name: Lint ${{ matrix.chart }} | ||
| run: helm lint charts/${{ matrix.chart }} --strict | ||
|
|
||
| - name: KubeVal ${{ matrix.chart }} | ||
| run: | | ||
| helm plugin install https://github.com/instrumenta/helm-kubeval | ||
| helm kubeval --ignore-missing-schemas charts/${{ matrix.chart }} | ||
| - name: Trivy Scan ${{ matrix.chart }} | ||
| uses: aquasecurity/[email protected] | ||
| with: | ||
| scan-type: 'config' | ||
| hide-progress: false | ||
| format: 'sarif' | ||
| scan-ref: 'charts/${{matrix.chart}}' | ||
| output: 'trivy-results.sarif' | ||
| exit-code: '1' | ||
| ignore-unfixed: false | ||
| severity: 'MEDIUM,HIGH,CRITICAL' | ||
| limit-severities-for-sarif: true | ||
|
|
||
| - name: Upload Trivy scan results for ${{ matrix.chart }} | ||
| uses: github/codeql-action/upload-sarif@v2 | ||
| if: always() | ||
| with: | ||
| sarif_file: 'trivy-results.sarif' | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,14 +1,37 @@ | ||
| name: Release Charts | ||
|
|
||
| on: | ||
| pull_request: | ||
| branches: | ||
| - '*' | ||
| push: | ||
| branches: | ||
| - * | ||
| - "*" | ||
| - '!master' | ||
| env: | ||
| HELM_VERSION: v3.4.0 | ||
|
|
||
| jobs: | ||
| release: | ||
| find-charts: | ||
| name: Find Charts | ||
| container: debian:buster-slim | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| matrix: ${{ steps.determine-chart-names.outputs.matrix }} | ||
| steps: | ||
| - uses: actions/checkout@v1 | ||
| - id: determine-chart-names | ||
| run: echo "matrix=[$(ls -Q --format=commas ./charts)]" >> $GITHUB_OUTPUT | ||
| release-charts: | ||
| name: Release | ||
| needs: find-charts | ||
| strategy: | ||
| matrix: | ||
| chart: ${{fromJSON(needs.find-charts.outputs.matrix)}} | ||
| permissions: | ||
| contents: write | ||
| security-events: write | ||
| actions: read | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout | ||
|
|
@@ -24,33 +47,44 @@ jobs: | |
| - name: Setup Helm | ||
| uses: azure/setup-helm@v3 | ||
| with: | ||
| version: v3.4.0 | ||
| version: ${{ env.HELM_VERSION }} | ||
|
|
||
| - name: Lint chart | ||
| run: helm lint charts/* --strict | ||
| - name: Lint ${{ matrix.chart }} | ||
| run: helm lint charts/${{ matrix.chart }} --strict | ||
|
|
||
| - name: Validate Kubernetes YAML files with Kubeval | ||
| - name: KubeVal ${{ matrix.chart }} | ||
| run: | | ||
| helm plugin install https://github.com/instrumenta/helm-kubeval | ||
| helm kubeval charts/* | ||
| helm kubeval --ignore-missing-schemas charts/${{ matrix.chart }} | ||
| - name: Run Trivy vulnerability scanner in IaC mode | ||
| uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 # tag=0.8.0 | ||
| - name: Trivy Scan ${{ matrix.chart }} | ||
| uses: aquasecurity/trivy-action@0.10.0 | ||
| with: | ||
| scan-type: 'config' | ||
| hide-progress: false | ||
| format: 'sarif' | ||
| scan-ref: 'charts/*' | ||
| scan-ref: 'charts/${{matrix.chart}}' | ||
| output: 'trivy-results.sarif' | ||
| exit-code: '1' | ||
| ignore-unfixed: true | ||
| ignore-unfixed: false | ||
| severity: 'MEDIUM,HIGH,CRITICAL' | ||
| limit-severities-for-sarif: true | ||
|
|
||
| - name: Upload Trivy scan results to GitHub Security tab | ||
| uses: github/codeql-action/upload-sarif@312e093a1892bd801f026f1090904ee8e460b9b6 # v2.1.34 | ||
| - name: Upload Trivy scan results for ${{ matrix.chart }} | ||
| uses: github/codeql-action/upload-sarif@v2 | ||
| if: always() | ||
| with: | ||
| sarif_file: 'trivy-results.sarif' | ||
|
|
||
| - name: Run chart-releaser | ||
| - name: Release ${{ matrix.chart }} | ||
| uses: helm/[email protected] | ||
| env: | ||
| CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | ||
| CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | ||
|
|
||
| - name: Publish Helm charts | ||
| uses: stefanprodan/[email protected] | ||
| with: | ||
| charts_dir: charts | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,42 +1,46 @@ | ||
| apiVersion: apps/v1 | ||
| kind: Deployment | ||
| metadata: | ||
| name: {{ .Chart.Name }} | ||
| name: {{ .Chart.Name }} | ||
| spec: | ||
| selector: | ||
| matchLabels: | ||
| app: {{ .Chart.Name }} | ||
| release: {{ .Chart.Name }} | ||
| replicas: {{default 2 .Values.nginx.replicaCount }} | ||
| template: | ||
| metadata: | ||
| annotations: | ||
| htmlChecksum: {{ include (print $.Template.BasePath "/nginx-index-html.yaml") . | sha256sum }} | ||
| labels: | ||
| app: {{ .Chart.Name }} | ||
| release: {{ .Chart.Name }} | ||
| spec: | ||
| containers: | ||
| - name: {{ .Chart.Name }} | ||
| image: {{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag }} | ||
| imagePullPolicy: {{ default "IfNotPresent" .Values.nginx.image.pullPolicy }} | ||
| ports: | ||
| - name: app-internal | ||
| containerPort: {{ .Values.nginx.service.port }} | ||
| livenessProbe: | ||
| httpGet: | ||
| path: "/" | ||
| port: {{ .Values.nginx.service.port }} | ||
| initialDelaySeconds: 60 | ||
| periodSeconds: 60 | ||
| readinessProbe: | ||
| httpGet: | ||
| path: "/" | ||
| port: {{ .Values.nginx.service.port }} | ||
| volumeMounts: | ||
| - name: {{ .Chart.Name }}-pages | ||
| mountPath: /usr/share/nginx/html | ||
| volumes: | ||
| - name: {{ .Chart.Name }}-pages | ||
| configMap: | ||
| name: {{ .Chart.Name }}-pages | ||
| selector: | ||
| matchLabels: | ||
| app: {{ .Chart.Name }} | ||
| release: {{ .Chart.Name }} | ||
| replicas: {{default 2 .Values.nginx.replicaCount }} | ||
| template: | ||
| metadata: | ||
| annotations: | ||
| htmlChecksum: {{ include (print $.Template.BasePath "/nginx-index-html.yaml") . | sha256sum }} | ||
| labels: | ||
| app: {{ .Chart.Name }} | ||
| release: {{ .Chart.Name }} | ||
| spec: | ||
| securityContext: | ||
| runAsNonRoot: true | ||
| containers: | ||
| - name: {{ .Chart.Name }} | ||
| image: {{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag }} | ||
| securityContext: | ||
| allowPrivilegeEscalation: false | ||
| imagePullPolicy: {{ default "IfNotPresent" .Values.nginx.image.pullPolicy }} | ||
| ports: | ||
| - name: app-internal | ||
| containerPort: {{ .Values.nginx.service.port }} | ||
| livenessProbe: | ||
| httpGet: | ||
| path: "/" | ||
| port: {{ .Values.nginx.service.port }} | ||
| initialDelaySeconds: 60 | ||
| periodSeconds: 60 | ||
| readinessProbe: | ||
| httpGet: | ||
| path: "/" | ||
| port: {{ .Values.nginx.service.port }} | ||
| volumeMounts: | ||
| - name: {{ .Chart.Name }}-pages | ||
| mountPath: /usr/share/nginx/html | ||
| volumes: | ||
| - name: {{ .Chart.Name }}-pages | ||
| configMap: | ||
| name: {{ .Chart.Name }}-pages |