ci: add PR labels and combine workflows (#407)
* Automatically labels PRs based on change paths to make it easier to see what is in scope of a PR at a glance * Merges dependency security scanning into single CI workflows for Rust/TS changes
This commit is contained in:
parent
bb35aa66dc
commit
3f0ed5978c
|
@ -0,0 +1,15 @@
|
||||||
|
program:
|
||||||
|
- 'programs/**'
|
||||||
|
client:
|
||||||
|
- 'ts/client/**'
|
||||||
|
liquidator:
|
||||||
|
- 'liquidator/**'
|
||||||
|
keeper:
|
||||||
|
- 'keeper/**'
|
||||||
|
ci:
|
||||||
|
- '.github/workflows/**'
|
||||||
|
dependency:
|
||||||
|
- '*.lock'
|
||||||
|
documentation:
|
||||||
|
- '*.md'
|
||||||
|
- '**/LICENCE'
|
|
@ -7,7 +7,8 @@ on:
|
||||||
'keeper/**',
|
'keeper/**',
|
||||||
'lib/**',
|
'lib/**',
|
||||||
'liquidator/**',
|
'liquidator/**',
|
||||||
'anchor/cli/**']
|
'anchor/cli/**',
|
||||||
|
'Cargo.lock']
|
||||||
pull_request:
|
pull_request:
|
||||||
branches: ['main', 'dev']
|
branches: ['main', 'dev']
|
||||||
paths: ['cli/**',
|
paths: ['cli/**',
|
||||||
|
@ -16,7 +17,8 @@ on:
|
||||||
'keeper/**',
|
'keeper/**',
|
||||||
'lib/**',
|
'lib/**',
|
||||||
'liquidator/**',
|
'liquidator/**',
|
||||||
'anchor/cli/**']
|
'anchor/cli/**',
|
||||||
|
'Cargo.lock']
|
||||||
workflow_dispatch: # Pick branch manually
|
workflow_dispatch: # Pick branch manually
|
||||||
|
|
||||||
env:
|
env:
|
||||||
|
@ -101,12 +103,48 @@ jobs:
|
||||||
with:
|
with:
|
||||||
name: raw-test-bpf
|
name: raw-test-bpf
|
||||||
path: raw-test-bpf.log
|
path: raw-test-bpf.log
|
||||||
|
|
||||||
|
sca:
|
||||||
|
name: Dependency Scan
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Checkout code
|
||||||
|
uses: actions/checkout@v3
|
||||||
|
|
||||||
|
# Report all vulnerabilities in security tab
|
||||||
|
- name: Report on all vulnerabilities
|
||||||
|
uses: aquasecurity/trivy-action@master
|
||||||
|
with:
|
||||||
|
scan-type: 'fs'
|
||||||
|
scan-ref: 'Cargo.lock'
|
||||||
|
ignore-unfixed: true
|
||||||
|
hide-progress: true
|
||||||
|
format: 'sarif'
|
||||||
|
output: 'trivy-results.sarif'
|
||||||
|
|
||||||
|
# Fail the job on critical vulnerabiliies with fix available
|
||||||
|
- name: Fail on critical vulnerabilities
|
||||||
|
uses: aquasecurity/trivy-action@master
|
||||||
|
with:
|
||||||
|
scan-type: 'fs'
|
||||||
|
scan-ref: 'Cargo.lock'
|
||||||
|
ignore-unfixed: true
|
||||||
|
hide-progress: true
|
||||||
|
format: 'table'
|
||||||
|
severity: 'CRITICAL'
|
||||||
|
exit-code: '1'
|
||||||
|
|
||||||
|
- name: Upload output
|
||||||
|
uses: github/codeql-action/upload-sarif@v2
|
||||||
|
if: always()
|
||||||
|
with:
|
||||||
|
sarif_file: 'trivy-results.sarif'
|
||||||
|
|
||||||
# Download logs and process them
|
# Download logs and process them
|
||||||
process-logs:
|
process-logs:
|
||||||
name: Process logs
|
name: Process logs
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
needs: [format, clippy, test]
|
needs: ['test']
|
||||||
steps:
|
steps:
|
||||||
- name: Download raw log
|
- name: Download raw log
|
||||||
uses: actions/download-artifact@v3
|
uses: actions/download-artifact@v3
|
||||||
|
|
|
@ -3,9 +3,9 @@ name: Code Review - TypeScript
|
||||||
on:
|
on:
|
||||||
pull_request:
|
pull_request:
|
||||||
branches: ['main', 'dev']
|
branches: ['main', 'dev']
|
||||||
paths: ['ts/**']
|
paths: ['ts/**', 'yarn.lock']
|
||||||
push:
|
push:
|
||||||
paths: ['ts/**']
|
paths: ['ts/**', 'yarn.lock']
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
format:
|
format:
|
||||||
|
@ -46,8 +46,8 @@ jobs:
|
||||||
- name: Lint
|
- name: Lint
|
||||||
run: yarn lint
|
run: yarn lint
|
||||||
|
|
||||||
unit-test:
|
test:
|
||||||
name: Unit Test
|
name: Test
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
|
@ -65,7 +65,7 @@ jobs:
|
||||||
- name: Run Test
|
- name: Run Test
|
||||||
run: yarn test
|
run: yarn test
|
||||||
|
|
||||||
semgrep:
|
sast:
|
||||||
name: Security Scan
|
name: Security Scan
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
container:
|
container:
|
||||||
|
@ -85,3 +85,60 @@ jobs:
|
||||||
if: always()
|
if: always()
|
||||||
with:
|
with:
|
||||||
sarif_file: semgrep-results.sarif
|
sarif_file: semgrep-results.sarif
|
||||||
|
|
||||||
|
sca:
|
||||||
|
name: Dependency Scan
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Checkout code
|
||||||
|
uses: actions/checkout@v3
|
||||||
|
|
||||||
|
# Report all vulnerabilities in security tab
|
||||||
|
- name: Report on all vulnerabilities
|
||||||
|
uses: aquasecurity/trivy-action@master
|
||||||
|
with:
|
||||||
|
scan-type: 'fs'
|
||||||
|
scan-ref: 'yarn.lock'
|
||||||
|
ignore-unfixed: true
|
||||||
|
hide-progress: true
|
||||||
|
format: 'sarif'
|
||||||
|
output: 'trivy-results.sarif'
|
||||||
|
|
||||||
|
# Fail the job on critical vulnerabiliies with fix available
|
||||||
|
- name: Fail on critical vulnerabilities
|
||||||
|
uses: aquasecurity/trivy-action@master
|
||||||
|
with:
|
||||||
|
scan-type: 'fs'
|
||||||
|
scan-ref: 'yarn.lock'
|
||||||
|
ignore-unfixed: true
|
||||||
|
hide-progress: true
|
||||||
|
format: 'table'
|
||||||
|
severity: 'CRITICAL'
|
||||||
|
exit-code: '1'
|
||||||
|
|
||||||
|
- name: Upload output
|
||||||
|
uses: github/codeql-action/upload-sarif@v2
|
||||||
|
if: always()
|
||||||
|
with:
|
||||||
|
sarif_file: 'trivy-results.sarif'
|
||||||
|
|
||||||
|
yarn-pass:
|
||||||
|
name: Yarn tests pass
|
||||||
|
needs: ['format', 'lint', 'test']
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- run: echo ok
|
||||||
|
|
||||||
|
security-pass:
|
||||||
|
name: Security tests pass
|
||||||
|
needs: ['sca', 'sast']
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- run: echo ok
|
||||||
|
|
||||||
|
all-pass:
|
||||||
|
name: All tests pass 🚀
|
||||||
|
needs: ['yarn-pass', 'security-pass']
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- run: echo ok
|
||||||
|
|
|
@ -1,59 +0,0 @@
|
||||||
name: Dependency Security Scan - Cargo
|
|
||||||
|
|
||||||
on:
|
|
||||||
pull_request:
|
|
||||||
branches: ['main', 'dev']
|
|
||||||
paths: ['cli/**',
|
|
||||||
'client/**',
|
|
||||||
'programs/**',
|
|
||||||
'keeper/**',
|
|
||||||
'lib/**',
|
|
||||||
'liquidator/**',
|
|
||||||
'anchor/cli/**',
|
|
||||||
'Cargo.lock']
|
|
||||||
push:
|
|
||||||
paths: ['cli/**',
|
|
||||||
'client/**',
|
|
||||||
'programs/**',
|
|
||||||
'keeper/**',
|
|
||||||
'lib/**',
|
|
||||||
'liquidator/**',
|
|
||||||
'anchor/cli/**',
|
|
||||||
'Cargo.lock']
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
trivy:
|
|
||||||
name: Dependency Scan
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- name: Checkout code
|
|
||||||
uses: actions/checkout@v3
|
|
||||||
|
|
||||||
# Report all vulnerabilities in security tab
|
|
||||||
- name: Report on all vulnerabilities
|
|
||||||
uses: aquasecurity/trivy-action@master
|
|
||||||
with:
|
|
||||||
scan-type: 'fs'
|
|
||||||
scan-ref: 'Cargo.lock'
|
|
||||||
ignore-unfixed: true
|
|
||||||
hide-progress: true
|
|
||||||
format: 'sarif'
|
|
||||||
output: 'trivy-results.sarif'
|
|
||||||
|
|
||||||
# Fail the job on critical vulnerabiliies with fix available
|
|
||||||
- name: Fail on critical vulnerabilities
|
|
||||||
uses: aquasecurity/trivy-action@master
|
|
||||||
with:
|
|
||||||
scan-type: 'fs'
|
|
||||||
scan-ref: 'Cargo.lock'
|
|
||||||
ignore-unfixed: true
|
|
||||||
hide-progress: true
|
|
||||||
format: 'table'
|
|
||||||
severity: 'CRITICAL'
|
|
||||||
exit-code: '1'
|
|
||||||
|
|
||||||
- name: Upload output
|
|
||||||
uses: github/codeql-action/upload-sarif@v2
|
|
||||||
if: always()
|
|
||||||
with:
|
|
||||||
sarif_file: 'trivy-results.sarif'
|
|
|
@ -1,45 +0,0 @@
|
||||||
name: Dependency Security Scan - Yarn
|
|
||||||
|
|
||||||
on:
|
|
||||||
pull_request:
|
|
||||||
branches: ['main', 'dev']
|
|
||||||
paths: ['ts/**', 'yarn.lock']
|
|
||||||
push:
|
|
||||||
paths: ['ts/**', 'yarn.lock']
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
trivy:
|
|
||||||
name: Dependency Scan
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- name: Checkout code
|
|
||||||
uses: actions/checkout@v3
|
|
||||||
|
|
||||||
# Report all vulnerabilities in security tab
|
|
||||||
- name: Report on all vulnerabilities
|
|
||||||
uses: aquasecurity/trivy-action@master
|
|
||||||
with:
|
|
||||||
scan-type: 'fs'
|
|
||||||
scan-ref: 'yarn.lock'
|
|
||||||
ignore-unfixed: true
|
|
||||||
hide-progress: true
|
|
||||||
format: 'sarif'
|
|
||||||
output: 'trivy-results.sarif'
|
|
||||||
|
|
||||||
# Fail the job on critical vulnerabiliies with fix available
|
|
||||||
- name: Fail on critical vulnerabilities
|
|
||||||
uses: aquasecurity/trivy-action@master
|
|
||||||
with:
|
|
||||||
scan-type: 'fs'
|
|
||||||
scan-ref: 'yarn.lock'
|
|
||||||
ignore-unfixed: true
|
|
||||||
hide-progress: true
|
|
||||||
format: 'table'
|
|
||||||
severity: 'CRITICAL'
|
|
||||||
exit-code: '1'
|
|
||||||
|
|
||||||
- name: Upload output
|
|
||||||
uses: github/codeql-action/upload-sarif@v2
|
|
||||||
if: always()
|
|
||||||
with:
|
|
||||||
sarif_file: 'trivy-results.sarif'
|
|
|
@ -0,0 +1,17 @@
|
||||||
|
name: PR Labels
|
||||||
|
on:
|
||||||
|
pull_request:
|
||||||
|
types: [opened, synchronize]
|
||||||
|
branches: [dev]
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
label:
|
||||||
|
name: Add PR labels
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
pull-requests: write
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/labeler@v4
|
||||||
|
with:
|
||||||
|
repo-token: "${{ secrets.GITHUB_TOKEN }}"
|
Loading…
Reference in New Issue