diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml
index a852ff0..e296338 100644
--- a/.github/workflows/gradle.yml
+++ b/.github/workflows/gradle.yml
@@ -1,21 +1,21 @@ name: PR Test & Analysis on: - push: + pull_request: + types: [ opened, reopened, synchronize ] branches: - main - dev -#env: -# SLACK_VULNERABILITY_WEBHOOK_URL: ${{secrets.SLACK_VULNERABILITY_WEBHOOK_URL}} -# SLACK_PR_NOTIFICATION_WEBHOOK_URL: ${{secret.SLACK_PR_NOTIFICATION_WEBHOOK_URL}} concurrency: - group: ci-pr-${{ github.head_ref }} + group: ci-pr-${{ github.base_ref }} cancel-in-progress: true jobs: fetch-and-diff: runs-on: ubuntu-latest + env: + MODULES: demo demo1 outputs: modified_modules: ${{ steps.determine_modules.outputs.modules }}
@@ -26,19 +26,18 @@ jobs: with: fetch-depth: 0 - - name: Set Modules - run: | - echo "MODULES=demo demo1" >> $GITHUB_ENV - - - name: Fetch Base Branch - run: git fetch origin +refs/heads/${{ github.ref_name }}:refs/remotes/origin/${{ github.ref_name }} - - name: Get Modified Files run: | - MODIFIED_FILES=$(git diff --name-only ${{ github.event.before }} ${{ github.sha }} | tr '\n' ' ') + MODIFIED_FILES=$(git diff --name-only origin/${{ github.head_ref }} origin/${{ github.base_ref }} | tr '\n' ' ') echo $MODIFIED_FILES echo "MODIFIED_FILES=$MODIFIED_FILES" >> $GITHUB_ENV + - name: Fetch Base Branch + run: | + echo "From : ${{ github.head_ref }}" + echo "To : ${{ github.base_ref }}" + git fetch origin +refs/heads/${{ github.head_ref }}:refs/remotes/origin/${{ github.base_ref }} + - name: Determine Modified Modules id: determine_modules run: |
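Review bot: `group: ci-pr-${{ github.base_ref }}` puts every PR that targets the same base branch into one concurrency group, so with `cancel-in-progress: true` a `synchronize` event on one PR cancels the in-flight run of any other PR against `main` or `dev`. Keying on the PR itself keeps cancellation per PR: `group: ci-pr-${{ github.event.pull_request.number }}`. With the trigger now `pull_request`, every job in this file runs on unmerged code, yet the docker push and manifest update further down still name their outputs after `${{ github.base_ref }}`; if that is intended, a comment on `on:` stating that PR runs publish to the base branch's targets would save the next reader a surprise.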
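Review bot: `${{ github.head_ref }}` is expanded into the `run:` script text of the new `Get Modified Files` and `Fetch Base Branch` steps, and on a `pull_request` workflow that value is the PR author's branch name, so the shell script is partly composed from untrusted input; GitHub's hardening guidance for this is to pass such context values through `env:` and reference them as quoted shell variables. The fetch step also stores the head branch under `refs/remotes/origin/${{ github.base_ref }}`, overwriting the local tracking ref of the base branch with the PR head, and it now runs after the `git diff` that would have used it, so it cannot influence the result; the intended target is probably `refs/heads/${{ github.base_ref }}`, placed before the diff. For PRs from forks `origin/<head_ref>` will not exist on the checkout's remote, whereas `git diff --name-only "origin/$BASE_REF...HEAD"` (HEAD being the merge commit actions/checkout checks out on pull_request events) works for both cases and also ignores commits that landed on the base after the branch point. The diff step is rewritten below; the same `env:` treatment applies to the fetch step.
```yaml
      - name: Get Modified Files
        env:
          BASE_REF: ${{ github.base_ref }}
        run: |
          MODIFIED_FILES=$(git diff --name-only "origin/$BASE_REF...HEAD" | tr '\n' ' ')
          echo "$MODIFIED_FILES"
          echo "MODIFIED_FILES=$MODIFIED_FILES" >> "$GITHUB_ENV"
      # … unchanged: Fetch Base Branch, Determine Modified Modules …
```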
@@ -85,31 +84,55 @@ jobs: MODULES=$(echo "$RAW_MODULES" | sed 's/\[//g; s/\]//g') IFS=',' read -ra MODIFIED_MODULES <<< "$MODULES" for MODULE in "${MODIFIED_MODULES[@]}"; do - docker build -f ${MODULE}/Dockerfile -t jerryworld/${MODULE}-${{ github.ref_name }}:${{ github.sha }} . - docker push jerryworld/${MODULE}-${{ github.ref_name }}:${{ github.sha }} + docker build -f ${MODULE}/Dockerfile -t jerryworld/${MODULE}-${{ github.base_ref }}:${{ github.sha }} . + docker push jerryworld/${MODULE}-${{ github.base_ref }}:${{ github.sha }} done scan: -# needs: fetch-and-diff + needs: fetch-and-diff runs-on: ubuntu-latest + strategy: + matrix: + module: ${{ fromJSON(needs.fetch-and-diff.outputs.modified_modules) }} steps: - - name: Set Modules - run: | - echo "MODULES=demo demo1" >> $GITHUB_ENV - name: Install Trivy run: | curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin - name: Run Trivy vulnerability scanner run: | - for module in ${{ env.MODULES }}; do - echo ${module} - trivy image \ - --ignore-unfixed \ - --severity CRITICAL,HIGH \ - --format sarif --output trivy-results_${module}.sarif \ - jerryworld/${module}-${{ github.ref_name }}:${{ github.sha }} - done - - + echo "CHECK Target : ${{ matrix.module }}" + MODULE=${{ matrix.module }} + trivy image \ + --format table \ + --ignore-unfixed \ + --vuln-type os,library \ + --severity CRITICAL,HIGH,MEDIUM \ + --output ${MODULE}_trivy-results.sarif \ + jerryworld/${{ matrix.module }}-${{ github.base_ref }}:${{ github.sha }} + - name: check sarif + id: save_sarif + run: | + ls -al + MODULE=${{ matrix.module }} + DATA=$(cat ${MODULE}_trivy-results.sarif) + echo -e "trivy-results<> $GITHUB_OUTPUT + echo -e "$DATA" >> $GITHUB_OUTPUT + echo "EOF" >> $GITHUB_OUTPUT + - name: Add comment + uses: actions/github-script@v6 + env: + TRIVY_RESULTS: ${{ steps.save_sarif.outputs.trivy-results }} + with: + github-token: ${{ secrets.GIT_TOKEN }} + script: | + const { 
 owner, repo } = context.repo; + const pr_number = context.payload.pull_request.number; + + github.rest.issues.createComment({ + owner: owner, + repo: repo, + issue_number: pr_number, + body: process.env.TRIVY_RESULTS + }); push-manifest: name: Push Manifest needs: fetch-and-diff
@@ -131,13 +154,16 @@ jobs: git config --global user.name "jerry-world" echo "UPDATE Target : ${{ matrix.module }}" - IFS=' ' read -r -a MODIFIED_MODULES <<< "${{ matrix.module }}" - for MODULE in "${MODIFIED_MODULES[@]}"; do - cd apps/${MODULE}/overlay/${{ github.ref_name }} - after_sha="${{ github.sha }}" - echo "this revision : ${after_sha}" - sed -i "s|\(image:[[:space:]]*[^:]*:\)[^[:space:]]*$|\1${after_sha}|g" ${MODULE}-deployment-patch.yaml - git add -A - git commit -m "update manifest demo" - done - git push \ No newline at end of file + MODULE=${{ matrix.module }} + cd apps/${MODULE}/overlay/${{ github.base_ref }} + after_sha="${{ github.sha }}" + echo "this revision : ${after_sha}" + sed -i "s|\(image:[[:space:]]*[^:]*:\)[^[:space:]]*$|\1${after_sha}|g" ${MODULE}-deployment-patch.yaml + git add -A + git commit -m "update manifest demo" + git push + + +#env: +# SLACK_VULNERABILITY_WEBHOOK_URL: ${{secrets.SLACK_VULNERABILITY_WEBHOOK_URL}} +# SLACK_PR_NOTIFICATION_WEBHOOK_URL: ${{secret.SLACK_PR_NOTIFICATION_WEBHOOK_URL}}
\ No newline at end of file
diff --git a/demo/build.gradle b/demo/build.gradle
index 3b5233d..7ac9ee1 100644
--- a/demo/build.gradle
+++ b/demo/build.gradle
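Review bot: The `scan` matrix pulls `jerryworld/${{ matrix.module }}-${{ github.base_ref }}:${{ github.sha }}`, the image that the `docker push` at the top of this hunk produces, but `needs: fetch-and-diff` does not include the job that runs that push (its name is above the hunk), so the scan can start before the image exists and fail on pull. In the Trivy step `--format table` writes a plain-text table into `${MODULE}_trivy-results.sarif`, so the file name is misleading and the PR comment posted by `Add comment` is that table rather than SARIF; either switch to `--format sarif` or name the file `.txt`, and add `--exit-code 1` if CRITICAL/HIGH findings are meant to gate the PR, because without it the job always succeeds. The `check sarif` step's `echo -e "trivy-results<> $GITHUB_OUTPUT` reads as a mangled heredoc marker on this page, so please verify the file has `<<EOF`; since scanner output is not controlled by the workflow, GitHub's multiline-output guidance is a unique delimiter such as `delim=$(openssl rand -hex 8)` rather than a fixed `EOF`. `github-token: ${{ secrets.GIT_TOKEN }}` is a stored PAT used only to comment on the PR; `${{ secrets.GITHUB_TOKEN }}` with `permissions: pull-requests: write` on the job is sufficient and, unlike a repository secret, is also available to PRs opened from forks.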
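Review bot: The rewritten `push-manifest` body commits `after_sha="${{ github.sha }}"` into `apps/${MODULE}/overlay/${{ github.base_ref }}` and pushes it, and because this workflow now runs on `pull_request`, opening or updating a PR against `main` rewrites the `main` overlay to a commit that has not been reviewed or merged (on `pull_request` events `github.sha` is the PR's merge commit, not a commit on the base branch). If deployment is meant to follow merge, gate this job with `if: github.event_name == 'push'` and keep a `push` trigger for `main`/`dev`, or point PR runs at a preview overlay; the job's checkout and earlier `git config` steps are above the hunk, so I cannot see which repository the push goes to. `git commit` exits non-zero when `sed` changed nothing, which fails the job on a rerun against an already-updated manifest; `git diff --quiet || git commit -m "update manifest demo"` avoids that. The commented-out block appended at the end references `${{secret.SLACK_PR_NOTIFICATION_WEBHOOK_URL}}` — `secret` rather than `secrets` — which will be an invalid context if it is ever uncommented.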
@@ -27,25 +27,13 @@ dependencies { implementation 'org.springframework.boot:spring-boot-starter' implementation 'org.springframework.boot:spring-boot-starter-web' implementation 'org.springframework.boot:spring-boot-starter-webflux' - implementation 'org.springframework.boot:spring-boot-starter-data-jpa' implementation 'org.springframework.boot:spring-boot-starter-validation' implementation 'org.springframework.cloud:spring-cloud-starter' - implementation 'org.springframework.cloud:spring-cloud-starter-config' implementation 'org.springframework.boot:spring-boot-starter-actuator' // KMS implementation 'com.github.ulisesbocchio:jasypt-spring-boot-starter:3.0.5' - // Jpa - JSON - implementation 'io.hypersistence:hypersistence-utils-hibernate-63:3.7.6' - - // queryDSL - implementation 'com.querydsl:querydsl-jpa:5.1.0:jakarta' - implementation 'com.querydsl:querydsl-sql-spatial:5.1.0' - annotationProcessor "com.querydsl:querydsl-apt:5.1.0:jakarta" - annotationProcessor "jakarta.annotation:jakarta.annotation-api" - annotationProcessor "jakarta.persistence:jakarta.persistence-api" - - // Swagger implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.5.0'
diff --git a/demo/src/main/java/com/example/demo/DemoApplication.java b/demo/src/main/java/com/example/demo/DemoApplication.java
index 1ef4920..1f9ab53 100644
--- a/demo/src/main/java/com/example/demo/DemoApplication.java
+++ b/demo/src/main/java/com/example/demo/DemoApplication.java
@@ -9,5 +9,5 @@ public class DemoApplication {
 public static void main(String[] args) {
 SpringApplication.run(DemoApplication.class, args);
 }
- //수정테스트3 - DIFF
+ //수정테스트3 - DIFF12
 }
diff --git a/demo/src/main/java/com/example/demo/home/HomeController.java b/demo/src/main/java/com/example/demo/home/HomeController.java
index 9735acb..f4c0d05 100644
--- a/demo/src/main/java/com/example/demo/home/HomeController.java
+++ b/demo/src/main/java/com/example/demo/home/HomeController.java
@@ -11,7 +11,7 @@ public class HomeController {
 @RequestMapping(value = "/home")
 public String home() {
 System.out.println("home Check");
- System.out.println("Trivy 테스트");
+ System.out.println("Trivy 테스트12");
 return "Welcome home";
 }
 }
diff --git a/demo1/src/main/java/com/example/demo/home1/Home1Controller.java b/demo1/src/main/java/com/example/demo/home1/Home1Controller.java
index 05a4d33..3175489 100644
--- a/demo1/src/main/java/com/example/demo/home1/Home1Controller.java
+++ b/demo1/src/main/java/com/example/demo/home1/Home1Controller.java
@@ -9,7 +9,7 @@ public class Home1Controller {
 @GetMapping
 public String home1(){
- System.out.println("home1");
+ System.out.println("home1_12");
 return "home1";
 }
 }