From 292ced6fd59a15ac68c5ca411b4452593e8af34e Mon Sep 17 00:00:00 2001
From: Raul Zamora
Date: Thu, 9 Nov 2023 10:39:13 +0200
Subject: [PATCH 1/4] add trivy
---
 .github/workflows/trivy.yaml | 48 ++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 .github/workflows/trivy.yaml
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
new file mode 100644
index 0000000..4bb77be
--- /dev/null
+++ b/.github/workflows/trivy.yaml
@@ -0,0 +1,48 @@
+name: trivy
+on:
+ pull_request:
+ workflow_call:
+ workflow_dispatch:
+jobs:
+ build:
+ uses: ./.github/workflows/build.yaml
+ scan:
+ name: Trivy scan
+ needs: build
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+ - name: Install skopeo
+ run: |
+ sudo snap install --devmode --channel edge skopeo
+ - name: Install yq
+ run: |
+ sudo snap install yq
+ - uses: actions/download-artifact@v3
+ with:
+ name: charmed-mysql-rock
+ - name: Import locally
+ run: |
+ app=$(yq .name rockcraft.yaml)
+ version=$(yq '(.version)' rockcraft.yaml)
+ base=$(yq '(.base|split(":"))[1]' rockcraft.yaml)
+ tag=${version}-${base}_edge
+
+ sudo skopeo --insecure-policy copy \
+ oci-archive:${app}_${tag}_amd64.rock \
+ docker-daemon:trivy/charmed-mysql:test
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: 'trivy/charmed-mysql:test'
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ severity: 'MEDIUM,HIGH,CRITICAL'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ if: always()
+ with:
+ sarif_file: 'trivy-results.sarif'
From 1a377555400b475c5c52603ff7a03904f9c8a541 Mon Sep 17 00:00:00 2001
From: Raul Zamora
Date: Thu, 9 Nov 2023 11:15:19 +0200
Subject: [PATCH 2/4] fix rockcraft
---
 .github/workflows/build.yaml | 2 +-
 rockcraft.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
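Review bot: `uses: aquasecurity/trivy-action@master` pins the scanner to a mutable branch, so every run executes whatever a third party currently has on master and a bad or compromised push there lands straight in this job; pin it to a release tag or a full commit SHA (`uses: aquasecurity/trivy-action@<release-tag-or-commit-sha>`), as the other actions in this file already use versioned refs. The workflow also declares no `permissions:` block, yet `github/codeql-action/upload-sarif@v2` needs `security-events: write`; adding `permissions: { contents: read, security-events: write }` at the top or on the `scan` job states the requirement explicitly and keeps the token at least privilege for the remaining steps. `sudo snap install --devmode --channel edge skopeo` installs an unconfined, unstable-channel snap only to copy a local OCI archive into the daemon; the stable channel without `--devmode` would be the safer default if it serves this use, which the diff alone cannot confirm. Finally, `docker-daemon:trivy/charmed-mysql:test` and `image-ref: 'trivy/charmed-mysql:test'` hard-code the name that `app=$(yq .name rockcraft.yaml)` already derives two lines earlier, so the two can drift apart.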
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 8865648..d47508a 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -27,8 +27,8 @@ jobs:
 version=$(yq '(.version|split("-"))[0]' rockcraft.yaml)
 base=$(yq '(.base|split(":"))[1]' rockcraft.yaml)
 tag=${version}-${base}_edge
- sed -i "s/${app_version}/${tag}/g" rockcraft.yaml
 rockcraft pack
+ mv charmed-mysql_${version}_amd64.rock charmed-mysql_${tag}_amd64.rock
 - name: Upload rockcraft logs
 if: ${{ failure() && steps.pack.outcome == 'failure' }}
 uses: actions/upload-artifact@v3
diff --git a/rockcraft.yaml b/rockcraft.yaml
index 712ff1d..5750eb0 100644
--- a/rockcraft.yaml
+++ b/rockcraft.yaml
@@ -1,5 +1,5 @@
 name: charmed-mysql # the name of your ROCK
-base: ubuntu:22.04 # the base environment for this ROCK
+base: ubuntu@22.04 # the base environment for this ROCK
 version: '8.0.34' # just for humans. Semantic versioning is recommended
 summary: Charmed MySQL ROCK OCI # 79 char long summary
 description: |
From e5e04cb6c7fad37e23564b6f5daf45508e2bed0a Mon Sep 17 00:00:00 2001
From: Raul Zamora
Date: Thu, 9 Nov 2023 11:20:43 +0200
Subject: [PATCH 3/4] fix
---
 .github/workflows/build.yaml | 2 +-
 .github/workflows/publish.yaml | 2 +-
 .github/workflows/sbom.yaml | 2 +-
 .github/workflows/trivy.yaml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index d47508a..4771cd7 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -25,7 +25,7 @@ jobs:
 run: |
 app_version=$(yq '.version' rockcraft.yaml)
 version=$(yq '(.version|split("-"))[0]' rockcraft.yaml)
- base=$(yq '(.base|split(":"))[1]' rockcraft.yaml)
+ base=$(yq '(.base|split("@"))[1]' rockcraft.yaml)
 tag=${version}-${base}_edge
 rockcraft pack
 mv charmed-mysql_${version}_amd64.rock charmed-mysql_${tag}_amd64.rock
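Review bot: The added `mv charmed-mysql_${version}_amd64.rock charmed-mysql_${tag}_amd64.rock` hard-codes the rock name that the sibling workflows derive with `app=$(yq .name rockcraft.yaml)`, so a rename in rockcraft.yaml would break only this step; deriving it the same way, `app=$(yq .name rockcraft.yaml)` followed by `mv "${app}_${version}_amd64.rock" "${app}_${tag}_amd64.rock"`, keeps the workflows consistent and quotes the expansions. With the `sed` rewrite removed, `version` comes from `.version|split("-")[0]` while `rockcraft pack` presumably names its output after the full `.version` field, so a version carrying a `-` suffix would leave the `mv` source missing; worth a comment on the `version=` line stating that assumption, or using the full value for the source name. The `run:` block this sits in starts before the hunk.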
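Review bot: `app_version=$(yq '.version' rockcraft.yaml)` on the second context line is now dead code: its only consumer was the `sed -i "s/${app_version}/${tag}/g"` line that the previous commit in this series removed, so the assignment should go with it. Beyond that, `split("@")[1]` silently yields an empty `base` (and a tag of the form `8.0.34-_edge`) if `base:` in rockcraft.yaml ever loses the `@`; a guard after the assignment such as `[ -n "$base" ] || { echo "base in rockcraft.yaml has no @ suffix" >&2; exit 1; }` makes the failure explicit instead of producing a misnamed artifact. The `run:` block ends past the hunk.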
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index bd62edc..857614c 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -42,7 +42,7 @@ jobs:
 run: |
 app=$(yq .name rockcraft.yaml)
 version=$(yq '(.version)' rockcraft.yaml)
- base=$(yq '(.base|split(":"))[1]' rockcraft.yaml)
+ base=$(yq '(.base|split("@"))[1]' rockcraft.yaml)
 tag=${version}-${base}_edge
 sudo skopeo --insecure-policy copy \
 oci-archive:${app}_${tag}_amd64.rock \
diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml
index 01691df..5ed05eb 100644
--- a/.github/workflows/sbom.yaml
+++ b/.github/workflows/sbom.yaml
@@ -18,7 +18,7 @@ jobs:
 - name: Set tag
 run: |
 version=$(yq '(.version|split("-"))[0]' rockcraft.yaml)
- base=$(yq '(.base|split(":"))[1]' rockcraft.yaml)
+ base=$(yq '(.base|split("@"))[1]' rockcraft.yaml)
 echo "tag=${version}-${base}_edge" >> "$GITHUB_ENV"
 - uses: actions/download-artifact@v3
 with:
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
index 4bb77be..6e27c3b 100644
--- a/.github/workflows/trivy.yaml
+++ b/.github/workflows/trivy.yaml
@@ -26,7 +26,7 @@ jobs:
 run: |
 app=$(yq .name rockcraft.yaml)
 version=$(yq '(.version)' rockcraft.yaml)
- base=$(yq '(.base|split(":"))[1]' rockcraft.yaml)
+ base=$(yq '(.base|split("@"))[1]' rockcraft.yaml)
 tag=${version}-${base}_edge

 sudo skopeo --insecure-policy copy \
From 63e0ec013d460bad605747d7340bd06584449482 Mon Sep 17 00:00:00 2001
From: Paulo Machado
Date: Fri, 16 Aug 2024 16:40:17 -0300
Subject: [PATCH 4/4] bump to match snap
---
 rockcraft.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rockcraft.yaml b/rockcraft.yaml
index 9a64d43..6b8d7aa 100644
--- a/rockcraft.yaml
+++ b/rockcraft.yaml
@@ -1,6 +1,6 @@
 name: charmed-mysql
 base: ubuntu@22.04
-version: '8.0.37'
+version: '8.0.39'
 summary: Charmed MySQL ROCK OCI
 description: |
 MySQL built from the official MySQL package
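Review bot: The same `base=$(yq '(.base|split("@"))[1]' rockcraft.yaml)` line is now maintained by hand in four workflows (build.yaml, publish.yaml, sbom.yaml and trivy.yaml in this series), and this commit shows the cost: one format change in rockcraft.yaml has to be chased through every copy. Computing the tag once in build.yaml and exposing it as a job output, or moving the three `yq` lines into a small composite action, would leave a single place to fix. Note also that `version` is not derived the same way everywhere: this hunk and the trivy.yaml hunk use the full `(.version)`, while build.yaml and sbom.yaml use `(.version|split("-"))[0]`, so the `oci-archive:${app}_${tag}_amd64.rock` path here would stop matching the `charmed-mysql_${tag}_amd64.rock` file build.yaml produces as soon as `.version` carries a `-` suffix; changing publish.yaml and trivy.yaml to `version=$(yq '(.version|split("-"))[0]' rockcraft.yaml)` aligns them with the producer. The `run:` blocks in these hunks continue past the hunk ends.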