Merge pull request #1607 from FalkorDB/dependabot/npm_and_yarn/stagin… #3944
| name: Build | |
| on: | |
| push: | |
| branches: ["main", "staging"] | |
| paths-ignore: | |
| - '**/*.md' | |
| - 'LICENSE.txt' | |
| - 'helm/**' | |
| - '.github/workflows/helm-chart.yml' | |
| - '.github/dependabot.yml' | |
| pull_request: | |
| paths-ignore: | |
| - '**/*.md' | |
| - 'LICENSE.txt' | |
| - 'helm/**' | |
| - '.github/workflows/helm-chart.yml' | |
| - '.github/dependabot.yml' | |
| # Allows you to run this workflow manually from the Actions tab | |
| workflow_dispatch: | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| # Build job | |
| build: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| security-events: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - name: Setup Node | |
| uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 | |
| with: | |
| node-version: "24" | |
| cache: npm | |
| - name: Restore cache | |
| uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 | |
| with: | |
| path: | | |
| .next/cache | |
| # Generate a new cache whenever packages or source files change. | |
| key: ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json') }}-${{ hashFiles('**.[jt]s', '**.[jt]sx') }} | |
| # If source files changed but packages didn't, rebuild from a prior cache. | |
| restore-keys: | | |
| ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json') }}- | |
| - name: Install dependencies | |
| run: npm ci --no-audit --progress=false | |
| - name: Build with Next.js | |
| run: npx next build | |
| security-scan: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| security-events: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 | |
| - name: Build Docker image | |
| uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7 | |
| with: | |
| context: . | |
| file: ./Dockerfile | |
| push: false | |
| tags: falkordb/falkordb-browser:test | |
| load: true | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| - name: Run Trivy vulnerability scanner | |
| id: trivy-scan | |
| uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 | |
| continue-on-error: true | |
| with: | |
| image-ref: 'falkordb/falkordb-browser:test' | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| scanners: 'vuln' | |
| vuln-type: 'os,library' | |
| severity: 'HIGH,CRITICAL' | |
| version: 'v0.69.2' | |
| - name: Check scan outcome | |
| if: always() | |
| run: | | |
| echo "Trivy scan outcome: ${{ steps.trivy-scan.outcome }}" | |
| echo "Trivy scan conclusion: ${{ steps.trivy-scan.conclusion }}" | |
| if [ -f trivy-results.sarif ]; then | |
| echo "SARIF file exists, checking for vulnerabilities..." | |
| cat trivy-results.sarif | |
| else | |
| echo "SARIF file not found!" | |
| fi | |
| - name: Upload Trivy results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4 | |
| if: always() | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| - name: Generate Trivy report for PR | |
| if: github.event_name == 'pull_request' | |
| uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 | |
| continue-on-error: true | |
| with: | |
| image-ref: 'falkordb/falkordb-browser:test' | |
| format: 'table' | |
| output: 'trivy-results.txt' | |
| ignore-unfixed: true | |
| scanners: 'vuln' | |
| vuln-type: 'os,library' | |
| severity: 'HIGH,CRITICAL' | |
| skip-setup-trivy: true | |
| - name: Comment PR with Trivy results | |
| if: github.event_name == 'pull_request' | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 | |
| with: | |
| script: | | |
| const fs = require('fs'); | |
| let comment; | |
| if (fs.existsSync('trivy-results.txt')) { | |
| const report = fs.readFileSync('trivy-results.txt', 'utf8'); | |
| comment = `## 🔒 Trivy Security Scan Results\n\n\`\`\`\n${report}\n\`\`\`\n`; | |
| } else { | |
| comment = `## 🔒 Trivy Security Scan Results\n\n✅ No HIGH or CRITICAL vulnerabilities detected in the Docker image.`; | |
| } | |
| // Find existing comment | |
| const { data: comments } = await github.rest.issues.listComments({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: context.issue.number, | |
| }); | |
| const botComment = comments.find(comment => | |
| comment.user.type === 'Bot' && | |
| comment.body.includes('🔒 Trivy Security Scan Results') | |
| ); | |
| if (botComment) { | |
| // Update existing comment | |
| await github.rest.issues.updateComment({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| comment_id: botComment.id, | |
| body: comment | |
| }); | |
| } else { | |
| // Create new comment | |
| await github.rest.issues.createComment({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: context.issue.number, | |
| body: comment | |
| }); | |
| } | |
| - name: Enforce HIGH/CRITICAL vulnerability threshold | |
| uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 | |
| with: | |
| image-ref: 'falkordb/falkordb-browser:test' | |
| format: 'table' | |
| output: 'trivy-enforce.txt' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| scanners: 'vuln' | |
| vuln-type: 'os,library' | |
| severity: 'HIGH,CRITICAL' | |
| skip-setup-trivy: true | |
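Review bot: The `build` job's `permissions` block grants `pull-requests: write` and `security-events: write`, yet none of its steps (checkout, setup-node, cache, `npm ci`, `npx next build`) comments on PRs or uploads SARIF; only the `security-scan` job uses those scopes. Trimming it to `permissions: { contents: read }` keeps that job's GITHUB_TOKEN at least privilege while the pinned third-party actions run under it. Separately, in the github-script step the callback `comments.find(comment => ...)` shadows the outer `let comment` that holds the report body, which makes the later `body: comment` harder to read; renaming the parameter, e.g. `comments.find(c => c.user.type === 'Bot' && c.body.includes('🔒 Trivy Security Scan Results'))`, removes the ambiguity. If Trivy's table format writes `trivy-results.txt` even with no findings, the `else` branch that posts the "No HIGH or CRITICAL vulnerabilities" message may never run and a clean scan would post an empty code block instead; worth confirming against a clean run.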