-
Notifications
You must be signed in to change notification settings - Fork 0
68 lines (55 loc) · 2.24 KB
/
core.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
# SPDX-FileCopyrightText: 2021 Belcan Advanced Solutions
# SPDX-FileCopyrightText: 2021 Kaelan Thijs Fouwels <[email protected]>
#
# SPDX-License-Identifier: Apache-2.0
name: Core
on:
push:
env:
REPO: ${{github.repository}}
REGISTRY: containers.fouwels.app
GOSEC_VERSION: 2.8.0
STATICCHECK_VERSION: 2021.1
ARCH: linux_amd64
jobs:
code-security:
runs-on: ubuntu-latest
name: Code Security (MITRE)
steps:
- id: vars
run: echo ::set-output name=TAG::${GITHUB_REF##*/}
- name: Print headers
run: echo "Running for target ${{env.REGISTRY}}/${{env.REPO}}:${{steps.vars.outputs.TAG}} in ${GITHUB_WORKSPACE}"
- name: Checkout repo
uses: actions/checkout@master
with:
lfs: true
- run: echo Working in ${GITHUB_WORKSPACE}
- name: Downloading and extracting gosec ${{env.GOSEC_VERSION}}
run: wget https://github.com/securego/gosec/releases/download/v${{env.GOSEC_VERSION}}/gosec_${{env.GOSEC_VERSION}}_${{env.ARCH}}.tar.gz -O gosec.tar.gz && tar -xzf gosec.tar.gz
- name: Run gosec/MITRE static security scanner (init)
run: cd ${GITHUB_WORKSPACE}/init && ${GITHUB_WORKSPACE}/gosec -exclude=G307,G306,G302,G204 ./...
static-check:
runs-on: ubuntu-latest
name: Code Security (static checks)
steps:
- id: vars
run: echo ::set-output name=TAG::${GITHUB_REF##*/}
- name: Print headers
run: echo "Running for target ${{env.REGISTRY}}/${{env.REPO}}:${{steps.vars.outputs.TAG}} in ${GITHUB_WORKSPACE}"
- name: Checkout repo
uses: actions/checkout@master
with:
lfs: true
- run: echo Working in ${GITHUB_WORKSPACE}
- name: Downloading and extracting static check ${{env.GOSEC_VERSION}}
run: wget https://github.com/dominikh/go-tools/releases/download/${{env.STATICCHECK_VERSION}}/staticcheck_${{env.ARCH}}.tar.gz -O staticcheck.tar.gz && tar -xzf staticcheck.tar.gz
- name: Run static checks (init)
run: cd ${GITHUB_WORKSPACE}/init && ${GITHUB_WORKSPACE}/staticcheck/staticcheck ./...
licencing:
runs-on: ubuntu-latest
name: Licensing (SPDX)
steps:
- uses: actions/checkout@v2
- name: REUSE Compliance Check
uses: fsfe/reuse-action@v1