diff --git a/.github/workflows/build-trivy.yml b/.github/workflows/build-trivy.yml
new file mode 100644
index 0000000..e5bded8
--- /dev/null
+++ b/.github/workflows/build-trivy.yml
@@ -0,0 +1,96 @@
+---
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+################################################################################
+# DO NOT EDIT THIS FILE!
+#
+# 1. Edit the *.gotmpl.yml files instead.
+# 2. Run 'go run generate-workflow.go -p {package} -t {template}'.
+################################################################################
+
+name: Build trivy
+on:
+  workflow_dispatch:
+  push:
+    branches: [main]
+    paths:
+      - ".github/workflows/build-trivy.yml"
+  pull_request:
+    branches: [main]
+    paths:
+      - ".github/workflows/build-trivy.yml"
+  schedule:
+    - cron: '10 16 * * *'
+
+# Variables available to all jobs defined in this file
+env:
+  DOCKER_BUILDKIT: 1
+  REGISTRY: ${{ vars.REGISTRY }}
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  lookup:
+    runs-on: ubuntu-latest
+    name: Lookup current version
+    permissions:
+      packages: write
+      contents: read
+    strategy:
+      fail-fast: false
+
+    container:
+      image: ghcr.io/northwood-labs/package-builder/ubuntu-v22.04:latest
+      credentials:
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    outputs:
+      cache_hit: ${{ steps.check.outputs.cache-hit }}
+      package_version: ${{ steps.lookup_version.outputs.package_version }}
+
+    steps:
+      - name: Lookup latest version of package
+        id: lookup_version
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          echo "package_version=$(download-asset latest-tag -r 'aquasecurity/trivy' -s)" >> $GITHUB_OUTPUT
+
+      - name: Check to see if we've already built this version
+        uses: actions/cache/restore@v4
+        id: check
+        with:
+          key: "tenv-${{ steps.lookup_version.outputs.package_version }}"
+          path: "packages/trivy/dist"
+          lookup-only: true
+
+  build:
+    if: needs.lookup.outputs.cache_hit != 'true'
+    needs: lookup
+    name: Build and cache
+    uses: northwood-labs/package-building/.github/workflows/build-and-cache.yml@main
+    secrets: inherit
+    with:
+      package-name: "trivy"
+      package-version: ${{ needs.lookup.outputs.package_version }}
+
+  upload:
+    if: needs.lookup.outputs.cache_hit != 'true'
+    needs: build
+    name: Upload to S3
+    uses: northwood-labs/package-building/.github/workflows/upload-to-s3.yml@main
+    secrets: inherit
+    with:
+      package-name: "trivy"
+      package-version: ${{ needs.lookup.outputs.package_version }}
+
+  metadata:
+    if: needs.lookup.outputs.cache_hit != 'true'
+    needs: upload
+    name: Generate metadata
+    uses: northwood-labs/package-building/.github/workflows/generate-rpm-meta.yml@main
+    secrets: inherit
diff --git a/packages/trivy/.goreleaser.yml b/packages/trivy/.goreleaser.yml
new file mode 100644
index 0000000..ee7aba5
--- /dev/null
+++ b/packages/trivy/.goreleaser.yml
@@ -0,0 +1,24 @@
+---
+# https://goreleaser.com/customization/project/
+project_name: trivy
+
+variables:
+  Vendor: Aqua Security
+  VendorHomepage: https://aquasecurity.github.io/trivy
+  License: Apache-2.0
+  Description: |-
+    Find vulnerabilities, misconfigurations, secrets, SBOM in containers,
+    Kubernetes, code repositories, clouds and more.
+
+# https://goreleaser.com/customization/includes/
+includes:
+  - from_file:
+      path: ../shared.yml
+
+# https://goreleaser.com/customization/hooks/
+before:
+  hooks:
+    - cmd: |
+        bash ./download.sh
+      output: true
+      dir: .
diff --git a/packages/trivy/download.sh b/packages/trivy/download.sh
new file mode 100644
index 0000000..5dd7579
--- /dev/null
+++ b/packages/trivy/download.sh
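Review bot: The cache key in the `check` step, `key: "tenv-${{ steps.lookup_version.outputs.package_version }}"`, is not namespaced by this package, so an entry left by another package using the same `tenv-` prefix with a coinciding version tag would report `cache_hit` as `true` and silently skip the build, upload and metadata jobs for trivy; `key: "trivy-${{ steps.lookup_version.outputs.package_version }}"` (derived from the template's package parameter) is what the `path: "packages/trivy/dist"` line suggests was intended. Since the header says the file is generated, that fix belongs in the `*.gotmpl.yml` template rather than in this file. The three reusable workflows are referenced at `@main` and the builder image at `:latest`, both mutable refs, and `secrets: inherit` hands every repository secret to those workflows; pinning to a commit SHA and an image digest would make the build reproducible and limit exposure to upstream changes, and the trust placed in the `package-building` repository is worth a comment. In the `lookup_version` step the tag string is written unquoted via `>> $GITHUB_OUTPUT`; `>> "$GITHUB_OUTPUT"` is the conventional form, and since the value comes from an external release tag, a note on whether `download-asset -s` sanitizes it would help readers.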
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# linux/amd64 (Intel64)
+download-asset get \
+  --owner-repo "aquasecurity/trivy" \
+  --pattern "trivy_{{.Ver}}_Linux-ARM64.{{.Ext}}" \
+  --archive-path "trivy" \
+  --write-to-bin "trivy_amd64" \
+  ;
+
+# linux/arm64 (ARM64)
+download-asset get \
+  --owner-repo "aquasecurity/trivy" \
+  --pattern "trivy_{{.Ver}}_Linux-64bit.{{.Ext}}" \
+  --archive-path "trivy" \
+  --write-to-bin "trivy_arm64" \
+  ;
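Review bot: The two `--pattern` values are swapped relative to the output names: the block commented `# linux/amd64 (Intel64)` fetches `trivy_{{.Ver}}_Linux-ARM64.{{.Ext}}` and writes it to `trivy_amd64`, while the `# linux/arm64 (ARM64)` block fetches `Linux-64bit` into `trivy_arm64`, so each package would ship the other architecture's binary (upstream names its amd64 asset `Linux-64bit` and its arm64 asset `Linux-ARM64`, which is also what the comments here assume; confirm against a release page). Exchanging the two lines fixes it: `--pattern "trivy_{{.Ver}}_Linux-64bit.{{.Ext}}"` in the amd64 call and `--pattern "trivy_{{.Ver}}_Linux-ARM64.{{.Ext}}"` in the arm64 call. Nothing in the script verifies a checksum or signature of the downloaded archive; whether `download-asset get` does that internally is not visible here, and if it does not, a comment stating where release integrity is checked would help a reader of this packaging step.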