Skip to content
Build & Release

Bump trufflesecurity/trufflehog from 3.78.0 to 3.81.10 #5053

Sign in to view logs

Bump trufflesecurity/trufflehog from 3.78.0 to 3.81.10

Bump trufflesecurity/trufflehog from 3.78.0 to 3.81.10 #5053

Workflow file for this run

.github/workflows/build.yml at 5b4f41b
# Copyright 2022 MONAI Consortium
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: Build & Release
on:
pull_request:
push:
workflow_dispatch:
env:
BUILD_CONFIG: "Release"
SOLUTION: "Monai.Deploy.WorkflowManager.sln"
jobs:
build-and-deploy:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
include:
- dockerfile: WorkflowManager.Dockerfile
image: ghcr.io/project-monai/monai-deploy-workflow-manager
- dockerfile: TaskManager.Dockerfile
image: ghcr.io/project-monai/monai-deploy-task-manager
- dockerfile: CallbackApp.Dockerfile
image: ghcr.io/project-monai/monai-deploy-task-manager-callback
outputs:
semVer: ${{ steps.gitversion.outputs.semVer }}
majorMinorPatch: ${{ steps.gitversion.outputs.majorMinorPatch }}
env:
REGISTRY: ghcr.io
permissions:
packages: write
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Install GitVersion
run: dotnet tool install --global GitVersion.Tool
- name: Determine Version
id: gitversion
uses: gittools/actions/gitversion/[email protected]
with:
useConfigFile: true
updateAssemblyInfo: true
updateAssemblyInfoFilename: src/AssemblyInfo.cs
configFilePath: .github/.gitversion.yml
- name: Print Assembly File
run: cat src/AssemblyInfo.cs
- name: Log in to the Container registry
uses: docker/[email protected]
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/[email protected]
with:
images: ${{ matrix.image }}
tags: |
type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
type=raw,value=${{ steps.gitversion.outputs.semVer }}
- name: Build and Push Container Image for ${{ matrix.dockerfile }}
uses: docker/[email protected]
with:
context: .
push: ${{ contains(github.ref, 'refs/heads/main') || contains(github.ref, 'refs/heads/develop') ||contains(github.head_ref, 'release/') || contains(github.head_ref, 'feature/') || contains(github.head_ref, 'develop') }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
file: ${{ matrix.dockerfile }}
- name: Dockle Container Scanner
uses: erzz/dockle-action@v1
continue-on-error: true
if: ${{ contains(github.ref, 'refs/heads/main') || contains(github.head_ref, 'release/') }}
with:
image: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
report-format: sarif
report-name: dockle-report
failure-threshold: fatal
- name: Upload Dockle SARIF Report
uses: github/codeql-action/upload-sarif@v2
continue-on-error: true
if: ${{ contains(github.ref, 'refs/heads/main') || contains(github.head_ref, 'release/') }}
with:
sarif_file: dockle-report.sarif
- name: Trivy Vulnerability Scanner
uses: aquasecurity/trivy-action@master
continue-on-error: true
if: ${{ contains(github.ref, 'refs/heads/main') || contains(github.head_ref, 'release/') }}
with:
image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy SARIF Report
uses: github/codeql-action/upload-sarif@v2
continue-on-error: true
if: ${{ contains(github.ref, 'refs/heads/main') || contains(github.head_ref, 'release/') }}
with:
sarif_file: 'trivy-results.sarif'
- name: Anchore Container Scan
id: anchore-scan
uses: anchore/[email protected]
continue-on-error: true
if: ${{ contains(github.ref, 'refs/heads/main') || contains(github.head_ref, 'release/') }}
with:
image: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
fail-build: true
severity-cutoff: high
acs-report-enable: true
- name: Upload Anchore Scan SARIF Report
uses: github/codeql-action/upload-sarif@v2
continue-on-error: true
if: ${{ contains(github.ref, 'refs/heads/main') || contains(github.head_ref, 'release/') }}
with:
sarif_file: ${{ steps.anchore-scan.outputs.sarif }}
token: ${{ secrets.GITHUB_TOKEN }}
docs:
runs-on: windows-latest
needs: [build-and-deploy]
env:
SEMVER: ${{ needs.build-and-deploy.outputs.semVer }}
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- uses: actions/setup-dotnet@v3
with:
dotnet-version: "8.0.x"
- name: Enable NuGet cache
uses: actions/[email protected]
with:
path: ~/.nuget/packages
key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.lock.json') }}
restore-keys: |
${{ runner.os }}-nuget
- name: Setup DocFX
uses: crazy-max/ghaction-chocolatey@v3
with:
args: install docfx
- name: Restore dependencies
run: dotnet restore
working-directory: ./src
- name: Build Solution
run: dotnet build -c ${{ env.BUILD_CONFIG }} --nologo ${{ env.SOLUTION }}
working-directory: ./src
- name: Update docs version
run: |
sed -i -e "s,v0.0.0,v${{ env.SEMVER }},g" ./docs/docfx.json
sed -i -e "s,v0.0.0,v${{ env.SEMVER }},g" ./docs/index.md
- name: Build Docs
working-directory: docs
run: docfx docfx.json
continue-on-error: false
- name: Package docs
run: |
mkdir ~\release
Compress-Archive -Path docs\_site\* -DestinationPath ~\release\mwm-docs-${{ env.SEMVER }}.zip
Get-ChildItem ~\release -Recurse
- name: Upload docs
uses: actions/[email protected]
with:
name: artifacts
path: ~/release
retention-days: 7
release:
if: ${{ contains(github.ref, 'refs/heads/main') || contains(github.ref, 'refs/heads/develop') ||contains(github.head_ref, 'release/') || contains(github.head_ref, 'feature/') || contains(github.head_ref, 'develop') }}
runs-on: ubuntu-latest
needs: [build-and-deploy, docs]
env:
SEMVER: ${{ needs.build-and-deploy.outputs.semVer }}
MAJORMINORPATCH: ${{ needs.build-and-deploy.outputs.majorMinorPatch }}
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- uses: actions/download-artifact@v3
id: download
- name: List artifacts
run: ls -ldR ${{steps.download.outputs.download-path}}/**/*
- name: Extract owner and repo
uses: jungwinter/split@v2
id: repo
with:
separator: "/"
msg: ${{ github.repository }}
- name: Install GitReleaseManager
uses: gittools/actions/gitreleasemanager/[email protected]
with:
versionSpec: "0.13.x"
- name: Create release with GitReleaseManager
uses: gittools/actions/gitreleasemanager/[email protected]
with:
token: ${{ secrets.GITHUB_TOKEN }}
owner: ${{ steps.repo.outputs._0 }}
repository: ${{ steps.repo.outputs._1 }}
milestone: ${{ env.MAJORMINORPATCH }}
name: "Release v${{ env.MAJORMINORPATCH }}"
assets: |
artifacts/mwm-docs-${{ env.SEMVER }}.zip
- name: Publish release with GitReleaseManager
uses: gittools/actions/gitreleasemanager/[email protected]
if: ${{ contains(github.ref, 'refs/heads/main') }}
with:
token: ${{ secrets.GITHUB_TOKEN }}
owner: ${{ steps.repo.outputs._0 }}
repository: ${{ steps.repo.outputs._1 }}
tagName: ${{ env.MAJORMINORPATCH }}
- name: Close release with GitReleaseManager
uses: gittools/actions/gitreleasemanager/[email protected]
if: ${{ contains(github.ref, 'refs/heads/main') }}
with:
token: ${{ secrets.GITHUB_TOKEN }}
owner: ${{ steps.repo.outputs._0 }}
repository: ${{ steps.repo.outputs._1 }}
milestone: ${{ env.MAJORMINORPATCH }}
- name: Unzip docs
if: ${{ contains(github.ref, 'refs/heads/main') }}
run: |
mkdir userguide
unzip artifacts/mwm-docs-${{ env.SEMVER }}.zip -d userguide/
ls -lR userguide/
- name: Deploy Docs
uses: peaceiris/actions-gh-pages@v4
if: ${{ contains(github.ref, 'refs/heads/main') }}
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: userguide/
publish_branch: docs