ASH Running as non-root user #242
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: ASH - Core Pipeline | |
on: | |
push: | |
branches: | |
- '*' | |
tags: | |
- '*' | |
pull_request: | |
branches: | |
- '*' | |
permissions: | |
actions: read | |
checks: write | |
contents: write | |
id-token: write | |
security-events: write | |
pull-requests: write | |
env: | |
PYTHON_VERSION: "3.12" | |
jobs: | |
build: | |
strategy: | |
matrix: | |
runner: | |
# - macos-14 # Docker support on this runner is not working yet, still no options for ARM in hosted :-( | |
- ubuntu-latest | |
name: ASH Build & Scan - ${{ matrix.runner }} | |
runs-on: ${{ matrix.runner }} | |
env: | |
IMG_NAME: ${{ github.repository }} | |
ARCH: ${{ matrix.runner == 'ubuntu-latest' && 'amd64' || 'arm64' }} | |
SUMMARY_FILE: 'ASH Scan Result Summary - ${{ matrix.runner }}.md' | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Setup docker | |
if: runner.os == 'macos' | |
run: | | |
brew install docker | |
docker info | |
- name: Set up Docker Buildx | |
if: runner.os == 'macos' | |
uses: docker/setup-buildx-action@v3 | |
with: | |
platforms: "linux/${{ env.ARCH }}" | |
# - name: Set container metadata | |
# id: metadata | |
# uses: docker/metadata-action@v5 | |
# with: | |
# images: ${{ env.IMG_NAME }} | |
# tags: | | |
# type=raw,value=latest | |
# type=raw,value=${{ env.ARCH }} | |
# type=raw,value={{sha}},enable=${{ github.ref_type != 'tag' }} | |
# - name: Build image | |
# uses: docker/build-push-action@v5 | |
# with: | |
# context: '.' | |
# push: false | |
# tags: ${{ steps.metadata.outputs.tags }} | |
# labels: ${{ steps.metadata.outputs.labels }} | |
- name: Run ASH against itself | |
id: ash | |
run: |- | |
# Disable exit on error | |
set +e | |
# Run ASH against itself | |
./ash --source-dir $(pwd) --output-dir ash_output --container-uid 1001 --container-gid 123 --debug | \ | |
tee ash_stdout.txt | |
# cat the output contents to build the summary markdown | |
# strip out the color codes from the output | |
ASH_STDOUT=$(cat ash_stdout.txt | sed 's/\x1b\[[0-9;]*[mGKHF]//g') | |
ASH_AGG_RESULTS=$(cat ash_output/aggregated_results.txt | sed 's/\x1b\[[0-9;]*[mGKHF]//g') | |
# Write the summary markdown to a file | |
cat << EOF | tee "${{ env.SUMMARY_FILE }}" | tee -a "${GITHUB_STEP_SUMMARY}" | |
## ASH Scan Output - ${{ env.ARCH }} - ${{ matrix.runner }} | |
\`\`\`bash | |
$ cat ash_stdout.txt | |
${ASH_STDOUT} | |
\`\`\` | |
<details> | |
<summary>Show aggregated_results.txt</summary> | |
\`\`\`bash | |
${ASH_AGG_RESULTS} | |
\`\`\` | |
</details> | |
EOF | |
# Write the summary markdown to the GITHUB_OUTPUT | |
{ | |
echo 'ASH_OUTPUT<<EOF' | |
cat "${{ env.SUMMARY_FILE }}" | |
echo EOF | |
} >> "$GITHUB_OUTPUT" | |
# Exit with the highest return code from ASH | |
set -e | |
typeset -i ASH_EXIT_CODE | |
# ASH_EXIT_CODE=`sed -nE "s/.*Highest return code is ([0-9]+)/\1/p" ash_stdout.txt` | |
ASH_EXIT_CODE=`perl -ne 'print "$1\n" if /Highest return code is ([[:digit:]]+)/' ash_stdout.txt` | |
echo "Highest return code found is '$ASH_EXIT_CODE'" | |
if [ $ASH_EXIT_CODE -eq 0 ]; then | |
echo "ASH scan succeeded" | |
exit 0 | |
else | |
echo "ASH scan failed" | |
exit $ASH_EXIT_CODE | |
fi | |
- name: Post ASH output as PR comment | |
uses: mshick/add-pr-comment@v2 | |
# This does not work for fork runs without setting up a proxy | |
# Info: https://github.com/mshick/add-pr-comment#proxy-for-fork-based-prshttps://github.com/mshick/add-pr-comment#proxy-for-fork-based-prs | |
if: github.repository_owner == 'awslabs' | |
continue-on-error: true | |
with: | |
message: | | |
${{ steps.ash.outputs.ASH_OUTPUT }} | |
- name: Collect summary | |
uses: actions/upload-artifact@v4 | |
if: always() | |
continue-on-error: true | |
with: | |
name: Summary | |
path: "${{ env.SUMMARY_FILE }}" | |
- name: Collect ash_stdout | |
uses: actions/upload-artifact@v4 | |
if: always() | |
continue-on-error: true | |
with: | |
name: ash_stdout | |
path: ash_stdout.txt | |
if-no-files-found: error | |
- name: Collect ash_output artifact | |
uses: actions/upload-artifact@v4 | |
if: always() | |
continue-on-error: false | |
with: | |
name: ash_output | |
path: ash_output | |
if-no-files-found: error | |
build-docs: | |
name: Build documentation | |
needs: [] | |
runs-on: ubuntu-latest | |
if: github.event_name == 'pull_request' || (github.event_name == 'push' && github.ref != 'refs/heads/main') | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Set up Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: ${{ env.PYTHON_VERSION }} | |
cache: 'pip' | |
- name: Install dependencies | |
run: pip install -r requirements.txt | |
- name: Build documentation | |
run: mkdocs build --clean | |
deploy-docs: | |
name: Deploy documentation | |
needs: [] | |
runs-on: ubuntu-latest | |
if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Set up Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: ${{ env.PYTHON_VERSION }} | |
cache: 'pip' | |
- name: Install dependencies | |
run: pip install -r requirements.txt | |
- name: Deploy documentation | |
run: mkdocs gh-deploy --clean --force |