mirror of
https://github.com/aquasecurity/trivy-action.git
synced 2026-05-14 03:02:40 +00:00
Nikita Pivkin
314ff8b431
* ci: migrate from PAT to GitHub App token * chore: remove unnecessary declaration of permissions
78 lines
2.7 KiB
YAML
78 lines
2.7 KiB
YAML
name: Bump trivy
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
trivy_version:
|
|
required: true
|
|
type: string
|
|
description: 'The Trivy version in x.x.x format'
|
|
|
|
run-name: Bump trivy to v${{ inputs.trivy_version }}
|
|
|
|
permissions: {}
|
|
|
|
jobs:
|
|
bump:
|
|
runs-on: ubuntu-2404-2core
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Update Trivy versions
|
|
env:
|
|
NEW_VERSION: ${{ inputs.trivy_version }}
|
|
run: make bump-trivy
|
|
|
|
- name: Setup Bats and bats libs
|
|
id: setup-bats
|
|
uses: bats-core/bats-action@77d6fb60505b4d0d1d73e48bd035b55074bbfb43 # 4.0.0
|
|
|
|
- name: Install Trivy
|
|
run: make ensure-trivy TRIVY_INSTALL_DIR=/usr/local/bin
|
|
|
|
- name: Update golden files
|
|
env:
|
|
BATS_LIB_PATH: ${{ steps.setup-bats.outputs.lib-path }}
|
|
run: make update-golden
|
|
|
|
- name: Run tests
|
|
env:
|
|
BATS_LIB_PATH: ${{ steps.setup-bats.outputs.lib-path }}
|
|
run: make test
|
|
|
|
# Use a GitHub App token because GITHUB_TOKEN does not trigger CI on PRs created by workflows
|
|
- name: Generate token
|
|
id: app-token
|
|
uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
|
|
with:
|
|
client-id: ${{ secrets.REPO_TRIVY_ACTION_WRITE_GH_APP_CLIENT_ID }}
|
|
private-key: ${{ secrets.REPO_TRIVY_ACTION_WRITE_GH_APP_PRIVATE_KEY }}
|
|
owner: ${{ github.repository_owner }}
|
|
repositories: ${{ github.event.repository.name }}
|
|
|
|
- name: Create PR
|
|
env:
|
|
GH_TOKEN: ${{ steps.app-token.outputs.token }}
|
|
TRIVY_VERSION: ${{ inputs.trivy_version }}
|
|
REPO: ${{ github.repository }}
|
|
BASE_BRANCH: ${{ github.event.repository.default_branch }}
|
|
run: |
|
|
gh auth setup-git
|
|
git config user.name "GitHub Actions"
|
|
git config user.email "actions@github.com"
|
|
BRANCH="bump-trivy-${TRIVY_VERSION}"
|
|
git checkout -b "${BRANCH}"
|
|
git add action.yaml README.md test/
|
|
git commit -m "chore(deps): Update trivy to v${TRIVY_VERSION}"
|
|
git push origin "${BRANCH}"
|
|
PR_RESPONSE=$(gh api repos/${REPO}/pulls \
|
|
--method POST \
|
|
--field title="chore(deps): Update trivy to v${TRIVY_VERSION}" \
|
|
--field body="This PR was automatically generated by the bump-trivy workflow." \
|
|
--field base="${BASE_BRANCH}" \
|
|
--field head="${BRANCH}")
|
|
echo "Pull Request Number - $(echo "${PR_RESPONSE}" | jq -r '.number')"
|
|
echo "Pull Request URL - $(echo "${PR_RESPONSE}" | jq -r '.html_url')"
|