diff --git a/.github/actions/awk-matcher.json b/.github/actions/awk-matcher.json
deleted file mode 100644
index 852a723577..0000000000
--- a/.github/actions/awk-matcher.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "problemMatcher": [
- {
- "owner": "awk",
- "pattern": [
- {
- "regexp": "^([^:]+):([^ ]+) (([^:]+):.*)$",
- "file": 1, "line": 2, "message": 3, "severity": 4
- }
- ]
- }
- ]
-}
diff --git a/.github/actions/trivy/action.yaml b/.github/actions/trivy/action.yaml
index d5d51e0441..a2e3a2bc3a 100644
--- a/.github/actions/trivy/action.yaml
+++ b/.github/actions/trivy/action.yaml
@@ -1,39 +1,68 @@ +# Copyright 2024 - 2025 Crunchy Data Solutions, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# +# schema documentation: https://docs.github.com/actions/sharing-automations/creating-actions/metadata-syntax-for-github-actions +# yaml-language-server: $schema=https://json.schemastore.org/github-action.json + name: Trivy description: Scan this project using Trivy # The Trivy team maintains an action, but it has trouble caching its vulnerability data: # https://github.com/aquasecurity/trivy-action/issues/389 # +# 1. It caches vulnerability data once per calendar day, despite Trivy wanting +# to download more frequently than that. +# 2. When it fails to download the data, it fails the workflow *and* caches +# the incomplete data. +# 3. When (1) and (2) coincide, every following run that day *must* update the data, +# producing more opportunities for (2) and more failed workflows. +# # The action below uses any recent cache matching `cache-prefix` and calculates a cache key -# derived from the data Trivy downloads. +# derived from the data Trivy downloads. An older database is better than no scans at all. +# When a run successfully updates the data, that data is cached and available to other runs. inputs: cache: default: restore,success,use description: >- What Trivy data to cache; one or more of restore, save, success, or use. + The value "use" instructs Trivy to read and write to its cache. + The value "restore" loads the Trivy cache from GitHub. + The value "success" saves the Trivy cache to GitHub when Trivy succeeds. + The value "save" saves the Trivy cache to GitHub regardless of Trivy. database: default: update description: >- How Trivy should handle its data; one of update or skip. + The value "skip" fetches no Trivy data at all. setup: - default: v0.57.1,cache + default: v0.62.1,cache description: >- How to install Trivy; one or more of version, none, or cache. + The value "none" does not install Trivy at all. 
cache-directory: default: ${{ github.workspace }}/.cache/trivy + description: >- + Directory where Trivy should store its data cache-prefix: default: cache-trivy + description: >- + Name (key) where Trivy data should be stored in the GitHub cache scan-target: default: . + description: >- + What Trivy should scan scan-type: - default: filesystem + default: repository + description: >- + How Trivy should interpret scan-target; one of filesystem, image, repository, or sbom. runs: using: composite @@ -50,11 +79,12 @@ runs: "setup=\(split("[,\\s]+"; "") - [""])", "version=\(split("[,\\s]+"; "") | max_by(split("[v.]"; "") | map(tonumber?)))" ' - ) | tee --append $GITHUB_OUTPUT + ) | tee --append "${GITHUB_OUTPUT}" # Install Trivy as requested. + # NOTE: `setup-trivy` can download a "latest" version but cannot cache it. - if: ${{ ! contains(fromJSON(steps.parsed.outputs.setup), 'none') }} - uses: aquasecurity/setup-trivy@v0.2.2 + uses: aquasecurity/setup-trivy@v0.2.3 with: cache: ${{ contains(fromJSON(steps.parsed.outputs.setup), 'cache') }} version: ${{ steps.parsed.outputs.version }} @@ -75,12 +105,13 @@ runs: TRIVY_SKIP_CHECK_UPDATE: ${{ inputs.database == 'skip' }} TRIVY_SKIP_DB_UPDATE: ${{ inputs.database == 'skip' }} TRIVY_SKIP_JAVA_DB_UPDATE: ${{ inputs.database == 'skip' }} + TRIVY_SKIP_VEX_REPO_UPDATE: ${{ inputs.database == 'skip' }} run: | # Run Trivy trivy '${{ inputs.scan-type }}' '${{ inputs.scan-target }}' || result=$? checksum=$([[ -z "${TRIVY_CACHE_DIR}" ]] || cat "${TRIVY_CACHE_DIR}/"*/metadata.json | sha256sum) - echo 'cache-key=${{ inputs.cache-prefix }}-'"${checksum%% *}" >> $GITHUB_OUTPUT + echo 'cache-key=${{ inputs.cache-prefix }}-'"${checksum%% *}" >> "${GITHUB_OUTPUT}" exit "${result-0}" diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 639a059edc..4d7feef57b 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
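Review bot: The `scan-type` default moves from `filesystem` to `repository`, but the new description only lists the accepted values and says nothing about how the two modes differ, so a caller that omits the input (the `trivy.yaml` workflow later in this diff passes none) cannot tell from the action alone whether its scan coverage changed. I would add one sentence to that description, e.g. `Note: the default changed from filesystem to repository; consult the Trivy documentation for how these targets differ.` The `cache` description has a similar gap: it defines `save` and `success` separately but not what happens when both are listed, which the default `restore,success,use` invites a reader to wonder about.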
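Review bot: `uses: aquasecurity/setup-trivy@v0.2.3` still references the third-party action by a mutable tag, so the code this step runs can change after review without any diff here; the conventional hardening is to pin the full commit SHA and keep the tag as a trailing comment, `uses: aquasecurity/setup-trivy@<commit-sha-placeholder> # v0.2.3`. Dependabot, which this same diff extends to `.github/actions/*`, keeps SHA-pinned references and their tag comments updated, so the bump workflow is unchanged. The same applies to `golangci/golangci-lint-action@v8` and `actions/setup-go@v5` in the `lint.yaml` hunk below.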
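Review bot: The quoting fix for `"${GITHUB_OUTPUT}"` leaves the line above it, `trivy '${{ inputs.scan-type }}' '${{ inputs.scan-target }}' || result=$?`, still splicing action inputs into the shell script at template-expansion time, and single quotes do not help when a value itself contains a quote; the inputs are free-form strings from the calling workflow, so this is a robustness rather than an exposure concern here, but it is the pattern the expression-injection guidance warns about. Since the step already has an `env:` block (it begins above the hunk), the usual fix is to add `SCAN_TYPE: ${{ inputs.scan-type }}` and `SCAN_TARGET: ${{ inputs.scan-target }}` there and run `trivy "${SCAN_TYPE}" "${SCAN_TARGET}" || result=$?`, so the values reach the shell as data rather than as script text.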
@@ -1,13 +1,17 @@ -# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file -# https://docs.github.com/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates +# Copyright 2024 - 2025 Crunchy Data Solutions, Inc. # -# See: https://www.github.com/dependabot/dependabot-core/issues/4605 ---- +# SPDX-License-Identifier: Apache-2.0 +# +# documentation: https://docs.github.com/code-security/dependabot/dependabot-version-updates +# schema documentation: https://docs.github.com/code-security/dependabot/working-with-dependabot/dependabot-options-reference # yaml-language-server: $schema=https://json.schemastore.org/dependabot-2.0.json +--- version: 2 updates: - package-ecosystem: github-actions - directory: / + directories: + - '/' + - '.github/actions/*' schedule: interval: weekly day: tuesday diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 5f3670f574..f164e72a43 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -19,7 +19,7 @@ jobs: - uses: actions/setup-go@v5 with: { go-version: stable } - - uses: golangci/golangci-lint-action@v7 + - uses: golangci/golangci-lint-action@v8 with: version: latest args: --timeout=5m diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index de07b96c08..43c4371182 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml @@ -29,6 +29,9 @@ jobs: TRIVY_DOWNLOAD_DB_ONLY: true TRIVY_NO_PROGRESS: true TRIVY_SCANNERS: license,secret,vuln + with: + cache: restore,success,use + database: update licenses: # Run this job after the cache job regardless of its success or failure.
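Review bot: The two new `directories` entries are written in different forms: `'/'` is an absolute repository path while `'.github/actions/*'` has no leading slash. Dependabot's documentation gives directories relative to the repository root with a leading `/`, so I would write `- '/.github/actions/*'` so both entries read the same way and the glob is unambiguous; whether the slash-less form is honored is worth confirming in the Dependabot logs after merge rather than assumed.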