375c35c5a1
* chore: update to go 1.22 Only go toolchain version is updated. We compile with go 1.22, but we allow others to compile using language version 1.21 if they wish to. If we also updated the go version in go.mod everyone would be forced to update, as that is enforced as a minimum allowed version. This comment explains the difference well enough https://news.ycombinator.com/item?id=36455759 Signed-off-by: Andrei Aaron <aaaron@luxoft.com> * chore: fix freeBSD AMD64 build Looks like they made some cleanup in the logic allowing buildmode pie on various platforms. Related to https://github.com/golang/go/issues/31544 See the code at: https://cs.opensource.google/go/go/+/master:src/internal/platform/supported.go;l=222-231;drc=d7fcb5cf80953f1d63246f1ae9defa60c5ce2d76;bpv=1;bpt=0 Signed-off-by: Andrei Aaron <aaaron@luxoft.com> --------- Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
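# Builds each zot flavor, starts it locally with one sample image, and runs
# an OWASP ZAP baseline scan against the registry's /v2/ API.
name: 'Security web scan for zot'

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  release:
    types:
      - published

# Least privilege: the workflow token may only read repository contents.
# The ZAP step below has issue writing disabled, so no write scope is needed.
permissions:
  contents: read

jobs:
  zap_scan:
    runs-on: ubuntu-latest-4-cores
    name: Scan ZOT using ZAP
    strategy:
      matrix:
        flavor: [zot-linux-amd64-minimal, zot-linux-amd64]
    steps:
      # NOTE(review): every `uses:` in this job references a mutable tag.
      # Pinning each action to a full commit SHA would stop a moved tag from
      # changing what runs in this job.
      - name: Install go
        uses: actions/setup-go@v5
        with:
          cache: false
          go-version: '1.22.x'
      - name: Checkout
        uses: actions/checkout@v4
      - name: Build zot
        run: |
          echo "Building $FLAVOR"
          cd "$GITHUB_WORKSPACE"
          if [[ $FLAVOR == "zot-linux-amd64-minimal" ]]; then
            make binary-minimal
          else
            make binary
          fi
          ls -l bin/
        env:
          FLAVOR: ${{ matrix.flavor }}
      - name: Bringup zot server
        run: |
          # upload images, zot can serve OCI image layouts directly like so
          mkdir /tmp/zot
          skopeo copy --format=oci docker://busybox:latest oci:/tmp/zot/busybox:latest
          # start zot
          # The binary name comes from the FLAVOR environment variable rather
          # than a ${{ }} expression, so the script text stays fixed and the
          # matrix value is only ever treated as data by the shell.
          if [[ $FLAVOR == "zot-linux-amd64-minimal" ]]; then
            "./bin/$FLAVOR" serve examples/config-conformance.json &
          else
            "./bin/$FLAVOR" serve examples/config-ui.json &
          fi
          # wait until service is up, but give up after 120 attempts so a
          # server that never starts fails the job instead of hanging it
          up=0
          for attempt in $(seq 1 120); do
            if curl -f http://localhost:8080/v2/; then
              up=1
              break
            fi
            sleep 1
          done
          if [[ $up -ne 1 ]]; then
            echo "zot did not become ready on http://localhost:8080/v2/" >&2
            exit 1
          fi
        env:
          FLAVOR: ${{ matrix.flavor }}
      - name: ZAP Scan Rest API
        uses: zaproxy/action-baseline@v0.11.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # NOTE(review): ZAP's container images are now published as
          # ghcr.io/zaproxy/zaproxy; confirm this older image name is still
          # being updated before relying on its scan rules.
          docker_name: 'owasp/zap2docker-stable'
          target: 'http://localhost:8080/v2/'
          # Per-rule handling is read from this file in the repository.
          rules_file_name: '.zap/rules.tsv'
          # -a: include alpha passive scan rules; -j: also run the Ajax spider.
          cmd_options: '-a -j'
          # Findings are not filed as GitHub issues, which matches the
          # read-only token permissions declared at the top of the workflow.
          allow_issue_writing: false
          # Alerts reported by ZAP fail the job rather than pass silently.
          fail_action: true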