Initial github actions for automated build & security scans #10
Conversation
device-plugins: - Improve build.sh to take proper --ver, --repo, and --push arguments - Add a workflow which runs build.sh, Trivy which scans both the source code and resulting docker image for vulnerable dependencies, and ClamAV to scan for malware. - Add a workflow to scan for static analysis problems with Coverity. Requires COVERITY_TOKEN secret to be present in the repository. qemu: - Add a workflow which builds the patched QEMU, based on kubevirt-patch/README.md. Also enable Trivy & ClamAV scans. This does not yet build or scan the full kubevirt environment. Signed-off-by: Byron Marohn <byron.marohn@intel.com>
Signed-off-by: Byron Marohn <byron.marohn@intel.com>
|
Please check to have Coverity Scan |
|
Coverity scan is enabled but not on pull request - it'll run every day on main and update the coverity dashboard, which will send out notifications. In the future I'd like to enhance this to provide immediate feedback on pull requests but won't be able to do that for this initial implementation. |
@byron-marohn : Can you please put the link of coverity dashboard |
- kubevirt components should work, but currently run out of space on the github actions runner Additional improvements: - Add release tarball artifact for device-plugins-for-kubernetes - Add EDV_VERSION environment variable to all jobs for consistent Versioning - Add EDV_HOME environment variable to easily reference top-level code directory - Improve device-plugins-for-kubernetes/build.sh to update the version in the deployment manifest Signed-off-by: Byron Marohn <byron.marohn@intel.com>
byron-marohn
force-pushed
the
byron_initial_githubactions
branch
from
5f549ac to
d04c799
Compare
|
@byron-marohn : Updated the device plugin docker base image from alpine to debian:stable-slim Hopefully no functional impact. @dmkarthi : Do confirm from your side as well. |
Build succeeded functional testing is yet to complete, also @byron-marohn can you update the name mf-device-plugin to device-plugin and increment the version as v1.1 |
byron-marohn
force-pushed
the
byron_initial_githubactions
branch
from
a8ebf48 to
675ca9f
Compare
- Improved shared actions file with some limited settings - Cleaned up disk space on runner to make room for kubevirt build - Caching to make kubevirt not have to build for 30m every time - Misc cleanup to other working actions Signed-off-by: Byron Marohn <byron.marohn@intel.com>
byron-marohn
force-pushed
the
byron_initial_githubactions
branch
from
675ca9f to
3430568
Compare
|
|
||
| # Build the Docker image | ||
| echo "Building the Docker image..." | ||
| docker build --no-cache -t "$DOCKER_REPO/mf-device-plugin:$VER" . |
There was a problem hiding this comment.
@byron-marohn : This still has mf-device-plugin
| # Push the Docker image if --push is specified | ||
| if [[ $PUSH == "true" ]]; then | ||
| echo "Pushing the Docker image to the repository..." | ||
| ! docker push "$DOCKER_REPO/mf-device-plugin:$VER" |
There was a problem hiding this comment.
mf has to be removed from everywhere as Maverick Flats (MF) was internal code name
There was a problem hiding this comment.
This can be taken care in subsequent ongoing PR. So merging this.
device-plugins:
qemu:
Kubevirt: