m4.2_advanced_middleware_api/.github/workflows/reusable-check.yml at d3cb9cac374c3cf0338755b283637013c8a71d63 · fairagro/m4.2_advanced_middleware_api · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
name: Reusable Check

permissions:
  contents: read

on:
  workflow_call:
    inputs:
      version:  # required if skip is false, but allowing default to enable skipping both checks when no code changes
        description: 'Version calculated in Build phase'
        required: false
        type: string
        default: ''
      components:
        description: 'A JSON string array of components to check'
        required: false
        type: string
        default: '["api"]'
      skip:
        description: 'Exit immediately with success without running any checks (for PRs with no code changes)'
        required: false
        type: boolean
        default: false

env:
  IMAGE_BASE_NAME: ${{ vars.IMAGE_BASE_NAME || 'fairagro-advanced-middleware' }}
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true

jobs:
  licence-check:
    name: Licence Check
    if: ${{ !inputs.skip }}
    runs-on: ubuntu-latest
    strategy:
      matrix:
        component: ${{ fromJson(inputs.components) }}
    permissions:
      contents: read

    steps:
      - name: Download Docker image artifact
        uses: actions/download-artifact@v8
        with:
          name: docker-image-${{ matrix.component }}-${{ inputs.version }}

      - name: Load Docker image
        run: |
          docker load < docker-image-${{ matrix.component }}.tar.gz
          IMAGE_TAG="local/${{ env.IMAGE_BASE_NAME }}-${{ matrix.component }}:${{ inputs.version }}"
          echo "LICENCE_IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV

      - name: Run Trivy licence scanner
        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25
        with:
          image-ref: ${{ env.LICENCE_IMAGE_TAG }}
          format: 'table'
          scan-type: 'image'
          scanners: 'license'
          severity: 'CRITICAL,HIGH'

  security-check:
    name: Security Check
    if: ${{ !inputs.skip }}
    runs-on: ubuntu-latest
    strategy:
      matrix:
        component: ${{ fromJson(inputs.components) }}
    permissions:
      contents: read
      security-events: write

    steps:
      - name: Download Docker image artifact
        uses: actions/download-artifact@v8
        with:
          name: docker-image-${{ matrix.component }}-${{ inputs.version }}

      - name: Download SBOM artifact
        uses: actions/download-artifact@v8
        with:
          name: sbom-${{ matrix.component }}-${{ inputs.version }}

      - name: Load Docker image
        run: |
          docker load < docker-image-${{ matrix.component }}.tar.gz
          IMAGE_TAG="local/${{ env.IMAGE_BASE_NAME }}-${{ matrix.component }}:${{ inputs.version }}"
          echo "SCAN_IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV

      - name: Run Trivy Vulnerability Scan (Image)
        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25
        with:
          image-ref: ${{ env.SCAN_IMAGE_TAG }}
          format: 'sarif'
          output: 'trivy-image-results.sarif'
          severity: 'CRITICAL,HIGH'

      - name: Run Trivy Vulnerability Scan (SBOM)
        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25
        with:
          image-ref: 'sbom-${{ matrix.component }}.spdx.json'
          scan-type: 'sbom'
          format: 'sarif'
          output: 'trivy-sbom-results.sarif'
          severity: 'CRITICAL,HIGH'

      - name: Upload Trivy scan results
        uses: github/codeql-action/upload-sarif@v4
        if: always()
        with:
          sarif_file: 'trivy-image-results.sarif'
          category: "trivy-image-scan-${{ matrix.component }}"

      - name: Upload Trivy SBOM scan results
        uses: github/codeql-action/upload-sarif@v4
        if: always()
        with:
          sarif_file: 'trivy-sbom-results.sarif'
          category: "trivy-sbom-scan-${{ matrix.component }}"

  container-structure-tests:
    name: Container Structure Tests
    strategy:
      matrix:
        component: ${{ fromJson(inputs.components) }}
    runs-on: ubuntu-latest
    permissions:
      contents: read

    steps:
      - name: No code changes — skipping checks
        if: ${{ inputs.skip }}
        run: echo "No code files changed. Exiting with success."

      - name: Checkout code
        if: ${{ !inputs.skip }}
        uses: actions/checkout@v6

      - name: Download Docker image artifact
        if: ${{ !inputs.skip }}
        uses: actions/download-artifact@v8
        with:
          name: docker-image-${{ matrix.component }}-${{ inputs.version }}

      - name: Load Docker image
        if: ${{ !inputs.skip }}
        run: |
          docker load < docker-image-${{ matrix.component }}.tar.gz
          IMAGE_TAG="local/${{ env.IMAGE_BASE_NAME }}-${{ matrix.component }}:${{ inputs.version }}"
          echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV

      - name: Run Container Structure Tests
        if: ${{ !inputs.skip }}
        uses: plexsystems/container-structure-test-action@v0.3.0
        with:
          image: ${{ env.IMAGE_TAG }}
          config: docker/container-structure-tests/${{ matrix.component }}.yaml