Merge branch 'main' into modulesync

voxpupuli · Sep 6, 2024 · ea9a660 · ea9a660
2 parents 698379c + 5424a9a
commit ea9a660
Show file tree

Hide file tree

Showing 3 changed files with 83 additions and 32 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -49,37 +49,6 @@ jobs:
             PUPPET_RELEASE=${{ matrix.release }}
             PUPPETDB_VERSION=${{ matrix.version }}
 
-      - name: Login to Docker Hub
-        uses: docker/login-action@v3
-        with:
-          username: voxpupulibot
-          password: ${{ secrets.DOCKERHUB_BOT_PASSWORD }}
-
-      - name: Analyze container image for CVEs
-        id: analyze-image-cves
-        uses: docker/scout-action@v1
-        with:
-          command: cves
-          image: 'local://ci/puppetdb:${{ matrix.version }}'
-          sarif-file: sarif.output.${{ matrix.version }}.${{ github.sha }}.json
-          write-comment: false
-
-      - name: Compare container image to latest from Registry
-        id: compare-image
-        uses: docker/scout-action@v1
-        with:
-          command: compare
-          image: 'local://ci/puppetdb:${{ matrix.version }}'
-          to: 'ghcr.io/voxpupuli/puppetdb:${{ matrix.version }}-latest'
-          summary: true
-          keep-previous-comments: true
-
-      - name: Upload SARIF result
-        id: upload-sarif
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: sarif.output.${{ matrix.version }}.${{ github.sha }}.json
-
   tests:
     needs:
       - general_ci
@@ -88,3 +57,24 @@ jobs:
     name: Test suite
     steps:
       - run: echo Test suite completed
+
+  dependabot:
+    permissions:
+      contents: write
+    name: 'Dependabot auto-merge'
+    needs:
+      - tests
+    runs-on: ubuntu-latest
+    if: ${{ github.actor == 'dependabot[bot]' && github.event_name == 'pull_request'}}
+    steps:
+      - name: Dependabot metadata
+        id: metadata
+        uses: dependabot/[email protected]
+        with:
+          github-token: '${{ secrets.GITHUB_TOKEN }}'
+
+      - name: Enable auto-merge for Dependabot PRs
+        run: gh pr merge --auto --merge "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
diff --git a/.github/workflows/security_scanning.yml b/.github/workflows/security_scanning.yml
@@ -0,0 +1,61 @@
+---
+name: Security Scanning 🕵️
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  setup-matrix:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+    steps:
+      - name: Source checkout
+        uses: actions/checkout@v4
+
+      - id: set-matrix
+        run: echo "matrix=$(jq -c . build_versions.json)" >> $GITHUB_OUTPUT
+
+  scan_ci_container:
+    name: 'Scan CI container'
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    needs: setup-matrix
+    strategy:
+      matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Build CI container
+        uses: docker/build-push-action@v6
+        with:
+          tags: 'ci/puppetdb:${{ matrix.version }}'
+          context: puppetdb
+          push: false
+          build-args: |
+            PUPPET_RELEASE=${{ matrix.release }}
+            PUPPETDB_VERSION=${{ matrix.version }}
+
+      - name: Scan image with Anchore Grype
+        uses: anchore/scan-action@v4
+        id: scan
+        with:
+          image: 'ci/puppetdb:${{ matrix.version }}'
+          fail-build: false
+
+      - name: Inspect action SARIF report
+        run: jq . ${{ steps.scan.outputs.sarif }}
+
+      - name: Upload Anchore scan SARIF report
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
diff --git a/README.md b/README.md
@@ -75,7 +75,7 @@ docker pull ghcr.io/voxpupuli/puppetdb:7.13.0-v1.2.1
 | **PUPPETDB_NODE_TTL**                   | Mark as ‘expired’ nodes that haven’t seen any activity (no new catalogs, facts, or reports) in the specified amount of time<br><br>`7d` |
 | **PUPPETDB_NODE_PURGE_TTL**             | Automatically delete nodes that have been deactivated or expired for the specified amount of time<br><br>`14d`                          |
 | **PUPPETDB_REPORT_TTL**                 | Automatically delete reports that are older than the specified amount of time<br><br>`14d`                                              |
-| **PUPPETDB_JAVA_ARGS**                  | Arguments passed directly to the JVM when starting the service<br><br>`-Djava.net.preferIPv4Stack=true -Xms256m -Xmx256m -XX:+UseParallelGC -Xloggc:/opt/puppetlabs/server/data/puppetdb/logs/puppetdb_gc.log -Djdk.tls.ephemeralDHKeySize=2048` |
+| **PUPPETDB_JAVA_ARGS**                  | Arguments passed directly to the JVM when starting the service<br><br>`-Djava.net.preferIPv4Stack=true -Xms256m -Xmx256m -XX:+UseParallelGC -Xlog:gc*:file=$LOGDIR/puppetdb_gc.log -Djdk.tls.ephemeralDHKeySize=2048` |
 | **LOGDIR**                              | Path of the log directory<br><br>`/opt/puppetlabs/server/data/puppetdb/logs`                                                            |
 | **SSLDIR**                              | Path of the SSL directory<br><br>`/opt/puppetlabs/server/data/puppetdb/certs`                                                           |