v6.3.2 #1742
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| # | |
| # Documentation: | |
| # https://help.github.com/en/articles/workflow-syntax-for-github-actions | |
| # | |
| ####################################### | |
| # Start the job on all push to master # | |
| ####################################### | |
| name: "Build & Deploy - PROD" | |
| on: | |
| push: | |
| branches: | |
| - "main" | |
| ############### | |
| # Set the Job # | |
| ############### | |
| jobs: | |
| deploy: | |
| name: Deploy beta | |
| runs-on: ubuntu-latest | |
| permissions: read-all | |
| environment: | |
| name: beta | |
| steps: | |
| - uses: actions/checkout@v4 | |
| # Setup .npmrc file to publish to npm | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: 20 | |
| registry-url: "https://registry.npmjs.org" | |
| always-auth: true | |
| # Defaults to the user or organization that owns the workflow file | |
| scope: "hardisgroupcom" | |
| - run: yarn install --frozen-lockfile | |
| - run: yarn config set version-git-tag false && tsc -b | |
| - run: BETAID=$(date '+%Y%m%d%H%M') && yarn version --prepatch --preid="beta$BETAID" | |
| - run: yarn config set network-timeout 300000 && yarn publish --tag beta | |
| env: | |
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | |
| push_beta_to_registry: | |
| name: Push Beta Docker image to Docker Hub | |
| needs: deploy | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: write | |
| security-events: write # Added permission for security-events | |
| environment: | |
| name: beta | |
| steps: | |
| - name: Check out the repo | |
| uses: actions/checkout@v4 | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build & Push Docker Image (Beta) | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| file: Dockerfile | |
| platforms: linux/amd64 | |
| build-args: | | |
| SFDX_HARDIS_VERSION=beta | |
| SFDX_CLI_VERSION=latest | |
| load: false | |
| push: true | |
| secrets: | | |
| GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} | |
| tags: | | |
| docker.io/hardisgroupcom/sfdx-hardis:beta | |
| ghcr.io/hardisgroupcom/sfdx-hardis:beta | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: ghcr.io/hardisgroupcom/sfdx-hardis:beta | |
| format: "table" | |
| output: sfdx-hardis-trivy-image-beta-results.txt | |
| exit-code: "1" | |
| vuln-type: "os,library" | |
| severity: "CRITICAL,HIGH" | |
| - name: Generate Trivy security report | |
| uses: aquasecurity/trivy-action@master | |
| if: always() | |
| with: | |
| image-ref: ghcr.io/hardisgroupcom/sfdx-hardis:beta | |
| format: "sarif" | |
| output: sfdx-hardis-trivy-image-beta-results.sarif | |
| vuln-type: "os,library" | |
| severity: "CRITICAL,HIGH" | |
| - name: Generate SBOM (CycloneDX format) | |
| uses: aquasecurity/trivy-action@master | |
| if: always() | |
| with: | |
| image-ref: ghcr.io/hardisgroupcom/sfdx-hardis:beta | |
| format: "cyclonedx" | |
| output: "sfdx-hardis-image-sbom-beta.cyclonedx.json" | |
| scan-type: "image" | |
| - name: Generate SBOM (SPDX format) | |
| uses: aquasecurity/trivy-action@master | |
| if: always() | |
| with: | |
| image-ref: ghcr.io/hardisgroupcom/sfdx-hardis:beta | |
| format: "spdx-json" | |
| output: "sfdx-hardis-image-sbom-beta.spdx.json" | |
| scan-type: "image" | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: sfdx-hardis-trivy-image-beta-results.sarif | |
| category: "trivy" | |
| - name: Upload SBOM and Security artifacts | |
| uses: actions/upload-artifact@v4 | |
| if: always() | |
| with: | |
| name: security-and-sbom-documents | |
| path: | | |
| sfdx-hardis-image-sbom-beta.cyclonedx.json | |
| sfdx-hardis-image-sbom-beta.spdx.json | |
| sfdx-hardis-trivy-image-beta-results.txt | |
| sfdx-hardis-trivy-image-beta-results.sarif | |
| push_beta_to_registry_sfdx_recommended: | |
| name: Push Beta Docker image to Docker Hub (with @salesforce/cli version recommended by hardis) | |
| needs: deploy | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: write | |
| environment: | |
| name: beta | |
| steps: | |
| - name: Check out the repo | |
| uses: actions/checkout@v4 | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build & Push Docker Image (Beta recommended) | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| file: Dockerfile | |
| platforms: linux/amd64 | |
| build-args: | | |
| SFDX_HARDIS_VERSION=beta | |
| SFDX_CLI_VERSION=latest | |
| load: false | |
| push: true | |
| secrets: | | |
| GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} | |
| tags: | | |
| docker.io/hardisgroupcom/sfdx-hardis:beta-sfdx-recommended | |
| ghcr.io/hardisgroupcom/sfdx-hardis:beta-sfdx-recommended | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: "docker.io/hardisgroupcom/sfdx-hardis:beta-sfdx-recommended" | |
| format: "table" | |
| exit-code: "1" | |
| vuln-type: "os,library" | |
| severity: "CRITICAL,HIGH" | |
| push_beta_ubuntu_to_registry: | |
| name: Push Beta Ubuntu Docker image to Docker Hub | |
| needs: deploy | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: write | |
| security-events: write # Added permission for security-events | |
| environment: | |
| name: beta | |
| steps: | |
| - name: Check out the repo | |
| uses: actions/checkout@v4 | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build & Push Ubuntu Docker Image (Beta) | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| file: Dockerfile-ubuntu | |
| platforms: linux/amd64 | |
| build-args: | | |
| SFDX_HARDIS_VERSION=beta | |
| SFDX_CLI_VERSION=latest | |
| load: false | |
| push: true | |
| secrets: | | |
| GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} | |
| tags: | | |
| docker.io/hardisgroupcom/sfdx-hardis-ubuntu:beta | |
| ghcr.io/hardisgroupcom/sfdx-hardis-ubuntu:beta | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: ghcr.io/hardisgroupcom/sfdx-hardis-ubuntu:beta | |
| format: "table" | |
| output: sfdx-hardis-ubuntu-trivy-image-beta-results.txt | |
| exit-code: "1" | |
| vuln-type: "os,library" | |
| severity: "CRITICAL,HIGH" | |
| - name: Generate Trivy security report | |
| uses: aquasecurity/trivy-action@master | |
| if: always() | |
| with: | |
| image-ref: ghcr.io/hardisgroupcom/sfdx-hardis-ubuntu:beta | |
| format: "sarif" | |
| output: sfdx-hardis-ubuntu-trivy-image-beta-results.sarif | |
| vuln-type: "os,library" | |
| severity: "CRITICAL,HIGH" | |
| - name: Generate SBOM (CycloneDX format) | |
| uses: aquasecurity/trivy-action@master | |
| if: always() | |
| with: | |
| image-ref: ghcr.io/hardisgroupcom/sfdx-hardis-ubuntu:beta | |
| format: "cyclonedx" | |
| output: "sfdx-hardis-ubuntu-image-sbom-beta.cyclonedx.json" | |
| scan-type: "image" | |
| - name: Generate SBOM (SPDX format) | |
| uses: aquasecurity/trivy-action@master | |
| if: always() | |
| with: | |
| image-ref: ghcr.io/hardisgroupcom/sfdx-hardis-ubuntu:beta | |
| format: "spdx-json" | |
| output: "sfdx-hardis-ubuntu-image-sbom-beta.spdx.json" | |
| scan-type: "image" | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: sfdx-hardis-ubuntu-trivy-image-beta-results.sarif | |
| category: "trivy-ubuntu" | |
| - name: Upload SBOM and Security artifacts | |
| uses: actions/upload-artifact@v4 | |
| if: always() | |
| with: | |
| name: security-and-sbom-documents-ubuntu | |
| path: | | |
| sfdx-hardis-ubuntu-image-sbom-beta.cyclonedx.json | |
| sfdx-hardis-ubuntu-image-sbom-beta.spdx.json | |
| sfdx-hardis-ubuntu-trivy-image-beta-results.txt | |
| sfdx-hardis-ubuntu-trivy-image-beta-results.sarif | |
| push_beta_ubuntu_to_registry_sfdx_recommended: | |
| name: Push Beta Ubuntu Docker image to Docker Hub (with @salesforce/cli version recommended by hardis) | |
| needs: deploy | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: write | |
| environment: | |
| name: beta | |
| steps: | |
| - name: Check out the repo | |
| uses: actions/checkout@v4 | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build & Push Ubuntu Docker Image (Beta recommended) | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| file: Dockerfile-ubuntu | |
| platforms: linux/amd64 | |
| build-args: | | |
| SFDX_HARDIS_VERSION=beta | |
| SFDX_CLI_VERSION=latest | |
| load: false | |
| push: true | |
| secrets: | | |
| GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} | |
| tags: | | |
| docker.io/hardisgroupcom/sfdx-hardis-ubuntu:beta-sfdx-recommended | |
| ghcr.io/hardisgroupcom/sfdx-hardis-ubuntu:beta-sfdx-recommended | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: "docker.io/hardisgroupcom/sfdx-hardis-ubuntu:beta-sfdx-recommended" | |
| format: "table" | |
| exit-code: "1" | |
| vuln-type: "os,library" | |
| severity: "CRITICAL,HIGH" |