ci: harden workflows; add trivy scanning;

Signed-off-by: Jan Larwig <jan@larwig.com>
2026-03-14 15:54:27 +08:00 · 2026-03-14 15:54:27 +08:00 · 231332c554
parent e59f7c1549
commit 231332c554
2 changed files with 38 additions and 15 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -7,18 +7,21 @@ on:
  pull_request:
    branches:
      - '**'
+  workflow_dispatch:
+
 permissions:
  contents: read
  id-token: write
+  security-events: write

 jobs:
  build:
    runs-on: ubuntu-latest
-    env:
-      COVER: true
    steps:
    - name: Check out code
      uses: actions/checkout@v6
+      with:
+        fetch-depth: 0

    - name: Get Go version
      run: |
@ -33,11 +36,10 @@ jobs:
        check-latest: true

    - name: Install golangci-lint
-      env:
-        # renovate: datasource=github-tags depName=golangci/golangci-lint
-        GOLANGCI_LINT_VERSION: v2.8.0
-      run: |
-        curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin ${GOLANGCI_LINT_VERSION}
+      uses: golangci/golangci-lint-action@v9
+      with:
+        install-only: true
+        version: v2.8.0 # renovate: datasource=github-tags depName=golangci/golangci-lint

    - name: Verify Code Generation
      run: |
@ -59,13 +61,15 @@ jobs:
        make release

    - name: Test
+      env:
+        COVER: true
      run: |
        make test

    - name: Generate Coverage Report
      if: github.event_name == 'push'
      run: |
-        go install github.com/jandelgado/gcov2lcov@latest
+        go install github.com/jandelgado/gcov2lcov@25681830fb515e3d4c117e136b4f049e21efb4d0
        gcov2lcov -infile=c.out -outfile=lcov.info

    - name: Upload Coverage Report
@ -75,11 +79,30 @@ jobs:
        oidc: true
        files: lcov.info

+    - name: Run Trivy vulnerability scanner
+      if: (!startsWith(github.head_ref, 'release'))
+      uses: aquasecurity/trivy-action@0.35.0
+      with:
+        scan-type: 'rootfs'
+        scan-ref: './oauth2-proxy'
+        severity: 'CRITICAL,HIGH'
+        hide-progress: true
+        format: 'sarif'
+        output: 'trivy-results.sarif'
+        exit-code: '0'
+
+    - name: Upload Trivy scan results
+      uses: github/codeql-action/upload-sarif@v4
+      with:
+        sarif_file: 'trivy-results.sarif'
+
  docker:
    runs-on: ubuntu-latest
    steps:
    - name: Check out code
      uses: actions/checkout@v6
+      with:
+        fetch-depth: 0

    - name: Set up QEMU
      uses: docker/setup-qemu-action@v3
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@ -55,14 +55,14 @@ jobs:
        go-version: ${{ steps.go-version.outputs.version }}
        check-latest: true

-    - name: Get dependencies
-      env:
-        # renovate: datasource=github-tags depName=golangci/golangci-lint
-        GOLANGCI_LINT_VERSION: v2.8.0
-      run: |
-        curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin ${GOLANGCI_LINT_VERSION}
+    - name: Install golangci-lint
+      uses: golangci/golangci-lint-action@v9
+      with:
+        install-only: true
+        version: v2.8.0 # renovate: datasource=github-tags depName=golangci/golangci-lint

-        # Install go dependencies
+    - name: Get go dependencies
+      run: |
        go mod download

    - name: Build Artifacts