Refactor workflows - user reusable workflows (#2504)

Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
2025-06-27 10:51:20 +03:00
parent 4a6e862d57
commit a35201ac1c
16 changed files with 429 additions and 239 deletions
--- a/.github/workflows/reusable_workflow_trivy-scan.yaml
+++ b/.github/workflows/reusable_workflow_trivy-scan.yaml
@@ -0,0 +1,108 @@
+name: Trivy Scan (Reusable Workflow)
+
+on:
+  workflow_call:
+    variables:
+      ref:
+        description: 'The branch, tag or SHA to checkout, e.g. master'
+        type: string
+        default: 'master'
+      upload:
+        description: 'If to upload the scan results, e.g. true or false'
+        type: boolean
+        default: false
+
+jobs:
+  trivy-scan:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      # needed for trivy scans upload
+      security-events: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.ref }}
+
+      - name: Set up JDK
+        uses: actions/setup-java@v4
+        with:
+          distribution: "temurin"
+          java-version: 21
+          cache: "maven"
+
+      - name: Create hawkBit container images
+        run: |
+          mvn clean install -DskipTests -DskipJavadoc && \
+          cd docker/build && \
+          chmod +x build_dev.sh && \
+          ./build_dev.sh && \
+          cd ../../..
+
+      - name: Determine most recent Trivy version
+        run: |
+          echo "TRIVY_VERSION=$(wget -qO - 'https://api.github.com/repos/aquasecurity/trivy/releases/latest' | \
+            grep '\"tag_name\":' | sed -E 's/.*\"v([^\"]+)\".*/\1/')" >> $GITHUB_ENV
+
+      - name: Install Trivy
+        run: |
+          wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz -O - | tar -zxvf -
+
+      - name: Scan Docker images
+        run: |
+          mkdir -p scans/eclipse-hawkbit/hawkbit
+          for IMAGE in $(docker image ls --format "{{.Repository}}:{{.Tag}}" "hawkbit/hawkbit-*:latest"); do
+            echo "Scanning image ${IMAGE} ..."
+            ./trivy image "${IMAGE}" --ignore-unfixed --ignorefile .github/workflows/.trivyignore --severity HIGH,CRITICAL --vuln-type library --output "scans/eclipse-hawkbit/${IMAGE}.sarif" --format sarif
+          done
+
+      - name: Check if to upload scan results
+        run: |
+          if [ "${{ inputs.upload }}" = "true" ]; then
+            echo "Uploading scan results..."
+          else
+            echo "Skipping upload of scan results."
+            exit 0
+          fi
+
+      - name: Upload Docker image scan results to GitHub Security tab hawkbit-ddi-server (hawkbit-ddi-server)
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-ddi-server:latest.sarif'
+          category: "Container Images (hawkbit-ddi-server)"
+      - name: Upload Docker image scan results to GitHub Security tab hawkbit-dmf-server (hawkbit-dmf-server)
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-dmf-server:latest.sarif'
+          category: "Container Images (hawkbit-dmf-server)"
+      - name: Upload Docker image scan results to GitHub Security tab hawkbit-mgmt-server (hawkbit-mgmt-server)
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-mgmt-server:latest.sarif'
+          category: "Container Images (hawkbit-mgmt-server)"
+      - name: Upload Docker image scan results to GitHub Security tab hawkbit-simple-ui (hawkbit-simple-ui)
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-simple-ui:latest.sarif'
+          category: "Container Images (hawkbit-simple-ui)"
+
+      - name: Upload Docker image scan results to GitHub Security tab (hawkbit-update-server)
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-update-server:latest.sarif'
+          category: "Container Images (hawkbit-update-server)"
+
+      - name: Upload Docker image scan results to GitHub Security tab (hawkbit-repository-jpa-init)
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-repository-jpa-init:latest.sarif'
+          category: "Container Images (hawkbit-update-server)"
+
+      - name: Upload Docker image scan results to GitHub Security tab (hawkbit-repository-jpa-init)
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-repository-jpa-init:latest.sarif'
+          category: "Container Images (hawkbit-repository-jpa-init)"