k3s/.github/workflows/trivy-trigger.yml
dependabot[bot] 8b6f2a40e7 build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 7.0.0 to 7.0.1.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](bbbca2ddaa...043fb46d1a)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-13 11:07:38 -07:00


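name: Trivy Scan Trigger
# This workflow is triggered when a pull request is labeled with 'scan-with-trivy'.
# This can only be initiated by a user who is a member of the k3s-io organization and has write permissions.
# It isolates the build of k3s within an unprivileged environment.
# The follow-up unprivileged workflow will then use the artifact created here to run the scan
# and report the results back to the PR.
#
# NOTE(review): the follow-up workflow is not part of this file. Whatever
# privileges it runs with, it should treat everything in the artifact as
# untrusted data, because the image is built from PR-controlled code.
on:
  # `pull_request` (not `pull_request_target`): runs for fork PRs get a
  # read-only token and no repository secrets, which is what makes it
  # acceptable to build PR code in this job.
  pull_request:
    types: [labeled]

# Least privilege for the job token: read-only access to repository contents.
permissions:
  contents: read

jobs:
  trigger-scan:
    # Only the dedicated label starts a build; other label events are ignored.
    if: github.event.label.name == 'scan-with-trivy'
    runs-on: ubuntu-latest
    steps:
      # Gate: runs before any PR code is checked out or executed. A failure
      # here fails the step, so the later steps are skipped.
      # Third-party actions are pinned to a full commit SHA; the trailing
      # comment records the release that SHA is expected to correspond to.
      - name: Verify actor is a member of k3s-io organization and has write permissions
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          script: |
            const org = 'k3s-io';
            // context.actor is the account that triggered this run.
            const actor = context.actor;
            const { repo, owner } = context.repo;
            try {
              // Throws when the membership check does not succeed.
              await github.rest.orgs.checkMembershipForUser({
                org,
                username: actor,
              });
            } catch (error) {
              core.setFailed(`User ${actor} is not an public member of the ${org} organization`);
              // Stop here: the membership gate already failed, so the
              // permission lookup below adds nothing.
              return;
            }
            // If this call throws, the step fails as well (fail closed).
            const { data: { permission } } = await github.rest.repos.getCollaboratorPermissionLevel({
              owner,
              repo,
              username: actor
            });
            if (permission !== 'admin' && permission !== 'write') {
              core.setFailed(`User @${actor} does not have write permission. Scan can only be triggered by repository collaborators with write access.`);
            }
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          # The next step runs the PR's own Makefile. Do not leave the job
          # token in the local git config where that build could read it;
          # nothing after checkout in this file needs git credentials.
          persist-credentials: false
      # Executes PR-controlled build logic. Everything from this point on in
      # the job, including k3s.tar, is untrusted output.
      - name: Build And Save K3s Image
        run: |
          make local-image
          make tag-image-latest
          docker save -o k3s.tar rancher/k3s:latest
      - name: Create PR context artifact
        env:
          # Passed through the environment rather than interpolated into the
          # script text, so the value is never parsed as shell syntax.
          PR_NUM: ${{ github.event.pull_request.number }}
        run: |
          mkdir -p pr-context
          echo "$PR_NUM" > pr-context/pr_number
          mv k3s.tar pr-context/k3s.tar
      # NOTE(review): the consumer of this artifact should check that
      # pr_number is a plain integer and should only scan k3s.tar, not load
      # or run it. Confirm against the follow-up workflow.
      - name: Upload PR context artifact
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: pr-context-for-scan
          path: pr-context/
          # Short retention: the artifact is only needed by the follow-up scan.
          retention-days: 1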