Skip to content

New contrib script to track direct and indirect vulns in npm packages… #925

New contrib script to track direct and indirect vulns in npm packages…

New contrib script to track direct and indirect vulns in npm packages… #925

Workflow file for this run

name: Upload depscan Package and Container image
on:
schedule:
- cron: "0 4 * * *"
push:
paths-ignore:
- '**/README.md'
- 'dockertests.yml'
- 'pythonapp.yml'
- 'gobintests.yml'
branches:
- master
- release/*
tags:
- 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: false
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
deploy:
runs-on: ubuntu-latest
permissions:
contents: write
packages: write
id-token: write
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Set up Node.js
uses: actions/setup-node@v3
with:
node-version: '20'
- name: Install dependencies
run: |
python3 -m pip install --upgrade pip
python3 -m pip install setuptools wheel twine build
- name: Create Release
id: create_release
if: startsWith(github.ref, 'refs/tags/')
uses: softprops/action-gh-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Build
run: |
python3 -m build
- name: Publish package distributions to PyPI
if: startsWith(github.ref, 'refs/tags/')
uses: pypa/gh-action-pypi-publish@release/v1
- name: Setup nydus
run: |
curl -LO https://github.com/dragonflyoss/nydus/releases/download/v2.2.4/nydus-static-v2.2.4-linux-amd64.tgz
tar -xvf nydus-static-v2.2.4-linux-amd64.tgz
chmod +x nydus-static/*
mv nydus-static/* /usr/local/bin/
rm -rf nydus-static-v2.2.4-linux-amd64.tgz nydus-static
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to the Container registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@v5
with:
images: |
ghcr.io/${{ github.repository }}
ghcr.io/owasp-dep-scan/depscan
- name: Build and push Docker images
uses: docker/build-push-action@v5
with:
context: .
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha,scope=depscan
cache-to: type=gha,mode=max,scope=depscan
- name: nydusify
run: |
nydusify convert --oci --oci-ref --source ghcr.io/owasp-dep-scan/depscan:master --target ghcr.io/owasp-dep-scan/depscan:master-nydus --prefetch-dir /opt/dep-scan
nydusify check --target ghcr.io/owasp-dep-scan/depscan:master-nydus
nydusify convert --oci --oci-ref --source ghcr.io/owasp-dep-scan/dep-scan:master --target ghcr.io/owasp-dep-scan/dep-scan:master-nydus --prefetch-dir /opt/dep-scan
if: github.ref == 'refs/heads/master'
continue-on-error: true