Merge pull request #896 from opendatacube/trivy-update

github action update - trivy and doc preview

.github/workflows/pyspellcheck.yaml

@@ -1,32 +1,22 @@
-# This is workflow for spell checking using PySpelling lib (https://pypi.org/project/pyspelling/)
-name: Spellcheck
-# Controls when the action will run.
+name: Doc QA
 on:
-  # Triggers the workflow on push or pull request events but only for the main branch
-  push:
-    branches:
-      - 'master'
-    # paths:
-    #   - 'docs/**'
-    #   - '.github/workflow/pyspellcheck.yaml'
   pull_request:
     branches:
       - 'master'
-    # paths:
-    #   - 'docs/**'
-    #   - '.github/workflow/pyspellcheck.yaml'
 
-  # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
-# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+
 jobs:
-  # This workflow contains a single job called "build"
-  build:
-    # The type of runner that the job will run on
+  pyspellcheck:
     runs-on: ubuntu-latest
-    # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
-      # Spellcheck
       - uses: actions/checkout@v2
       - uses: igsekor/[email protected]
         name: Spellcheck
+
+  documentation-preview:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: readthedocs/actions/preview@v1
+        with:
+          project-slug: "datacube-ows"

.github/workflows/scan.yml

@@ -2,6 +2,20 @@
 name: Scan
 
 on:
+  push:
+    branches:
+      - master
+    paths:
+      - ".github/workflows/scan.yml"
+      - "Dockerfile"
+
+  pull_request:
+    branches:
+      - master
+    paths:
+      - ".github/workflows/scan.yml"
+      - "Dockerfile"
+
   schedule:
     - cron: '0 0 * * *'
 
@@ -35,21 +49,27 @@ jobs:
 
       - name: Run vulnerability scanner
         if: github.event_name != 'release'
-        uses: aquasecurity/trivy-action@0.0.6
+        uses: aquasecurity/trivy-action@master
         with:
           image-ref: "${{ env.IMAGE_NAME }}:${{ env.UNSTABLE_TAG }}"
-          format: "table"
-          exit-code: "1"
+          format: "sarif"
+          output: 'trivy-results.sarif'
+          # exit-code: "1"
           severity: "CRITICAL,HIGH"
 
-      - name: Notify Slack for Failures
-        uses: rtCamp/[email protected]
-        if: failure()
-        env:
-          SLACK_CHANNEL: ga-wms-ops
-          SLACK_ICON: "https://github.com/docker.png?size=48"
-          SLACK_COLOR: "#482de1"
-          SLACK_MESSAGE: ""
-          SLACK_TITLE: CVE Scan alert
-          SLACK_USERNAME: OWS Scanner
-          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
+
+      # - name: Notify Slack for Failures
+      #   uses: rtCamp/[email protected]
+      #   if: failure()
+      #   env:
+      #     SLACK_CHANNEL: ga-wms-ops
+      #     SLACK_ICON: "https://github.com/docker.png?size=48"
+      #     SLACK_COLOR: "#482de1"
+      #     SLACK_MESSAGE: ""
+      #     SLACK_TITLE: CVE Scan alert
+      #     SLACK_USERNAME: OWS Scanner
+      #     SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}

Dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu:22.04 as builder
+FROM ubuntu:22.10 as builder
 
 # Setup build env for postgresql-client-14
 USER root