-
Notifications
You must be signed in to change notification settings - Fork 1.2k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'main' into improve-certification-feed
- Loading branch information
Showing
474 changed files
with
10,342 additions
and
2,727 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,59 @@ | ||
| name: Prepare for Docker Build | ||
| description: Set up Docker Build dependencies (without pushing) and run Maven build | ||
|
|
||
| inputs: | ||
| image: | ||
| description: Image name | ||
| required: true | ||
| tag: | ||
| description: Docker tag to use | ||
| required: true | ||
| is_ingestion: | ||
| description: true if we are building an Ingestion image, false otherwise | ||
| required: true | ||
| default: "false" | ||
| release_version: | ||
| description: OpenMetadata Release Version | ||
|
|
||
| outputs: | ||
| tags: | ||
| description: Generated Docker Tags | ||
| value: ${{ steps.meta.outputs.tags }} | ||
|
|
||
| runs: | ||
| using: composite | ||
| steps: | ||
| - name: Install Ubuntu dependencies | ||
| shell: bash | ||
| run: | | ||
| # stop relying on apt cache of GitHub runners | ||
| sudo apt-get update | ||
| sudo apt-get install -y unixodbc-dev python3-venv librdkafka-dev gcc libsasl2-dev build-essential libssl-dev libffi-dev \ | ||
| librdkafka-dev unixodbc-dev libevent-dev wkhtmltopdf libkrb5-dev jq | ||
| - name: Set up JDK 17 | ||
| if: inputs.is_ingestion == 'false' | ||
| uses: actions/setup-java@v4 | ||
| with: | ||
| java-version: 17 | ||
| distribution: 'temurin' | ||
|
|
||
| - name: Install antlr cli | ||
| shell: bash | ||
| run: | | ||
| sudo make install_antlr_cli | ||
| - name: Build OpenMetadata Server Application | ||
| if: inputs.is_ingestion == 'false' | ||
| shell: bash | ||
| run: | | ||
| mvn -DskipTests clean package | ||
| - name: Install OpenMetadata Ingestion Dependencies | ||
| if: inputs.is_ingestion == 'true' | ||
| shell: bash | ||
| run: | | ||
| python3 -m venv env | ||
| source env/bin/activate | ||
| pip install --upgrade pip | ||
| sudo make install_antlr_cli | ||
| make install_dev generate |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| {{- range . }} | ||
| <h2> 🛡️ TRIVY SCAN RESULT 🛡️ </h2> | ||
| <h4> Target: <code>{{ .Target }}</code></h4> | ||
| {{- if .Vulnerabilities }} | ||
| <h4>Vulnerabilities ({{ len .Vulnerabilities }})</h4> | ||
| <table border="1" cellspacing="0" cellpadding="5"> | ||
| <thead> | ||
| <tr> | ||
| <th>Package</th> | ||
| <th>Vulnerability ID</th> | ||
| <th>Severity</th> | ||
| <th>Installed Version</th> | ||
| <th>Fixed Version</th> | ||
| </tr> | ||
| </thead> | ||
| <tbody> | ||
| {{- range .Vulnerabilities }} | ||
| <tr> | ||
| <td><code>{{ .PkgName }}</code></td> | ||
| <td><a href="{{ .PrimaryURL }}" target="_blank">{{ .VulnerabilityID }}</a></td> | ||
| <td> | ||
| {{- if eq .Severity "CRITICAL" }} 🔥 CRITICAL | ||
| {{- else if eq .Severity "HIGH" }} 🚨 HIGH | ||
| {{- else }} {{ .Severity }} {{- end }} | ||
| </td> | ||
| <td>{{ .InstalledVersion }}</td> | ||
| <td>{{ if .FixedVersion }}{{ .FixedVersion }}{{ else }}N/A{{ end }}</td> | ||
| </tr> | ||
| {{- end }} | ||
| </tbody> | ||
| </table> | ||
| {{- else }} | ||
| <h4>No Vulnerabilities Found</h4> | ||
| {{- end }} | ||
| {{- end }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -55,7 +55,7 @@ jobs: | |
| docker-images: false | ||
|
|
||
| - name: Wait for the labeler | ||
| uses: lewagon/[email protected].3 | ||
| uses: lewagon/[email protected].4 | ||
| if: ${{ github.event_name == 'pull_request_target' }} | ||
| with: | ||
| ref: ${{ github.event.pull_request.head.sha }} | ||
|
|
||
81 changes: 81 additions & 0 deletions
81
.github/workflows/trivy-scan-ingestion-base-slim-image.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,81 @@ | ||
| name: Trivy Scan For OpenMetadata Ingestion Base Slim Docker Image | ||
|
|
||
| on: | ||
| pull_request_target: | ||
| types: [labeled, opened, synchronize, reopened] | ||
| paths: | ||
| - "ingestion/**" | ||
| - "openmetadata-service/**" | ||
| - "openmetadata-spec/src/main/resources/json/schema/**" | ||
| - "pom.xml" | ||
| - "Makefile" | ||
|
|
||
| concurrency: | ||
| group: trivy-ingestion-base-slim-scan-${{ github.head_ref || github.run_id }} | ||
| cancel-in-progress: true | ||
|
|
||
| jobs: | ||
| build-and-scan: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| pull-requests: write | ||
| steps: | ||
| - name: Wait for the labeler | ||
| uses: lewagon/[email protected] | ||
| if: ${{ github.event_name == 'pull_request_target' }} | ||
| with: | ||
| ref: ${{ github.event.pull_request.head.sha }} | ||
| check-name: Team Label | ||
| repo-token: ${{ secrets.GITHUB_TOKEN }} | ||
| wait-interval: 90 | ||
|
|
||
| - name: Verify PR labels | ||
| uses: jesusvasquez333/[email protected] | ||
| if: ${{ github.event_name == 'pull_request_target' }} | ||
| with: | ||
| github-token: '${{ secrets.GITHUB_TOKEN }}' | ||
| valid-labels: 'safe to test' | ||
| pull-request-number: '${{ github.event.pull_request.number }}' | ||
| disable-reviews: true # To not auto approve changes | ||
|
|
||
| - name: Checkout Repository | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| ref: ${{ github.event.pull_request.head.sha }} | ||
|
|
||
| - name: Prepare for Docker Build | ||
| id: prepare | ||
| uses: ./.github/actions/prepare-for-docker-build | ||
| with: | ||
| image: openmetadata-ingestion-base-slim | ||
| tag: trivy | ||
| is_ingestion: true | ||
|
|
||
|
|
||
| - name: Build Docker Image | ||
| run: | | ||
| docker build -t openmetadata-ingestion-base-slim:trivy -f ingestion/operators/docker/Dockerfile.ci . | ||
| - name: Run Trivy Image Scan | ||
| id: trivy_scan | ||
| uses: aquasecurity/trivy-action@master | ||
| with: | ||
| scan-type: "image" | ||
| image-ref: openmetadata-ingestion-base-slim:trivy | ||
| hide-progress: false | ||
| ignore-unfixed: true | ||
| severity: "HIGH,CRITICAL" | ||
| skip-dirs: "/opt/airflow/dags,/home/airflow/ingestion/pipelines" | ||
| scan-ref: . | ||
| format: 'template' | ||
| template: "@.github/trivy/templates/github.tpl" | ||
| output: "trivy-result-ingestion-base-slim.md" | ||
| env: | ||
| TRIVY_DISABLE_VEX_NOTICE: "true" | ||
|
|
||
| - name: Comment Trivy Scan Results on PR | ||
| uses: marocchino/sticky-pull-request-comment@v2 | ||
| with: | ||
| path: trivy-result-ingestion-base-slim.md | ||
| header: "trivy-scan-${{ github.workflow }}" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,81 @@ | ||
| name: Trivy Scan For OpenMetadata Ingestion Docker Image | ||
|
|
||
| on: | ||
| pull_request_target: | ||
| types: [labeled, opened, synchronize, reopened] | ||
| paths: | ||
| - "ingestion/**" | ||
| - "openmetadata-service/**" | ||
| - "openmetadata-spec/src/main/resources/json/schema/**" | ||
| - "pom.xml" | ||
| - "Makefile" | ||
|
|
||
| concurrency: | ||
| group: trivy-ingestion-scan-${{ github.head_ref || github.run_id }} | ||
| cancel-in-progress: true | ||
|
|
||
| jobs: | ||
| build-and-scan: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| pull-requests: write | ||
| steps: | ||
| - name: Wait for the labeler | ||
| uses: lewagon/[email protected] | ||
| if: ${{ github.event_name == 'pull_request_target' }} | ||
| with: | ||
| ref: ${{ github.event.pull_request.head.sha }} | ||
| check-name: Team Label | ||
| repo-token: ${{ secrets.GITHUB_TOKEN }} | ||
| wait-interval: 90 | ||
|
|
||
| - name: Verify PR labels | ||
| uses: jesusvasquez333/[email protected] | ||
| if: ${{ github.event_name == 'pull_request_target' }} | ||
| with: | ||
| github-token: '${{ secrets.GITHUB_TOKEN }}' | ||
| valid-labels: 'safe to test' | ||
| pull-request-number: '${{ github.event.pull_request.number }}' | ||
| disable-reviews: true # To not auto approve changes | ||
|
|
||
| - name: Checkout Repository | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| ref: ${{ github.event.pull_request.head.sha }} | ||
|
|
||
| - name: Prepare for Docker Build | ||
| id: prepare | ||
| uses: ./.github/actions/prepare-for-docker-build | ||
| with: | ||
| image: openmetadata-ingestion | ||
| tag: trivy | ||
| is_ingestion: true | ||
|
|
||
|
|
||
| - name: Build Docker Image | ||
| run: | | ||
| docker build -t openmetadata-ingestion:trivy -f ingestion/Dockerfile.ci . | ||
| - name: Run Trivy Image Scan | ||
| id: trivy_scan | ||
| uses: aquasecurity/trivy-action@master | ||
| with: | ||
| scan-type: "image" | ||
| image-ref: openmetadata-ingestion:trivy | ||
| hide-progress: false | ||
| ignore-unfixed: true | ||
| severity: "HIGH,CRITICAL" | ||
| skip-dirs: "/opt/airflow/dags,/home/airflow/ingestion/pipelines" | ||
| scan-ref: . | ||
| format: 'template' | ||
| template: "@.github/trivy/templates/github.tpl" | ||
| output: "trivy-results-ingestion.md" | ||
| env: | ||
| TRIVY_DISABLE_VEX_NOTICE: "true" | ||
|
|
||
| - name: Comment Trivy Scan Results on PR | ||
| uses: marocchino/sticky-pull-request-comment@v2 | ||
| with: | ||
| path: trivy-results-ingestion.md | ||
| header: "trivy-scan-${{ github.workflow }}" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,80 @@ | ||
| name: Trivy Scan For OpenMetadata Server Docker Image | ||
| on: | ||
| pull_request_target: | ||
| types: [labeled, opened, synchronize, reopened] | ||
| paths: | ||
| - "openmetadata-service/**" | ||
| - "openmetadata-spec/src/main/resources/json/schema/**" | ||
| - "openmetadata-dist/**" | ||
| - "openmetadata-clients/**" | ||
| - "common/**" | ||
| - "pom.xml" | ||
| - "yarn.lock" | ||
| - "Makefile" | ||
| - "bootstrap/**" | ||
| concurrency: | ||
| group: trivy-server-scan-${{ github.head_ref || github.run_id }} | ||
| cancel-in-progress: true | ||
| jobs: | ||
| build-and-scan: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| pull-requests: write | ||
| steps: | ||
| - name: Wait for the labeler | ||
| uses: lewagon/[email protected] | ||
| if: ${{ github.event_name == 'pull_request_target' }} | ||
| with: | ||
| ref: ${{ github.event.pull_request.head.sha }} | ||
| check-name: Team Label | ||
| repo-token: ${{ secrets.GITHUB_TOKEN }} | ||
| wait-interval: 90 | ||
|
|
||
| - name: Verify PR labels | ||
| uses: jesusvasquez333/[email protected] | ||
| if: ${{ github.event_name == 'pull_request_target' }} | ||
| with: | ||
| github-token: '${{ secrets.GITHUB_TOKEN }}' | ||
| valid-labels: 'safe to test' | ||
| pull-request-number: '${{ github.event.pull_request.number }}' | ||
| disable-reviews: true # To not auto approve changes | ||
|
|
||
| - name: Checkout Repository | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| ref: ${{ github.event.pull_request.head.sha }} | ||
|
|
||
| - name: Prepare for Docker Build | ||
| id: prepare | ||
| uses: ./.github/actions/prepare-for-docker-build | ||
| with: | ||
| image: openmetadata-server | ||
| tag: trivy | ||
| is_ingestion: false | ||
|
|
||
| - name: Build Docker Image | ||
| run: | | ||
| docker build -t openmetadata-server:trivy -f docker/development/Dockerfile . | ||
| - name: Run Trivy Image Scan | ||
| id: trivy_scan | ||
| uses: aquasecurity/trivy-action@master | ||
| with: | ||
| scan-type: "image" | ||
| image-ref: openmetadata-server:trivy | ||
| hide-progress: false | ||
| ignore-unfixed: true | ||
| severity: "HIGH,CRITICAL" | ||
| scan-ref: . | ||
| format: 'template' | ||
| template: "@.github/trivy/templates/github.tpl" | ||
| output: trivy-result-openmetadata-server.md | ||
| env: | ||
| TRIVY_DISABLE_VEX_NOTICE: "true" | ||
|
|
||
| - name: Comment Trivy Scan Results on PR | ||
| uses: marocchino/sticky-pull-request-comment@v2 | ||
| with: | ||
| path: trivy-result-openmetadata-server.md | ||
| header: "trivy-scan-${{ github.workflow }}" | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.