[chore] Upgrade release version used in mass deployment testing (#6265) #3121
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: vulnerability scans | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| paths: | |
| - '.github/workflows/vuln-scans.yml' | |
| - '.grype.yaml' | |
| - '.trivyignore' | |
| - '.snyk' | |
| schedule: | |
| - cron: '0 0 * * 1-5' # Every weekday at midnight UTC | |
| env: | |
| GO_VERSION: 1.23.8 | |
| concurrency: | |
| group: vuln-scans-${{ github.event.pull_request.number || github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| trivy-fs-scan: | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Run trivy filesystem scan | |
| uses: aquasecurity/[email protected] | |
| with: | |
| version: v0.57.1 | |
| scan-type: 'fs' | |
| scan-ref: '.' | |
| skip-dirs: 'deployments,examples,instrumentation/packaging,packaging,tests' | |
| format: 'table' | |
| exit-code: '1' | |
| severity: 'CRITICAL,HIGH' | |
| ignore-unfixed: true | |
| anchore-fs-scan: | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: anchore/scan-action@v6 | |
| with: | |
| severity-cutoff: "high" | |
| only-fixed: true | |
| add-cpes-if-none: true | |
| output-format: "table" | |
| path: "." | |
| docker-otelcol: | |
| runs-on: ubuntu-24.04${{ matrix.ARCH == 'arm64' && '-arm' || '' }} | |
| strategy: | |
| matrix: | |
| ARCH: [ "amd64", "arm64" ] | |
| FIPS: [ true, false ] | |
| fail-fast: false | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| cache-dependency-path: '**/go.sum' | |
| - uses: actions/cache@v4 | |
| id: bundle-cache | |
| with: | |
| path: .cache/buildx/agent-bundle-${{ matrix.ARCH }}${{ matrix.FIPS == true && '-fips' || '' }} | |
| key: agent-bundle-buildx-${{ matrix.ARCH }}${{ matrix.FIPS == true && '-fips' || '' }}-${{ hashFiles('packaging/bundle/**') }} | |
| restore-keys: | | |
| agent-bundle-buildx-${{ matrix.ARCH }}-${{ matrix.FIPS == true && '-fips' || '' }} | |
| - run: | | |
| make docker-otelcol ARCH=${{ matrix.ARCH }} FIPS="${{ matrix.FIPS }}" | |
| env: | |
| DOCKER_BUILDKIT: '1' | |
| BUNDLE_CACHE_HIT: "${{ steps.bundle-cache.outputs.cache-hit }}" | |
| - run: mkdir -p dist && docker save -o dist/image.tar otelcol${{ matrix.FIPS == true && '-fips' || '' }}:latest | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: otelcol-${{ matrix.ARCH }}${{ matrix.FIPS == true && '-fips' || '' }} | |
| path: ./dist | |
| binaries-windows_amd64: | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Check out the codebase. | |
| uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| cache-dependency-path: '**/go.sum' | |
| - run: make binaries-windows_amd64 | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: binaries-windows_amd64 | |
| path: | | |
| ./bin/* | |
| trivy-image-scan: | |
| runs-on: ${{ matrix.ARCH == 'amd64' && 'ubuntu-24.04' || 'ubuntu-24.04-arm' }} | |
| needs: docker-otelcol | |
| strategy: | |
| matrix: | |
| ARCH: [ "amd64", "arm64" ] | |
| FIPS: [ true, false ] | |
| fail-fast: false | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: otelcol-${{ matrix.ARCH }}${{ matrix.FIPS == true && '-fips' || '' }} | |
| path: ./dist | |
| - run: docker load -i ./dist/image.tar | |
| - name: Run trivy image scan | |
| uses: aquasecurity/[email protected] | |
| with: | |
| version: v0.57.1 | |
| scan-type: 'image' | |
| image-ref: "otelcol${{ matrix.FIPS == true && '-fips' || '' }}:latest" | |
| format: 'table' | |
| exit-code: '1' | |
| severity: 'CRITICAL,HIGH' | |
| ignore-unfixed: true | |
| anchore-image-scan: | |
| runs-on: ${{ matrix.ARCH == 'amd64' && 'ubuntu-24.04' || 'ubuntu-24.04-arm' }} | |
| needs: docker-otelcol | |
| strategy: | |
| matrix: | |
| ARCH: [ "amd64", "arm64" ] | |
| FIPS: [ true, false ] | |
| fail-fast: false | |
| env: | |
| GRYPE_PLATFORM: ${{ matrix.ARCH }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: otelcol-${{ matrix.ARCH }}${{ matrix.FIPS == true && '-fips' || '' }} | |
| path: ./dist | |
| - run: docker load -i ./dist/image.tar | |
| - uses: anchore/scan-action@v6 | |
| id: anchore-scan | |
| with: | |
| severity-cutoff: "high" | |
| only-fixed: true | |
| add-cpes-if-none: true | |
| output-format: sarif | |
| image: "otelcol${{ matrix.FIPS == true && '-fips' || '' }}:latest" | |
| - name: Upload result to GitHub Code Scanning | |
| if: always() | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: ${{ steps.anchore-scan.outputs.sarif }} | |
| anchore-win-image-scan: | |
| runs-on: ${{ matrix.OS }} | |
| needs: [ "binaries-windows_amd64" ] | |
| strategy: | |
| matrix: | |
| OS: [ windows-2022, windows-2025 ] | |
| fail-fast: false | |
| env: | |
| PIP_CACHE_DIR: ${{ github.workspace }}/.cache/pip | |
| steps: | |
| - name: Check out the codebase. | |
| uses: actions/checkout@v4 | |
| - name: Downloading binaries-windows_amd64 | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: binaries-windows_amd64 | |
| path: ./bin | |
| - uses: actions/cache@v4 | |
| with: | |
| path: ${{ env.PIP_CACHE_DIR }} | |
| key: agent-bundle-windows-pip-${{ hashFiles('packaging/bundle/collectd-plugins.yaml', 'packaging/bundle/scripts/requirements.txt') }} | |
| - run: ./packaging/bundle/scripts/windows/make.ps1 bundle | |
| - name: Build docker image | |
| run: | | |
| $ErrorActionPreference = 'Stop' | |
| Copy-Item .\bin\otelcol_windows_amd64.exe .\cmd\otelcol\otelcol.exe | |
| Copy-Item .\dist\agent-bundle_windows_amd64.zip .\cmd\otelcol\agent-bundle_windows_amd64.zip | |
| if ("${{ matrix.OS }}" -eq "windows-2025") { | |
| $base_image = "mcr.microsoft.com/windows/servercore:ltsc2025" | |
| } else { | |
| $base_image = "mcr.microsoft.com/windows/servercore:ltsc2022" | |
| } | |
| docker build -t otelcol-windows --pull --build-arg BASE_IMAGE=${base_image} --build-arg JMX_METRIC_GATHERER_RELEASE=$(Get-Content packaging\jmx-metric-gatherer-release.txt) -f .\cmd\otelcol\Dockerfile.windows .\cmd\otelcol\ | |
| Remove-Item .\cmd\otelcol\otelcol.exe | |
| Remove-Item .\cmd\otelcol\agent-bundle_windows_amd64.zip | |
| - uses: anchore/scan-action@v6 | |
| with: | |
| severity-cutoff: "high" | |
| only-fixed: true | |
| add-cpes-if-none: true | |
| output-format: "table" | |
| image: "otelcol-windows:latest" | |
| check-snyk-token: | |
| runs-on: ubuntu-24.04 | |
| outputs: | |
| has-snyk-token: ${{ steps.snyk-token-check.outputs.defined }} | |
| steps: | |
| - name: Check for snyk token | |
| id: snyk-token-check | |
| run: | | |
| if [ -n "${{ secrets.SNYK_TOKEN }}" ]; then | |
| echo "defined=true" >> $GITHUB_OUTPUT | |
| else | |
| echo "defined=false" >> $GITHUB_OUTPUT | |
| echo "ERROR: The Snyk token is not available. The token is not available on PRs triggered from forked repositories." | |
| exit 1 | |
| fi | |
| snyk-fs-scan: | |
| runs-on: ubuntu-24.04 | |
| needs: check-snyk-token | |
| if: ${{ needs.check-snyk-token.outputs.has-snyk-token == 'true' }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Run Snyk to check for vulnerabilities | |
| uses: snyk/actions/golang@master | |
| continue-on-error: true # To make sure that SARIF upload gets called | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| with: | |
| command: code test | |
| args: --severity-threshold=high --sarif-file-output=snyk.sarif --policy-path=.snyk | |
| - name: Upload result to GitHub Code Scanning | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: snyk.sarif | |
| snyk-docker-scan: | |
| runs-on: ubuntu-24.04 | |
| needs: [docker-otelcol, check-snyk-token] | |
| if: ${{ needs.check-snyk-token.outputs.has-snyk-token == 'true' }} | |
| strategy: | |
| matrix: | |
| ARCH: [ "amd64", "arm64" ] | |
| FIPS: [ true, false ] | |
| fail-fast: false | |
| steps: | |
| - uses: actions/checkout@v4 | |
| # There is no snyk/snyk:docker image for arm64, so we need to use the | |
| # docker setup-qemu-action to run the scan | |
| - uses: docker/setup-qemu-action@v3 | |
| if: ${{ matrix.ARCH != 'amd64' }} | |
| with: | |
| platforms: ${{ matrix.ARCH }} | |
| image: tonistiigi/binfmt:qemu-v7.0.0 | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: otelcol-${{ matrix.ARCH }}${{ matrix.FIPS == true && '-fips' || '' }} | |
| path: ./dist | |
| - run: docker load -i ./dist/image.tar | |
| - uses: snyk/actions/docker@master | |
| continue-on-error: true # To make sure that SARIF upload gets called | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| with: | |
| image: "otelcol${{ matrix.FIPS == true && '-fips' || '' }}:latest" | |
| args: --file=cmd/otelcol/Dockerfile --severity-threshold=high --sarif-file-output=snyk.sarif --policy-path=.snyk --platform=linux/${{ matrix.ARCH }} | |
| - name: Upload result to GitHub Code Scanning | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: snyk.sarif | |
| govulncheck-run: | |
| # Running on a large macOS runner to reliably use scan mode as symbol without hitting OOM. | |
| runs-on: macos-14-large | |
| steps: | |
| - name: Checkout Repo | |
| uses: actions/checkout@v4 | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| cache-dependency-path: '**/go.sum' | |
| - name: Install Tools | |
| run: make install-tools | |
| - run: govulncheck --version | |
| - name: Run `govulncheck` to generate SARIF files | |
| env: | |
| GOVULN_OPTS: --format sarif --scan symbol | |
| run: ./.github/workflows/scripts/govulncheck-run.sh | |
| - name: Save govulncheck results as artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: govulncheck-results | |
| path: ./govulncheck/ | |
| - name: Run `govulncheck` to fail the workflow if vulnerabilities are found | |
| env: | |
| GOVULN_OPTS: --show verbose --scan symbol | |
| run: ./.github/workflows/scripts/govulncheck-run.sh | |
| govulncheck-categories: | |
| runs-on: ubuntu-24.04 | |
| outputs: | |
| matrix: ${{ steps.capture-packages.outputs.matrix }} | |
| steps: | |
| - name: Checkout Repo | |
| uses: actions/checkout@v4 | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| cache-dependency-path: '**/go.sum' | |
| - name: Capture Go Packages | |
| id: capture-packages | |
| run: | | |
| repoPrefix=$(go list -m) | |
| packages=$(go list ./... | sed "s|^$repoPrefix/||" | tr '/' '_') | |
| category=$(for p in $(echo -e "$packages"); do echo "\"$p\","; done) | |
| matrix=$(echo "{\"category\": [${category%,}]}" | tr -d '\n') | |
| echo "$matrix" | jq | |
| echo "matrix=${matrix}" >> $GITHUB_OUTPUT | |
| govulncheck-upload: | |
| runs-on: ubuntu-24.04 | |
| needs: [govulncheck-run, govulncheck-categories] | |
| if: always() # Always run to upload results to code-scanning even if the scan fails | |
| strategy: | |
| matrix: ${{ fromJSON(needs.govulncheck-categories.outputs.matrix) }} | |
| steps: | |
| - name: Checkout Repo | |
| uses: actions/checkout@v4 | |
| - name: Download govulncheck results artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: govulncheck-results | |
| path: ./govulncheck/ | |
| - name: Upload result to GitHub Code Scanning | |
| if: always() | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: ./govulncheck/${{ matrix.category }}.sarif | |
| category: ${{ matrix.category }} |