2.3 KiB
2.3 KiB
Github Actions Basics
Runners
- A runner is a server that runs your workflows when they're triggered.
- Each runner can run a single job at a time.
Workflows
A workflow is a configurable automated process that will run one or more jobs.
Jobs vs Steps
- Steps are executed in order and are dependent on each other
- Since all steps are executed in the same runner, data can be shared from one step to another. Eg: Build the app, then test the same built app.
- Jobs on the other hand can run in parallel. You can define dependencies between jobs.
Actions
Actions is a custom application.
Syntax
https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idcontainer https://docs.github.com/en/actions/writing-workflows/quickstart
Inbuilt values
Contexts
Variables
Environment Variables
- CI : always true
- GITHUB_BASE_REF: target branch. Usually
main - GITHUB_HEAD_REF: source branch of pull request.
feature-branch-1 - github.sha: The commit SHA. Eg ffac537e6cbbf934b08745a378932722df287a53
Getting SHA ID first 8 chars
https://github.com/orgs/community/discussions/26625#discussioncomment-3252582
Grype
https://anchorecommunity.discourse.group/t/how-to-act-on-go-module-vulnerabilities/186/2
Within the image:
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sudo sh -s -- -b ./bin
#To check vulnerabilities
grypd .
#To save detailed output
grype $MY_IMAGE -o json > vuln.json
#OR
grype . -o json > vuln.json
#To explain the issue:
cat vuln.json | grype explain --id CVE-2023-24537
cat vuln2.json | grype explain --id CVE-2023-45853
Getting the word "main" (branch name) during builds
If the build (was triggered by) is a merge of a pull request, GITHUB_BASE_REF will contain main. But if it is a direct commit on the main branch, then GITHUB_REF_NAME will contain main
env:
BRANCH_NAME: ${{ github.base_ref || github.ref_name }}