79 lines
2.3 KiB
Markdown
79 lines
2.3 KiB
Markdown
# Github Actions Basics
|
|
|
|
https://docs.github.com/en/actions/about-github-actions/understanding-github-actions#the-components-of-github-actions
|
|
|
|
## Runners
|
|
|
|
* A runner is a server that runs your workflows when they're triggered.
|
|
* Each runner can run a single job at a time.
|
|
|
|
## Workflows
|
|
|
|
A workflow is a configurable automated process that will run one or more jobs.
|
|
|
|
## Jobs vs Steps
|
|
|
|
* Steps are executed in order and are dependent on each other
|
|
* Since all steps are executed in the same runner, data can be shared from one step to another. Eg: Build the app, then test the same built app.
|
|
* Jobs on the other hand can run in parallel. You can define dependencies between jobs.
|
|
|
|
## Actions
|
|
|
|
Actions is a custom application.
|
|
|
|
# Syntax
|
|
|
|
https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idcontainer
|
|
https://docs.github.com/en/actions/writing-workflows/quickstart
|
|
|
|
## Inbuilt values
|
|
|
|
### Contexts
|
|
|
|
https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs
|
|
|
|
### Variables
|
|
|
|
Environment Variables
|
|
|
|
* CI : always true
|
|
* GITHUB_BASE_REF: target branch. Usually `main`
|
|
* GITHUB_HEAD_REF: source branch of pull request. `feature-branch-1`
|
|
* github.sha: The commit SHA. Eg ffac537e6cbbf934b08745a378932722df287a53
|
|
*
|
|
https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables
|
|
|
|
### Getting SHA ID first 8 chars
|
|
|
|
https://github.com/orgs/community/discussions/26625#discussioncomment-3252582
|
|
|
|
# Grype
|
|
|
|
https://anchorecommunity.discourse.group/t/how-to-act-on-go-module-vulnerabilities/186/2
|
|
|
|
Within the image:
|
|
```bash
|
|
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sudo sh -s -- -b /usr/local/bin/
|
|
|
|
#To check vulnerabilities
|
|
grype .
|
|
#To save detailed output
|
|
grype $MY_IMAGE -o json > vuln.json
|
|
#OR
|
|
grype . -o json > vuln.json
|
|
|
|
#To explain the issue:
|
|
cat vuln.json | grype explain --id CVE-2023-24537
|
|
cat vuln2.json | grype explain --id CVE-2023-45853
|
|
```
|
|
|
|
## Getting the word "main" (branch name) during builds
|
|
|
|
If the build (was triggered by) is a merge of a pull request, GITHUB_BASE_REF will contain main.
|
|
But if it is a direct commit on the main branch, then GITHUB_REF_NAME will contain main
|
|
|
|
```yaml
|
|
env:
|
|
BRANCH_NAME: ${{ github.base_ref || github.ref_name }}
|
|
```
|