diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 7380863f..13f49b14 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -20,6 +20,49 @@ jobs:
     permissions:
       contents: read
+  verify:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.25'
+      - uses: gardener/cc-utils/.github/actions/trusted-checkout@master
+      - name: run-verify
+        run: |
+          set -eu
+          mkdir /tmp/blobs.d
+          .ci/verify |& tee /tmp/blobs.d/verify-log.txt
+          tar czf /tmp/blobs.d/gosec-report.tar.gz gosec-report.sarif
+          tar czf /tmp/blobs.d/verify-log.tar.gz -C /tmp/blobs.d verify-log.txt
+      - name: add-reports-to-component-descriptor
+        uses: gardener/cc-utils/.github/actions/export-ocm-fragments@master
+        with:
+          blobs-directory: /tmp/blobs.d
+          ocm-resources: |
+            - name: gosec-report
+              relation: local
+              access:
+                type: localBlob
+                localReference: gosec-report.tar.gz
+              labels:
+                - name: gardener.cloud/purposes
+                  value:
+                    - lint
+                    - sast
+                    - gosec
+                - name: gardener.cloud/comment
+                  value: |
+                    we use gosec (linter) for SAST scans
+                    see: https://github.com/securego/gosec
+            - name: test-results
+              relation: local
+              access:
+                type: localBlob
+                localReference: verify-log.tar.gz
+              labels:
+                - name: gardener.cloud/purposes
+                  value:
+                    - test
 
   oci-images:
     name: Build OCI-Images
     needs:
@@ -53,14 +96,4 @@ jobs:
       oci-repository: ${{ matrix.args.oci-repository }}
       oci-platforms: linux/amd64,linux/arm64
       ocm-labels: ${{ toJSON(matrix.args.ocm-labels) }}
-      extra-tags: latest
-
-  sast-lint:
-    uses: gardener/cc-utils/.github/workflows/sastlint-ocm.yaml@master
-    with:
-      go-version: '1.25'
-      linter: gosec
-      run: .ci/verify
-    permissions:
-      contents: read
-
+      extra-tags: latest
\ No newline at end of file
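Review bot: The `.ci/verify |& tee /tmp/blobs.d/verify-log.txt` line in the run-verify step can no longer fail the job: the script sets `set -eu` but not `pipefail`, so the pipeline's exit status is tee's, a non-zero exit from the linter is masked, and the gosec report is still exported as if the scan had passed (the step has no `shell:` key, and GitHub's default bash invocation for `run:` does not enable pipefail). Change the first script line to `set -euo pipefail`, or add `shell: bash` to the step, which GitHub runs with `-eo pipefail`. The new verify job also drops the `permissions: contents: read` that the replaced sast-lint job carried in the second hunk; unless a workflow-level `permissions` block outside this hunk restricts the token, the job inherits the workflow or repository default, so add `permissions:` / `contents: read` under `verify:` (plus whatever export-ocm-fragments actually needs, if more). Both cc-utils actions are referenced at `@master`; pinning them to a commit SHA would make the verification job reproducible and not silently change with the upstream branch.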