feat: EMR submission serverless + classic #216
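---
# Builds the service / cloud_gcp / flink assemblies and the fetcher image in the
# project's CI container, hands them over as artifacts, and scans each one with
# Grype on a plain runner. The scanner fails the job on findings that have a
# published fix (see `--only-fixed` below).
name: Grype Security Scan

on:
  push:
    branches:
      - main
    paths:
      - '*.mill'
      - '**/*.mill'
      - 'docker/fetcher/Dockerfile'
      - '.github/workflows/test_grype.yaml'
      - '.grype.yaml'
  pull_request:
    branches:
      - main
    paths:
      - '*.mill'
      - '**/*.mill'
      - 'docker/fetcher/Dockerfile'
      - '.github/workflows/test_grype.yaml'
      - '.grype.yaml'

# Least privilege for GITHUB_TOKEN: nothing in this workflow writes back to
# GitHub. `packages: read` is what the build job needs to pull the CI container
# from GHCR with the token; `contents: read` covers checkout.
permissions:
  contents: read
  packages: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  SCALA_VERSION: "2.12.18"
  # Pin the scanner release so results are reproducible run to run and the
  # installer cannot silently hand us a different binary. Bump deliberately.
  GRYPE_VERSION: "v0.87.0"

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 60
    container:
      # NOTE(review): `latest` is a mutable tag, so the toolchain that produces
      # the scanned artifacts can change underneath this workflow. Pinning the
      # image by digest would make the build, and therefore the scan, reproducible.
      image: ghcr.io/${{ github.repository }}-ci:latest
      credentials:
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - uses: actions/checkout@v4
      - name: Install curl
        run: |
          apt-get update && apt-get install -y curl
      # SCALA_VERSION is read from the shell environment instead of being
      # template-expanded with ${{ }}, so the command line is never assembled by
      # text substitution. Quoting replaces the `\[`/`\]` glob escapes.
      - name: Build Service JAR
        run: ./mill "service[$SCALA_VERSION].assembly"
      - name: Build Cloud GCP JAR
        run: ./mill "cloud_gcp[$SCALA_VERSION].assembly"
      - name: Build Flink jar
        run: ./mill "flink[$SCALA_VERSION].assembly"
      - name: Build Flink connectors jar
        run: ./mill "flink_connectors[$SCALA_VERSION].assembly"
      - name: Prepare build artifacts
        run: |
          # The docker build context cannot reach the mill output directories
          # directly, so the two jars the fetcher image needs are copied into
          # build_output first. The flink jars are not part of the image.
          mkdir -p build_output
          cp "out/service/$SCALA_VERSION/assembly.dest/out.jar" build_output/service_assembly_deploy.jar
          cp "out/cloud_gcp/$SCALA_VERSION/assembly.dest/out.jar" build_output/cloud_gcp_lib_deploy.jar
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      # The image is never pushed from this workflow; it is exported to a tar so
      # the scan job can load it without registry access.
      - name: Build Fetcher Docker image (no push)
        uses: docker/build-push-action@v6
        with:
          context: .
          file: docker/fetcher/Dockerfile
          platforms: linux/amd64
          push: false
          tags: chronon-fetcher:grype-test
          outputs: type=docker,dest=/tmp/chronon-fetcher.tar
      - name: Upload Service Assembly Jar
        uses: actions/upload-artifact@v4
        with:
          name: service-assembly-jar
          path: out/service/${{ env.SCALA_VERSION }}/assembly.dest/out.jar
      - name: Upload Cloud GCP Jar
        uses: actions/upload-artifact@v4
        with:
          name: cloud-gcp-jar
          path: out/cloud_gcp/${{ env.SCALA_VERSION }}/assembly.dest/out.jar
      - name: Upload Flink Jar
        uses: actions/upload-artifact@v4
        with:
          name: flink-jar
          path: out/flink/${{ env.SCALA_VERSION }}/assembly.dest/out.jar
      - name: Upload Flink connectors Jar
        uses: actions/upload-artifact@v4
        with:
          name: flink-connectors-jar
          path: out/flink_connectors/${{ env.SCALA_VERSION }}/assembly.dest/out.jar
      - name: Upload Docker image
        uses: actions/upload-artifact@v4
        with:
          name: chronon-fetcher-image
          path: /tmp/chronon-fetcher.tar

  security_scan:
    runs-on: ubuntu-latest
    needs: build
    timeout-minutes: 30
    # This job never touches GHCR; drop `packages: read` granted at the top.
    permissions:
      contents: read
    steps:
      # Checkout is kept only so the repository's `.grype.yaml` (one of the
      # trigger paths above) is present for the scanner to pick up.
      - uses: actions/checkout@v4
      - name: Download Service Assembly Jar
        uses: actions/download-artifact@v4
        with:
          name: service-assembly-jar
          path: service-assembly-jar
      - name: Download Cloud GCP Jar
        uses: actions/download-artifact@v4
        with:
          name: cloud-gcp-jar
          path: cloud-gcp-jar
      - name: Download Flink Jar
        uses: actions/download-artifact@v4
        with:
          name: flink-jar
          path: flink-jar
      - name: Download Flink connectors Jar
        uses: actions/download-artifact@v4
        with:
          name: flink-connectors-jar
          path: flink-connectors-jar
      - name: Download Docker image
        uses: actions/download-artifact@v4
        with:
          name: chronon-fetcher-image
      # The installer script is still fetched over TLS without an independent
      # signature check, but passing a pinned release means it installs a known
      # binary (and verifies that release's checksum) rather than "whatever is
      # newest today". `grype version` leaves the exact scanner in the log.
      - name: Install Grype
        run: |
          curl -sSfL https://get.anchore.io/grype | sh -s -- -b /usr/local/bin "$GRYPE_VERSION"
          grype version
      # `--only-fixed` drops findings that have no published fix, so a green run
      # means "nothing we could patch", not "nothing known". Jars fail on any
      # fixable severity; the image fails from medium up because of dated base
      # OS packages we can't do much about.
      - name: Run Grype scan on Service JAR
        run: |
          echo "Scanning Service JAR for vulnerabilities..."
          grype --only-fixed --fail-on low service-assembly-jar/out.jar
      - name: Run Grype scan on Cloud GCP JAR
        run: |
          echo "Scanning Cloud GCP JAR for vulnerabilities..."
          grype --only-fixed --fail-on low cloud-gcp-jar/out.jar
      - name: Run Grype scan on Flink JAR
        run: |
          echo "Scanning Flink JAR for vulnerabilities..."
          grype --only-fixed --fail-on low flink-jar/out.jar
      - name: Run Grype scan on Flink connectors JAR
        run: |
          echo "Scanning Flink connectors JAR for vulnerabilities..."
          grype --only-fixed --fail-on low flink-connectors-jar/out.jar
      - name: Load Docker image for Grype scanning
        run: docker load -i chronon-fetcher.tar
      - name: Run Grype scan on Fetcher Docker image
        run: |
          echo "Scanning Fetcher Docker image for vulnerabilities..."
          grype --only-fixed --fail-on medium chronon-fetcher:grype-test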