feat: csaf correlation - correlate vulnerability to purls and sboms #122
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: benchmark | |
| on: | |
| push: | |
| branches: | |
| - "main" | |
| pull_request: | |
| branches: | |
| - "main" | |
| concurrency: benchmark | |
| jobs: | |
| bench: | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| # deployments permission to deploy GitHub pages website | |
| deployments: write | |
| # contents permission to update benchmark contents in gh-pages branch | |
| contents: write | |
| steps: | |
| - name: Maximize build space | |
| run: | | |
| df -h | |
| sudo rm -rf /usr/share/dotnet | |
| sudo rm -rf /usr/local/lib/android | |
| sudo rm -rf /opt/ghc | |
| sudo rm -rf /opt/hostedtoolcache/CodeQL | |
| sudo docker image prune --all --force | |
| sudo rm -Rf ${JAVA_HOME_8_X64} | |
| sudo rm -Rf ${JAVA_HOME_11_X64} | |
| sudo rm -Rf ${JAVA_HOME_17_X64} | |
| sudo rm -Rf ${RUBY_PATH} | |
| df -h | |
| - uses: actions/checkout@v4 | |
| - uses: Swatinem/rust-cache@v2 | |
| - name: Setup cargo-binstall | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| curl -L --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/cargo-bins/cargo-binstall/main/install-from-binstall-release.sh | bash | |
| - name: Install oidc CLI | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| cargo binstall -y --force oidc-cli | |
| - name: Install HTTPie | |
| run: | | |
| python -m pip install --upgrade pip wheel | |
| python -m pip install httpie | |
| - name: Build | |
| run: | | |
| cargo build --bin trustd --release | |
| - name: Run | |
| env: | |
| NO_COLOR: "true" | |
| run: | |
| nohup cargo run --bin trustd --release &> trustd.log & | |
| - name: Wait for the backend to be up | |
| run: | | |
| URL="http://localhost:8080/.well-known/trustify" | |
| TIMEOUT=300 # 5 minutes | |
| INTERVAL=5 # Interval between retries in seconds | |
| START_TIME=$(date +%s) | |
| while true; do | |
| # Check if the endpoint is up | |
| if curl -s --fail "$URL"; then | |
| echo | |
| echo "Endpoint is up!" | |
| exit 0 | |
| fi | |
| # Check if timeout has passed | |
| CURRENT_TIME=$(date +%s) | |
| ELAPSED_TIME=$((CURRENT_TIME - START_TIME)) | |
| if [ "$ELAPSED_TIME" -ge "$TIMEOUT" ]; then | |
| echo "Timeout reached. Endpoint is still down." | |
| exit 1 | |
| fi | |
| echo "Endpoint is down. Retrying in $INTERVAL seconds..." | |
| sleep "$INTERVAL" | |
| done | |
| - name: Setup OIDC | |
| run: | | |
| oidc create confidential trustify --issuer http://localhost:8090/realms/trustify --client-id walker --client-secret R8A6KFeyxJsMDBhjfHbpZTIF0GWt43HP --force # no-secret | |
| - name: Run DS3 ingestion | |
| run: | | |
| .github/scripts/benchmark.sh | |
| - name: Store benchmark result | |
| uses: benchmark-action/github-action-benchmark@v1 | |
| with: | |
| tool: 'customSmallerIsBetter' | |
| output-file-path: benchmark.json | |
| fail-on-alert: true | |
| # GitHub API token to make a commit comment | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| # Enable Job Summary for PRs | |
| summary-always: true | |
| # Push and deploy GitHub pages branch automatically | |
| auto-push: ${{ github.event_name != 'pull_request' }} | |
| # Enable alert commit comment | |
| comment-on-alert: true | |
| # Mention @rhysd in the commit comment | |
| # alert-comment-cc-users: '@rhysd' | |
| - name: Upload container logs | |
| uses: actions/upload-artifact@v4 | |
| if: always() | |
| with: | |
| name: logs | |
| path: | | |
| trustd.log | |
| if-no-files-found: error |