use self-hosted runners and shared security scan action

canonical · Jul 10, 2024 · d18dba3 · d18dba3
1 parent 9f94383
commit d18dba3
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 41 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -5,42 +5,10 @@ on:
   workflow_dispatch:
 
 jobs:
-  security_scan:
-    name: Security Scan
-    runs-on: ubuntu-22.04
-    timeout-minutes: 45
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-tags: true
-          fetch-depth: 0
-
-      # TODO(ale8k): Currently hanging forever, not sure why?
-      # - name: Run govulncheck
-      #   uses: golang/govulncheck-action@v1
-
-      - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/[email protected]
-        with:
-          scan-type: 'fs'
-          ignore-unfixed: true
-          format: 'table' 
-          # output: 'trivy-results.sarif' # TODO(ale8k) Turn on when uploading to gh and change above line to sarif
-          severity: 'CRITICAL'
-          exit-code: '1'
-
-      # TODO(ale8k): Setup GH security
-      # - name: Upload Trivy scan results to GitHub Security tab
-      #   uses: github/codeql-action/upload-sarif@v2
-      #   with:
-      #     sarif_file: 'trivy-results.sarif'
-
   build_test:
     name: Build and Test
     runs-on: ubuntu-22.04
     timeout-minutes: 45
-    needs: [security_scan]
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -90,7 +58,6 @@ jobs:
   smoke_test:
     name: Smoke Test
     runs-on: ubuntu-22.04
-    needs: [security_scan]
     # The docker compose has a healthcheck on the JIMM container.
     # So if the compose returns with exit code 0 then the JIMM server successfully started.
     steps:

diff --git a/.github/workflows/vulncheck.yaml b/.github/workflows/vulncheck.yaml
@@ -6,15 +6,10 @@ on:
 
 jobs:
   govulncheck:
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, linux, X64, jammy, large]
     name: Run govulncheck
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version-file: go.mod
-      - name: Go Vulnerability Check
-        id: govulncheck
-        uses: golang/govulncheck-action@v1
+      - name: Security checks
+        uses: canonical/comsys-build-tools/.github/actions/security-scan@main