Test grype in PR2

.github/ops-files/use-cflinuxfs3.yml

@@ -0,0 +1,105 @@
+- type: replace
+  path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/diego/droplet_destinations/cflinuxfs3?
+  value: /home/vcap
+- type: replace
+  path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/diego/lifecycle_bundles/buildpack~1cflinuxfs3?
+  value: buildpack_app_lifecycle/buildpack_app_lifecycle.tgz
+- type: replace
+  path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/stacks/name=cflinuxfs4:before
+  value:
+    description: Cloud Foundry Linux-based filesystem (Ubuntu 18.04)
+    name: cflinuxfs3
+- type: replace
+  path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/install_buildpacks/0:before
+  value:
+    name: staticfile_buildpack
+    package: staticfile-buildpack-cflinuxfs3
+- type: replace
+  path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/install_buildpacks/0:after
+  value:
+    name: java_buildpack
+    package: java-buildpack-cflinuxfs3
+- type: replace
+  path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/install_buildpacks/1:after
+  value:
+    name: ruby_buildpack
+    package: ruby-buildpack-cflinuxfs3
+- type: replace
+  path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/install_buildpacks/2:after
+  value:
+    name: dotnet_core_buildpack
+    package: dotnet-core-buildpack-cflinuxfs3
+- type: replace
+  path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/install_buildpacks/3:after
+  value:
+    name: nodejs_buildpack
+    package: nodejs-buildpack-cflinuxfs3
+- type: replace
+  path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/install_buildpacks/4:after
+  value:
+    name: go_buildpack
+    package: go-buildpack-cflinuxfs3
+- type: replace
+  path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/install_buildpacks/5:after
+  value:
+    name: python_buildpack
+    package: python-buildpack-cflinuxfs3
+- type: replace
+  path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/install_buildpacks/6:after
+  value:
+    name: php_buildpack
+    package: php-buildpack-cflinuxfs3
+- type: replace
+  path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/install_buildpacks/7:after
+  value:
+    name: nginx_buildpack
+    package: nginx-buildpack-cflinuxfs3
+- type: replace
+  path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/install_buildpacks/8:after
+  value:
+    name: r_buildpack
+    package: r-buildpack-cflinuxfs3
+- type: replace
+  path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/install_buildpacks/9:after
+  value:
+    name: binary_buildpack
+    package: binary-buildpack-cflinuxfs3
+- type: replace
+  path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/diego/droplet_destinations/cflinuxfs3?
+  value: /home/vcap
+- type: replace
+  path: /instance_groups/name=cc-worker/jobs/name=cloud_controller_worker/properties/cc/diego/lifecycle_bundles/buildpack~1cflinuxfs3?
+  value: buildpack_app_lifecycle/buildpack_app_lifecycle.tgz
+- type: replace
+  path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/diego/droplet_destinations/cflinuxfs3?
+  value: /home/vcap
+- type: replace
+  path: /instance_groups/name=scheduler/jobs/name=cloud_controller_clock/properties/cc/diego/lifecycle_bundles/buildpack~1cflinuxfs3?
+  value: buildpack_app_lifecycle/buildpack_app_lifecycle.tgz
+- type: replace
+  path: /instance_groups/name=scheduler/jobs/name=cc_deployment_updater/properties/cc/diego/droplet_destinations/cflinuxfs3?
+  value: /home/vcap
+- type: replace
+  path: /instance_groups/name=scheduler/jobs/name=cc_deployment_updater/properties/cc/diego/lifecycle_bundles/buildpack~1cflinuxfs3?
+  value: buildpack_app_lifecycle/buildpack_app_lifecycle.tgz
+- type: replace
+  path: /instance_groups/name=diego-cell/jobs/name=cflinuxfs3-rootfs-setup?
+  value:
+    name: cflinuxfs3-rootfs-setup
+    properties:
+      cflinuxfs3-rootfs:
+        trusted_certs:
+        - ((diego_instance_identity_ca.ca))
+        - ((credhub_tls.ca))
+        - ((uaa_ssl.ca))
+    release: cflinuxfs3
+- type: replace
+  path: /instance_groups/name=diego-cell/jobs/name=rep/properties/diego/rep/preloaded_rootfses/0:before
+  value: cflinuxfs3:/var/vcap/packages/cflinuxfs3/rootfs.tar
+- type: replace
+  path: /releases/name=cflinuxfs4:before
+  value:
+    name: cflinuxfs3
+    sha1: 5463400cd5490e9d847326668d504a8833cf3e4e
+    url: https://bosh.io/d/github.com/cloudfoundry/cflinuxfs3-release?v=0.369.0
+    version: 0.369.0

.github/scripts/format-cve-scan-results.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+set -o errexit -o nounset -o pipefail
+[[ "${TRACE:-0}" == "1" ]] && set -o xtrace
+
+##
+# Formats CVE results in a markdown table to display a summary in a GitHub Action UI
+##
+
+# Check if the number of arguments is correct
+if [ $# -ne 1 ]; then
+    echo "Usage: $0 <filename of grype json results>"
+    exit 1
+fi
+
+_results_filename="${1}"
+
+# Check if the file exists
+if [ ! -f "${_results_filename}" ]; then
+    echo "Error: File '${_results_filename}' does not exist"
+    exit 1
+fi
+
+_number_of_cves_found=$(jq -r '.matches | length' "${_results_filename}")
+
+echo -e "# CVE Scan Results\n"
+
+if [ ${_number_of_cves_found} -eq 0 ]; then
+    echo -e "## Success! No vulnerabilities found.\n"
+else
+    echo -e "## Failure: ${_number_of_cves_found} vulnerabilities found.\n"
+
+    _table_headers='"NAME","INSTALLED","FIXED-IN","TYPE","VULNERABILITY","SEVERITY"'
+    _table_underlines='"----","---------","--------","----","-------------","--------"'
+
+    jq -r "[${_table_headers}],
+    [${_table_underlines}],
+    (.matches[] | [
+        .artifact.name,
+        .artifact.version,
+        .vulnerability.fix.versions[0],
+        .artifact.type,
+        .vulnerability.id,
+        .vulnerability.severity
+    ]) | @tsv" "${_results_filename}" \
+    | sed 's/|/\\|/g' \
+    | sed 's/\t/ | /g'
+fi

.github/workflows/check-cves.yml

@@ -0,0 +1,32 @@
+name: "Check CVEs"
+
+on:
+  workflow_dispatch:
+  pull_request:
+
+jobs:
+  check-cves:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out codebase
+      uses: actions/checkout@v4
+
+    - name: Scan current project
+      uses: anchore/scan-action@v3
+      with:
+        path: "."
+        add-cpes-if-none: true
+        by-cve: true
+        output-format: json
+
+    - name: Print scan results
+      run: .github/scripts/format-cve-scan-results.sh results.json > $GITHUB_STEP_SUMMARY
+      if: always()
+
+    - name: Archive CVE scan results
+      uses: actions/upload-artifact@v4
+      if: always()
+      with:
+        name: cve-scan-results-${{ github.sha }}-${{ github.run_id }}-${{ github.run_number }}
+        path: results.json

.github/workflows/golangci-lint.yml

@@ -0,0 +1,56 @@
+name: golangci-lint
+
+on:
+  push:
+    tags:
+      - "v9.*"
+      - "v8.*"
+      - "v7.*"
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - synchronize
+    branches:
+      - main
+      - v9
+      - v8
+      - v7
+    paths-ignore:
+      - "doc/**"
+      - ".gitpod.yml"
+      - "README.md"
+
+jobs:
+  golangci:
+    name: lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: '0'
+      - name: Set up Go 1.x
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          check-latest: true
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v6
+        with:
+          version: v1.58
+          args: -v --exclude-dirs cf --exclude-dirs fixtures --exclude-dirs plugin --exclude-dirs command/plugin
+  format:
+    name: Run go fmt
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: '0'
+    - name: Set Up Go
+      uses: actions/setup-go@v5
+      with:
+        go-version-file: go.mod
+        check-latest: true
+    - name: Run go fmt
+      run: go fmt && git diff --exit-code

.github/workflows/release-build-sign-upload.yml

@@ -1067,7 +1067,7 @@ jobs:
       uses: actions/checkout@v4
       with:
         repository: cloudfoundry/CLAW
-        ref: develop
+        ref: master
         path: CLAW
         ssh-key: ${{ secrets.GIT_SSH_KEY_CLAW }}  
 
@@ -1076,18 +1076,23 @@ jobs:
         set -ex
 
         pushd CLAW
-          echo "- ${VERSION_BUILD}" >> claw-variables.yml
-
-          git add claw-variables.yml
-
-          if ! [ -z "$(git status --porcelain)"]; then
-            git config user.name github-actions
-            git config user.email github-actions@github.com
-            git commit -m "Add CF CLI ${VERSION_BUILD}"
+          if  grep --quiet "${VERSION_BUILD}" "claw-variables.yml" ; then
+            echo 'Version already exists in CLAW.'
+            exit 1
           else
-              echo "no new version to commit"
+            echo "- ${VERSION_BUILD}" >> claw-variables.yml
+
+            git add claw-variables.yml
+
+            if ! [ -z "$(git status --porcelain)"]; then
+              git config user.name github-actions
+              git config user.email github-actions@github.com
+              git commit -m "Add CF CLI ${VERSION_BUILD}"
+            else
+                echo "no new version to commit"
+            fi
+
+            git push
           fi
-
-          git push
         popd    
 # vim: set sw=2 ts=2 sts=2 et tw=78 foldlevel=2 fdm=indent nospell: