Use reusable vulnerability check workflow #2288

Merged
merged 3 commits into from
Oct 25, 2024
107 changes: 10 additions & 97 deletions .github/workflows/vuln-check.yaml
Collaborator


Do we really need to keep this file vuln-check.yaml? Can we use the reusable vulnerability check workflow scalar-labs/actions/.github/workflows/vuln-check-reusable.yaml@main directly in manual-vuln-check.yaml and scheduled-vuln-check.yaml?

Contributor Author


Currently, the vuln-check.yaml file has only the functionality to not duplicate the with: block. It has several repository-specific default values.

Collaborator


Understood. Thanks!

Expand Up @@ -19,101 +19,14 @@ on:
SLACK_SECURITY_WEBHOOK_URL:
required: true

env:
TERM: dumb
jobs:
docker:
runs-on: ubuntu-latest

env:
GH_TOKEN: ${{ secrets.CR_PAT }}

steps:
# This first checkout is needed to use `ci/vuln-check/*`
- uses: actions/checkout@v4

- id: prepare-target-ref
name: Prepare target-ref
run: |
# Find the latest release name if `find-latest-release` is set to true. Use the value of `target-ref` as is otherwise.
if [[ ${{ inputs.find-latest-release }} = 'true' ]]; then
releases=$(ci/vuln-check/fetch_gh_releases "${{ github.event.repository.owner.login }}" "${{ github.event.repository.name }}")
echo -------------
echo "releases: $releases"
echo -------------
target_release=''
if [[ -n $releases ]]; then
target_release=$(ci/vuln-check/find_latest_release "${{ inputs.target-ref }}" $releases)
fi
if [[ -z $target_release ]]; then
echo "Can't find a target release"
exit 1
fi
echo $target_release
echo "target-ref=$target_release" >> $GITHUB_OUTPUT
else
echo "target-ref=${{ inputs.target-ref }}" >> $GITHUB_OUTPUT
fi

- uses: actions/checkout@v4
with:
ref: ${{ steps.prepare-target-ref.outputs.target-ref }}

- name: Set up JDK 8
uses: actions/setup-java@v4
with:
java-version: '8'
distribution: 'temurin'

- name: Login to GitHub Container Registry
if: always()
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.CR_PAT }}

- name: Setup Gradle
uses: gradle/actions/setup-gradle@v4

- name: Docker build
if: always()
run: ./gradlew docker

- name: Set version
if: always()
id: version
run: |
VERSION=$(./gradlew :core:properties -q | grep "version:" | awk '{print $2}')
echo "version=${VERSION}" >> $GITHUB_OUTPUT

- name: Run Trivy vulnerability scanner for ScalarDB Schema Loader
if: always()
uses: aquasecurity/trivy-action@master
with:
image-ref: ghcr.io/scalar-labs/scalardb-schema-loader:${{ steps.version.outputs.version }}
format: 'table'
exit-code: '1'
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
timeout: '60m'

- name: Post Trivy vulnerability check failure for ScalarDB Schema Loader to Slack
if: failure()
uses: slackapi/slack-github-action@v1.27.0
with:
payload: |
{
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": ":octagonal_sign: The vulnerability check for ScalarDB Schema Loader on `${{ github.repository }}` <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|failed> with `${{ steps.prepare-target-ref.outputs.target-ref }}`"
}
}
]
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_SECURITY_WEBHOOK_URL }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
call-vuln-check:
uses: scalar-labs/actions/.github/workflows/vuln-check-reusable.yaml@main
with:
target-ref: ${{ inputs.target-ref }}
find-latest-release: ${{ inputs.find-latest-release }}
images: '[["ScalarDB Schema Loader", "scalardb-schema-loader"]]'
version-command: "./gradlew :core:properties -q | grep version: | awk '{print $2}'"
secrets:
CR_PAT: ${{ secrets.CR_PAT }}
SLACK_SECURITY_WEBHOOK_URL: ${{ secrets.SLACK_SECURITY_WEBHOOK_URL }}
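Review bot: the `call-vuln-check` job references the reusable workflow by a mutable branch (`scalar-labs/actions/.github/workflows/vuln-check-reusable.yaml@main`) while handing it `CR_PAT` and `SLACK_SECURITY_WEBHOOK_URL` via `secrets:`; any change pushed to `main` in that repository immediately runs here with those credentials, so consider pinning `uses:` to a release tag or a full commit SHA and bumping it deliberately. The same applies to the removed `aquasecurity/trivy-action@master` reference, which the reusable workflow now owns, so it is worth confirming that the pinning policy is applied there too. Finally, `version-command` is now executed by the reusable workflow rather than this repository, so its `grep version:` / `awk '{print $2}'` pipeline should be documented as a contract of `vuln-check-reusable.yaml` (shell, working directory, Gradle setup) so that a change on either side does not silently produce an empty image tag.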
46 changes: 0 additions & 46 deletions ci/vuln-check/fetch_gh_releases

This file was deleted.

102 changes: 0 additions & 102 deletions ci/vuln-check/find_latest_release

This file was deleted.