Update runner version, dependencies and .trivyignore
#99
This change bundles together a bunch of updates and fixes to CI failures.
Runner version and dependencies:
I copied these from the PRs that Dependabot has opened. I'll close those PRs after this change is approved and merged.
Trivy vulnerability filter (.trivyignore):
We had already added some CVEs to the filter list since we are willing to accept the risk of internal dependencies of the runner. Trivy recently added scanning for .NET dependencies, so we were seeing more Trivy failures in CI due to this. This change adds a few CVEs to the list and removes many that were no longer needed since the issues have been resolved by updates.
Other changes:
GitHub is deprecating the --once flag for the run script and replacing it with the --ephemeral flag for the configure script. Runners that are configured as ephemeral are automatically de-registered by GitHub, so we can safely remove the cleanup step from our entrypoint script (I also didn't think it was necessary to clean up any folders upon exit since the whole container is torn down at this point).
I also added the --disableupdate flag to the configure script, which GitHub recommends for ephemeral runners in containers (more info).
Testing:
I ran the runner container locally, registered the runner with a repo, and ran a job on it. I also ran Trivy locally to make sure the filter was working before pushing it.
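The PR accepts a set of CVEs through .trivyignore and prunes entries that updates have already resolved. As an added example (not code from PR #99 or from the repository), the POSIX shell script below implements the two checks a reviewer would want for such a file: a lint that requires every accepted CVE to follow a '#' comment justifying the acceptance, and a stale-entry check that compares the ignore list against a Trivy JSON report taken without the ignore file. The justification policy, the function names, the sample ignore files and the report are all our own constructions; the CVE ids in them are placeholders, not real findings.

```shell
#!/bin/sh
# Added example, not code from PR #99 or the repository. Trivy reads one
# vulnerability ID per line of .trivyignore and treats lines starting with '#'
# as comments. The policy enforced here is our own assumption: each accepted
# CVE must follow a '#' comment recording why the risk is accepted, and ids
# that no longer appear in a scan report are reported as stale.

# lint_trivyignore FILE: exit 0 when every entry is a CVE id with a justification.
# A comment justifies only the entry that directly follows it; a blank line or
# another entry resets the state, so each accepted id needs its own comment.
lint_trivyignore() {
  file=$1 status=0 justified=0 n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in
      '')  justified=0 ;;   # blank line ends a justification block
      \#*) justified=1 ;;   # comment line: justification for the next entry
      *)
        id=${line%%[[:space:]]*}   # first token is the id (this lint's assumption)
        case "$id" in
          CVE-[0-9][0-9][0-9][0-9]-[0-9]*) ;;
          *) echo "$file:$n: not a CVE id: $line" >&2; status=1 ;;
        esac
        [ "$justified" -eq 1 ] || { echo "$file:$n: $id has no justification comment" >&2; status=1; }
        justified=0 ;;
    esac
  done < "$file"
  return "$status"
}

# stale_entries IGNOREFILE REPORT_JSON: print ignored ids absent from the report.
# Ids are pulled from Trivy's "VulnerabilityID" fields with grep/cut, so the
# check runs without jq.
stale_entries() {
  found=$(grep -o '"VulnerabilityID": *"[^"]*"' "$2" | cut -d'"' -f4)
  grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | while IFS= read -r line; do
    id=${line%%[[:space:]]*}
    echo "$found" | grep -qx "$id" || echo "$id"
  done
}

GOOD=$(mktemp); BAD=$(mktemp); REPORT=$(mktemp)
trap 'rm -f "$GOOD" "$BAD" "$REPORT"' EXIT

# Constructed sample ignore file (placeholder CVE ids, not real findings)
cat > "$GOOD" <<'EOF'
# Internal .NET dependency of the runner; fixed in the next runner release
CVE-0000-0001
# Only reachable through the runner's self-update path, which is disabled
CVE-0000-0002
EOF

# Constructed file that violates both rules: no justification, non-CVE id
cat > "$BAD" <<'EOF'
CVE-0000-0003
# justification is present but the id is not a CVE
GHSA-xxxx
EOF

# Constructed Trivy-style JSON report: only CVE-0000-0001 is still reported
cat > "$REPORT" <<'EOF'
{"Results":[{"Target":"runner","Vulnerabilities":[{"VulnerabilityID":"CVE-0000-0001","Severity":"HIGH"}]}]}
EOF

lint_trivyignore "$GOOD" && echo "$GOOD: ok"
lint_trivyignore "$BAD" || echo "$BAD: rejected"
echo "stale entries in $GOOD:"
stale_entries "$GOOD" "$REPORT"   # prints CVE-0000-0002, which can be removed
```

Run the stale check against a report produced without the ignore file in effect; otherwise the ignored ids are filtered out of the report and every entry looks stale.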