rename vars and get latest main commit using workflow

opendatahub-io · Jan 3, 2024 · c83b431 · c83b431
1 parent 9bea990
commit c83b431
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 24 deletions.
diff --git a/.github/workflows/sec-scan.yml b/.github/workflows/sec-scan.yml
@@ -58,7 +58,7 @@ jobs:
           repository: opendatahub-io/notebooks.git
           ref: ${{ env.RELEASE_VERSION_N }}
 
-      - name: Retrieve latest weekly commit hash from the release branch
+      - name: Retrieve latest weekly commit hash from the "N" branch
         id: hash-n
         shell: bash
         run: |
@@ -70,11 +70,23 @@ jobs:
           repository: opendatahub-io/notebooks.git
           ref: ${{ env.RELEASE_VERSION_N_1 }}
 
-      - name: Retrieve latest weekly commit hash from the release branch
+      - name: Retrieve latest weekly commit hash from the "N - 1" branch
         id: hash-n-1
         shell: bash
         run: |
           echo "HASH_N_1=$(git rev-parse --short HEAD)" >> ${GITHUB_OUTPUT}
+        
+      - name: Checkout "main" branch
+        uses: actions/checkout@v3
+        with:
+          repository: opendatahub-io/notebooks.git
+          ref: main
+
+      - name: Retrieve latest weekly commit hash from the "main" branch
+        id: hash-main
+        shell: bash
+        run: |
+          echo "LATEST_MAIN_COMMIT=$(git rev-parse --short HEAD)" >> ${GITHUB_OUTPUT}
 
       # Checkout the release branch to apply the updates
       - name: Checkout release branch
@@ -99,6 +111,8 @@ jobs:
 
           HASH_N_1: ${{ steps.hash-n-1.outputs.HASH_N_1 }}
           RELEASE_VERSION_N_1: 2023a
+
+          LATEST_MAIN_COMMIT: ${{ steps.hash-main.outputs.HASH_N }}
         run: make scan-image-vulnerabilities
 
       - name: Push the files

diff --git a/ci/security-scan/quay_security_analysis.py b/ci/security-scan/quay_security_analysis.py
@@ -68,17 +68,14 @@ def process_image(image, commit_id_path, RELEASE_VERSION_N, HASH_N):
     src_tag_cmd = f'skopeo inspect docker://{img} | jq \'.Env[] | select(startswith("OPENSHIFT_BUILD_NAME=")) | split("=")[1]\''
     src_tag = subprocess.check_output(src_tag_cmd, shell=True, text=True).strip().strip('"').replace('-amd64', '')
 
-
-    regex = "" # f"{src_tag}-{RELEASE_VERSION_N}-\\d+-{HASH_N}"
+    regex = ""
 
     if RELEASE_VERSION_N == "":
         regex = f"{src_tag}-(\\d+-)?{HASH_N}"
     else:
         regex = f"{src_tag}-{RELEASE_VERSION_N}-\\d+-{HASH_N}"
 
     latest_tag_cmd = f'skopeo inspect docker://{img} | jq -r --arg regex "{regex}" \'.RepoTags | map(select(. | test($regex))) | .[0]\''
-    print("latest_tag_cmd")
-    print(latest_tag_cmd)
     latest_tag = subprocess.check_output(latest_tag_cmd, shell=True, text=True).strip()
 
     digest_cmd = f'skopeo inspect docker://{registry}:{latest_tag} | jq .Digest | tr -d \'"\''
@@ -89,9 +86,6 @@ def process_image(image, commit_id_path, RELEASE_VERSION_N, HASH_N):
 
     output = f"{registry}@{digest}"
 
-    print("output")
-    print(output)
-
     sha_ = output.split(":")[1]
 
     url = f"https://quay.io/api/v1/repository/opendatahub/workbench-images/manifest/sha256:{sha_}/security"
@@ -124,12 +118,10 @@ def process_image(image, commit_id_path, RELEASE_VERSION_N, HASH_N):
             line = f"{image}={output}\n"
         print(line, end="")
 
-
-RELEASE_VERSION_N = os.environ['RELEASE_VERSION_N']
-HASH_N = os.environ['HASH_N']
+LATEST_MAIN_COMMIT = os.environ['LATEST_MAIN_COMMIT']
 
 for i, image in enumerate(IMAGES_MAIN):
-    process_image(image, commit_id_path, "", "0133259")
+    process_image(image, commit_id_path, "", LATEST_MAIN_COMMIT)
 
 branch_main_data = ""
 for key, value in my_dictionary.items():
@@ -141,20 +133,23 @@ def process_image(image, commit_id_path, RELEASE_VERSION_N, HASH_N):
 
 my_dictionary = {}
 
+RELEASE_VERSION_N = os.environ['RELEASE_VERSION_N']
+HASH_N = os.environ['HASH_N']
+
 # Call the function for each image in IMAGES
 for i, image in enumerate(IMAGES):
     process_image(image, commit_id_path, RELEASE_VERSION_N, HASH_N)
 
 today = date.today()
 d2 = today.strftime("%B %d, %Y")
 
-formatted_data = ""
+branch_n_data = ""
 for key, value in my_dictionary.items():
-    formatted_data += f"| [{key}](https://quay.io/repository/opendatahub/workbench-images/manifest/{my_dictionary[key]['sha']}?tab=vulnerabilities) |"
+    branch_n_data += f"| [{key}](https://quay.io/repository/opendatahub/workbench-images/manifest/{my_dictionary[key]['sha']}?tab=vulnerabilities) |"
     for severity in ['Medium', 'Low', 'Unknown', 'High', 'Critical']:
         count = value.get(severity, 0)  # Get count for the severity, default to 0 if not present
-        formatted_data += f" {count} |"
-    formatted_data += "\n"
+        branch_n_data += f" {count} |"
+    branch_n_data += "\n"
 
 my_dictionary = {}
 
@@ -164,13 +159,13 @@ def process_image(image, commit_id_path, RELEASE_VERSION_N, HASH_N):
 for i, image in enumerate(IMAGES_N_1):
     process_image(image, commit_id_path, RELEASE_VERSION_N_1, HASH_N_1)
 
-branch_n_data = ""
+branch_n_1_data = ""
 for key, value in my_dictionary.items():
-    branch_n_data += f"| [{key}](https://quay.io/repository/opendatahub/workbench-images/manifest/{my_dictionary[key]['sha']}?tab=vulnerabilities) |"
+    branch_n_1_data += f"| [{key}](https://quay.io/repository/opendatahub/workbench-images/manifest/{my_dictionary[key]['sha']}?tab=vulnerabilities) |"
     for severity in ['Medium', 'Low', 'Unknown', 'High', 'Critical']:
         count = value.get(severity, 0)  # Get count for the severity, default to 0 if not present
-        branch_n_data += f" {count} |"
-    branch_n_data += "\n"
+        branch_n_1_data += f" {count} |"
+    branch_n_1_data += "\n"
 
 markdown_content = """# Security Scan Results
 
@@ -186,16 +181,16 @@ def process_image(image, commit_id_path, RELEASE_VERSION_N, HASH_N):
 
 | Image Name | Medium | Low | Unknown | High | Critical |
 |------------|-------|-----|---------|------|------|
-{table_content}
+{branch_n}
 
 # Branch N - 1
 
 | Image Name | Medium | Low | Unknown | High | Critical |
 |------------|-------|-----|---------|------|------|
-{branch_n}
+{branch_n_1}
 """
 
-final_markdown = markdown_content.format(table_content=formatted_data, todays_date=d2, branch_n=branch_n_data, branch_main=branch_main_data)
+final_markdown = markdown_content.format(branch_n=branch_n_data, todays_date=d2, branch_n_1=branch_n_1_data, branch_main=branch_main_data)
 
 # Writing to the markdown file
 with open("ci/security-scan/security_scan_results.md", "w") as markdown_file: