Skip to content

Commit

Permalink
Backport to branch(3.12) : Use reusable vulnerability check workflow (#…
Browse files Browse the repository at this point in the history
…2296)

Co-authored-by: Yusuke <[email protected]>
  • Loading branch information
feeblefakie and ymorimo authored Oct 25, 2024
1 parent 273faf5 commit 476b4d9
Show file tree
Hide file tree
Showing 2 changed files with 11 additions and 131 deletions.
2 changes: 0 additions & 2 deletions .github/workflows/manual-vuln-check.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -12,5 +12,3 @@ jobs:
target-ref: ${{ github.ref_name }}
secrets:
CR_PAT: ${{ secrets.CR_PAT }}
SLACK_SECURITY_WEBHOOK_URL: ${{ secrets.SLACK_SECURITY_WEBHOOK_URL }}

140 changes: 11 additions & 129 deletions .github/workflows/vuln-check.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -17,134 +17,16 @@ on:
CR_PAT:
required: true
SLACK_SECURITY_WEBHOOK_URL:
required: true
required: false

env:
TERM: dumb
jobs:
docker:
runs-on: ubuntu-latest

env:
GH_TOKEN: ${{ secrets.CR_PAT }}

steps:
# This first checkout is needed to use `ci/vuln-check/*`
- uses: actions/checkout@v4

- id: prepare-target-ref
name: Prepare target-ref
run: |
# Find the latest release name if `find-latest-release` is set to true. Use the value of `target-ref` as is otherwise.
if [[ ${{ inputs.find-latest-release }} = 'true' ]]; then
releases=$(ci/vuln-check/fetch_gh_releases "${{ github.event.repository.owner.login }}" "${{ github.event.repository.name }}")
echo -------------
echo "releases: $releases"
echo -------------
target_release=''
if [[ -n $releases ]]; then
target_release=$(ci/vuln-check/find_latest_release "${{ inputs.target-ref }}" $releases)
fi
if [[ -z $target_release ]]; then
echo "Can't find a target release"
exit 1
fi
echo $target_release
echo "target-ref=$target_release" >> $GITHUB_OUTPUT
else
echo "target-ref=${{ inputs.target-ref }}" >> $GITHUB_OUTPUT
fi
- uses: actions/checkout@v4
with:
ref: ${{ steps.prepare-target-ref.outputs.target-ref }}

- name: Set up JDK 8
uses: actions/setup-java@v4
with:
java-version: '8'
distribution: 'temurin'

- name: Login to GitHub Container Registry
if: always()
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.CR_PAT }}

- name: Setup Gradle
uses: gradle/actions/setup-gradle@v4

- name: Docker build
if: always()
run: ./gradlew docker

- name: Set version
if: always()
id: version
run: |
VERSION=$(./gradlew :core:properties -q | grep "version:" | awk '{print $2}')
echo "version=${VERSION}" >> $GITHUB_OUTPUT
- name: Run Trivy vulnerability scanner for ScalarDB Server
if: always()
uses: aquasecurity/trivy-action@master
with:
image-ref: ghcr.io/scalar-labs/scalardb-server:${{ steps.version.outputs.version }}
format: 'table'
exit-code: '1'
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
timeout: '60m'

- name: Post Trivy vulnerability check failure for ScalarDB Server to Slack
if: failure()
uses: slackapi/[email protected]
with:
payload: |
{
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": ":octagonal_sign: The vulnerability check for ScalarDB Server on `${{ github.repository }}` <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|failed> with `${{ steps.prepare-target-ref.outputs.target-ref }}`"
}
}
]
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_SECURITY_WEBHOOK_URL }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK

- name: Run Trivy vulnerability scanner for ScalarDB Schema Loader
if: always()
uses: aquasecurity/trivy-action@master
with:
image-ref: ghcr.io/scalar-labs/scalardb-schema-loader:${{ steps.version.outputs.version }}
format: 'table'
exit-code: '1'
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
timeout: '60m'

- name: Post Trivy vulnerability check failure for ScalarDB Schema Loader to Slack
if: failure()
uses: slackapi/[email protected]
with:
payload: |
{
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": ":octagonal_sign: The vulnerability check for ScalarDB Schema Loader on `${{ github.repository }}` <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|failed> with `${{ steps.prepare-target-ref.outputs.target-ref }}`"
}
}
]
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_SECURITY_WEBHOOK_URL }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
call-vuln-check:
uses: scalar-labs/actions/.github/workflows/vuln-check-reusable.yaml@main
with:
target-ref: ${{ inputs.target-ref }}
find-latest-release: ${{ inputs.find-latest-release }}
images: '[["ScalarDB Schema Loader", "scalardb-schema-loader"]]'
version-command: "./gradlew :core:properties -q | grep version: | awk '{print $2}'"
secrets:
CR_PAT: ${{ secrets.CR_PAT }}
SLACK_SECURITY_WEBHOOK_URL: ${{ secrets.SLACK_SECURITY_WEBHOOK_URL }}

0 comments on commit 476b4d9

Please sign in to comment.