Skip to content

Scanner update database init dump #149

Scanner update database init dump

Scanner update database init dump #149

name: Scanner update database init dump
on:
schedule:
# Run at midnight UTC.
- cron: "0 0 * * *"
jobs:
build-updater:
runs-on: ubuntu-latest
container:
image: quay.io/stackrox-io/apollo-ci:scanner-test-0.4.4
steps:
- name: Checkout repository
uses: actions/checkout@v4
- uses: ./.github/actions/job-preamble
with:
gcp-account: ${{ secrets.GCP_SERVICE_ACCOUNT_STACKROX_CI }}
- uses: ./.github/actions/cache-go-dependencies
- name: Build updater
run: |
make tag
make -C scanner bin/updater
- uses: ./.github/actions/upload-artifact-with-retry
with:
name: updater
path: scanner/bin/updater
build-init-dump:
needs:
- build-updater
runs-on: ubuntu-latest
services:
postgres:
image: registry.redhat.io/rhel8/postgresql-15
credentials:
username: ${{ secrets.RH_REGISTRY_USERNAME_RO }}
password: ${{ secrets.RH_REGISTRY_PASSWORD_RO }}
env:
POSTGRESQL_ADMIN_PASSWORD: scanner
# User "runner(1001)" owns the workspace directory.
options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
--user 1001
# Use workspace to ensure the volume permission is set to "runnner(1001)".
volumes:
- ${{ github.workspace }}:/var/lib/pgsql/data
ports:
- 5432:5432
env:
# TODO Hard-coded to "dev" while we don't have a matrix job to go over all
# release branches.
version: dev
steps:
# Checkout to run ./.github/actions/{download,upload}-artifact-with-retry
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
ref: ${{ github.event.pull_request.head.sha }}
- uses: ./.github/actions/download-artifact-with-retry
with:
name: updater
path: /usr/local/bin
- name: Install PostgreSQL 15 client
shell: bash
run: |
source /etc/os-release
echo "deb http://apt.postgresql.org/pub/repos/apt $VERSION_CODENAME-pgdg main" | sudo tee /etc/apt/sources.list.d/pgdg.list
curl -sSL https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -
sudo apt-get update
sudo apt-get install -y postgresql-client-15
- name: Run updater
run: |
chmod +x /usr/local/bin/updater
updater import \
--vulns-url "https://storage.googleapis.com/scanner-v4-test/vulnerability-bundles/$version/vulns.json.zst" \
--db-conn 'host=localhost user=postgres database=postgres password=scanner'
- name: Run pg_dump
shell: bash
run: |
PGPASSWORD=scanner pg_dump \
-v \
-h localhost \
-p 5432 \
-U postgres \
--format=custom postgres \
| zstd -o "db-init-$version.dump.zst"
- uses: ./.github/actions/upload-artifact-with-retry
with:
name: init-dump
path: db-init-*.dump.zst
upload-init-dump:
needs:
- build-init-dump
runs-on: ubuntu-latest
steps:
- name: Authenticate with Google Cloud
uses: google-github-actions/auth@v2
with:
credentials_json: ${{ secrets.GOOGLE_SA_CIRCLECI_SCANNER }}
- name: Set up Google Cloud SDK
uses: google-github-actions/setup-gcloud@v2
# Checkout to run ./.github/actions/download-artifact-with-retry
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
ref: ${{ github.event.pull_request.head.sha }}
- uses: ./.github/actions/download-artifact-with-retry
- name: Upload to Google Cloud Bucket
run: |
gsutil cp init-dump*/* gs://scanner-v4-test/scanner-v4-db-init-bundles/