Scanner release vulnerability update #12
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Scanner release vulnerability update | |
| on: | |
| schedule: | |
| - cron: "0 */3 * * *" | |
| push: | |
| branches: | |
| - scanner/* | |
| jobs: | |
| read-release-versions: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| matrix: ${{ steps.output-matrix.outputs.matrix }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Generate matrix JSON | |
| id: output-matrix | |
| run: | | |
| EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) | |
| echo "matrix<<$EOF" >> "$GITHUB_OUTPUT" | |
| sed -n '/^\s*\(#.*\)\?$/!p' scanner/updater/version/RELEASE_VERSION | jq -Rs '{ versions: ( sub("\n$"; "")|split("\n") ) }' | tee -a "$GITHUB_OUTPUT" | |
| echo "$EOF" >> "$GITHUB_OUTPUT" | |
| upload-release-vulnerabilities: | |
| needs: read-release-versions | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false # If one of the versions fails, it should not stop others from succeeding. | |
| max-parallel: 1 # Jobs are memory intensive, so only run one at a time. | |
| matrix: | |
| version: ${{ fromJson(needs.read-release-versions.outputs.matrix).versions }} | |
| env: | |
| ROX_PRODUCT_VERSION: ${{ matrix.version }} | |
| steps: | |
| - name: Authenticate with Google Cloud | |
| uses: google-github-actions/auth@v2 | |
| with: | |
| credentials_json: ${{ secrets.GOOGLE_SA_CIRCLECI_SCANNER }} | |
| - name: Set up Cloud SDK | |
| uses: google-github-actions/setup-gcloud@v2 | |
| - name: Update vulnerabilities | |
| continue-on-error: true | |
| run: | | |
| DOWNLOAD_URL="https://github.com/stackrox/stackrox/archive/refs/tags/${{ env.ROX_PRODUCT_VERSION }}.zip" | |
| FILE_NAME=$(basename "$DOWNLOAD_URL") | |
| if ! wget "$DOWNLOAD_URL" -O "$FILE_NAME"; then | |
| echo "Download failed. Terminating current matrix step." | |
| exit 1 | |
| fi | |
| unzip "$FILE_NAME" -d "${FILE_NAME}-dir" | |
| cd "${FILE_NAME}-dir/stackrox-"* | |
| if [ ! -d "scanner" ]; then | |
| echo "Scanner directory not found. Terminating current matrix step." | |
| exit 1 | |
| fi | |
| go run ./scanner/cmd/updater -output-dir=${{ env.ROX_PRODUCT_VERSION }} | |
| gsutil cp -r "${{ env.ROX_PRODUCT_VERSION }}" "gs://scanner-v4-test/vulnerability-bundles" | |
| send-notification: | |
| needs: | |
| - read-release-versions | |
| - upload-release-vulnerabilities | |
| runs-on: ubuntu-latest | |
| if: failure() | |
| steps: | |
| - name: Send Slack notification on workflow failure | |
| run: | | |
| curl -X POST -H 'Content-type: application/json' --data '{"text":"Workflow failed in workflow ${{ github.workflow }} in repository ${{ github.repository }}: Failed to update vulnerabilities"}' ${{ secrets.SLACK_ONCALL_SCANNER_WEBHOOK }} |