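name: Scanner update database init dump
on:
  schedule:
    # Run at midnight UTC.
    - cron: "0 0 * * *"

# Least privilege for the job-scoped GITHUB_TOKEN: nothing below pushes to the
# repository or writes to the GitHub API; every external access goes through an
# explicitly referenced secret instead.
# NOTE(review): confirm the composite actions under .github/actions do not need
# more than contents:read before relying on this.
permissions:
  contents: read

jobs:
  # Job 1: build the `updater` binary inside the scanner CI image and hand it
  # to the next job as an artifact.
  build-updater:
    runs-on: ubuntu-latest
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.4.4
    steps:
      - name: Checkout repository
        # TODO(review): pin third-party actions to a commit SHA rather than a
        # mutable major tag so a moved upstream tag cannot change this job.
        uses: actions/checkout@v4
      - uses: ./.github/actions/job-preamble
        with:
          gcp-account: ${{ secrets.GCP_SERVICE_ACCOUNT_STACKROX_CI }}
      - uses: ./.github/actions/cache-go-dependencies
      - name: Build updater
        run: |
          make tag
          make -C scanner bin/updater
      - uses: ./.github/actions/upload-artifact-with-retry
        with:
          name: updater
          path: scanner/bin/updater

  # Job 2: import the vulnerability bundle into a throwaway PostgreSQL 15
  # service container and dump the resulting database as the init bundle.
  build-init-dump:
    needs:
      - build-updater
    runs-on: ubuntu-latest
    services:
      postgres:
        image: registry.redhat.io/rhel8/postgresql-15
        credentials:
          username: ${{ secrets.RH_REGISTRY_USERNAME_RO }}
          password: ${{ secrets.RH_REGISTRY_PASSWORD_RO }}
        env:
          # Throwaway credential for this job-scoped service container. It is
          # only reachable through the port published on this runner host and
          # is discarded with the runner, so it is not treated as a secret.
          # Keep its three uses (here, `updater import`, `pg_dump`) in sync.
          POSTGRESQL_ADMIN_PASSWORD: scanner
        # User "runner(1001)" owns the workspace directory.
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
          --user 1001
        # Use workspace to ensure the volume permission is set to "runner(1001)".
        # NOTE(review): the checkout step below runs after the service has
        # initialised its data directory inside this volume; actions/checkout
        # replaces the contents of a workspace that is not yet a git repository,
        # so confirm the running server survives that on a fresh runner.
        volumes:
          - ${{ github.workspace }}:/var/lib/pgsql/data
        ports:
          - "5432:5432"
    env:
      # TODO Hard-coded to "dev" while we don't have a matrix job to go over all
      # release branches. Selects both the vulnerability bundle to import and
      # the file name of the dump produced.
      version: dev
    steps:
      # Checkout only to make ./.github/actions/{download,upload}-artifact-with-retry
      # available. The workflow runs on `schedule`, where
      # github.event.pull_request is empty, so no `ref` is given (the default
      # branch head is checked out) and a shallow clone is sufficient.
      - name: Checkout repository
        uses: actions/checkout@v4
      - uses: ./.github/actions/download-artifact-with-retry
        with:
          name: updater
          path: /usr/local/bin
      - name: Install PostgreSQL 15 client
        # `shell: bash` runs with `-eo pipefail`, so a failed download below
        # fails the step instead of being masked by the `tee`.
        shell: bash
        run: |
          source /etc/os-release
          # Scope the PGDG signing key to the PGDG repository via `signed-by`
          # rather than the deprecated `apt-key add`, which trusts the key for
          # every configured repository. `curl -f` turns an HTTP error into a
          # failure instead of storing an error page as the key.
          sudo install -d -m 0755 /etc/apt/keyrings
          curl -fsSL https://www.postgresql.org/media/keys/ACCC4CF8.asc \
            | sudo tee /etc/apt/keyrings/postgresql.asc > /dev/null
          echo "deb [signed-by=/etc/apt/keyrings/postgresql.asc] https://apt.postgresql.org/pub/repos/apt ${VERSION_CODENAME}-pgdg main" \
            | sudo tee /etc/apt/sources.list.d/pgdg.list
          sudo apt-get update
          sudo apt-get install -y --no-install-recommends postgresql-client-15
      - name: Run updater
        run: |
          chmod +x /usr/local/bin/updater
          # The bundle is fetched over HTTPS from the project's bucket; this is
          # the only step that writes to the service database.
          updater import \
            --vulns-url "https://storage.googleapis.com/scanner-v4-test/vulnerability-bundles/${version}/vulns.json.zst" \
            --db-conn 'host=localhost user=postgres database=postgres password=scanner'
      - name: Run pg_dump
        # `shell: bash` enables pipefail, so a pg_dump failure is not hidden by
        # a successful zstd at the end of the pipe.
        shell: bash
        run: |
          PGPASSWORD=scanner pg_dump \
            -v \
            -h localhost \
            -p 5432 \
            -U postgres \
            --format=custom postgres \
            | zstd -o "db-init-${version}.dump.zst"
      - uses: ./.github/actions/upload-artifact-with-retry
        with:
          name: init-dump
          path: db-init-*.dump.zst

  # Job 3: publish the dump to the scanner-v4-test bucket.
  upload-init-dump:
    needs:
      - build-init-dump
    runs-on: ubuntu-latest
    steps:
      - name: Authenticate with Google Cloud
        # TODO(review): this is a long-lived service-account JSON key held as a
        # repository secret; prefer workload identity federation
        # (`workload_identity_provider`) so no static key has to be stored.
        uses: google-github-actions/auth@v2
        with:
          credentials_json: ${{ secrets.GOOGLE_SA_CIRCLECI_SCANNER }}
      - name: Set up Google Cloud SDK
        uses: google-github-actions/setup-gcloud@v2
      # Checkout only to make ./.github/actions/download-artifact-with-retry
      # available; as in build-init-dump, no `ref` is needed on a scheduled run.
      - name: Checkout repository
        uses: actions/checkout@v4
      # No `name` is given, so presumably every artifact of this run (updater
      # and init-dump) is downloaded, each into a directory named after it.
      - uses: ./.github/actions/download-artifact-with-retry
      - name: Upload to Google Cloud Bucket
        run: |
          # Only the dump is published; the glob skips the updater artifact.
          # The object name carries only the version, so each run overwrites
          # the previous dump for that version.
          gsutil cp init-dump*/* gs://scanner-v4-test/scanner-v4-db-init-bundles/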