Skip to content

Update external networks #419

Update external networks

Update external networks #419

name: Update external networks
on:
pull_request:
types:
- opened
- reopened
- synchronize
schedule:
- cron: 30 10 * * * # Run this every day at 10:30 UTC
workflow_dispatch:
inputs:
dry-run:
description: Execute Dry Run
required: false
default: true
type: boolean
jobs:
save-current-networks:
name: Download and store currently published latest networks
if: github.event_name == 'schedule' || (github.event.inputs.dry-run == 'false' && github.event_name == 'workflow_dispatch') # Can only be triggered by scheduled run or manual action with dry-run set to false
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Download and test latest networks
run: ${GITHUB_WORKSPACE}/.github/workflows/scripts/download-current-networks.sh
shell: bash
- uses: actions/upload-artifact@v3
with:
name: current-latest-networks
path: /tmp/external-networks
build:
name: Build external-network-pusher
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Read Go version from go.mod
run: echo "GO_VERSION=$(grep -E "^go\s+[0-9.]+$" go.mod | cut -d " " -f 2)" >> $GITHUB_ENV
- name: Setup Go environment
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
- name: Go Build Cache
uses: actions/cache@v4
with:
path: ~/.cache
key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum') }}
- name: Go Mod Cache
uses: actions/cache@v4
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
- name: Run unit tests
run: make test
- name: Build binaries
run: make build
- name: Upload binary
uses: actions/upload-artifact@v3
with:
name: bin
path: .gobin
run-dry-run: # Dry run will run on PRs by default
runs-on: ubuntu-latest
needs: build
name: Dry-run external-network-pusher and simulate results
steps:
- uses: 'google-github-actions/auth@v2'
with:
credentials_json: '${{ secrets.GCP_NETWORKS_UPLOADER_SA }}'
- name: 'Set up Cloud SDK'
uses: 'google-github-actions/setup-gcloud@v2'
- name: Download executable
uses: actions/download-artifact@v3
with:
name: bin
- name: Set permissions to file
run: chmod +x linux/network-crawler
- name: Dry run external-network-pusher
run: linux/network-crawler --dry-run --bucket-name definitions.stackrox.io
run-and-upload:
name: Run external-network-pusher and upload results
if: github.event_name == 'schedule' || (github.event.inputs.dry-run == 'false' && github.event_name == 'workflow_dispatch') # Can only be triggered by scheduled run or manual action with dry-run set to false
runs-on: ubuntu-latest
needs: [build, run-dry-run, save-current-networks]
steps:
- uses: 'google-github-actions/auth@v2'
with:
credentials_json: '${{ secrets.GCP_NETWORKS_UPLOADER_SA }}'
- name: 'Set up Cloud SDK'
uses: 'google-github-actions/setup-gcloud@v2'
- name: Download executable
uses: actions/download-artifact@v3
with:
name: bin
- name: Set permissions to file
run: chmod +x linux/network-crawler
- name: Run external-network-pusher
run: linux/network-crawler --bucket-name definitions.stackrox.io
notify:
name: Notify about failed run
if: failure() && (github.event_name == 'schedule' || (github.event.inputs.dry-run == 'false' && github.event_name == 'workflow_dispatch')) # Only trigger on failures of schedule & manual non-dry runs
needs: run-and-upload
runs-on: ubuntu-latest
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
steps:
- name: Post to Slack channel team-acs-maple-interruptions
uses: slackapi/[email protected]
with:
channel-id: "C03SWCX9W0Z"
payload: >-
{ "blocks": [
{ "type": "section", "text": { "type": "mrkdwn", "text":
":red-warning: Daily update of external networks for defintions.stackrox.io failed! :red-warning:\nRefer to the Workflow logs for more information."}},
{ "type": "divider" },
{ "type": "section", "text": { "type": "mrkdwn", "text":
">
Repository: <${{github.server_url}}/${{github.repository}}|${{github.repository}}>\n>
Workflow: <${{github.server_url}}/${{github.repository}}/actions/runs/${{github.run_id}}|${{github.workflow}}>" }}
]}