Include latest v4 vulnerability #416
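---
# CI workflow for the scanner repository.
#
# Pipeline shape (derived from the `needs:` edges below):
#   pre-build-updater ─┬─> generate-genesis-dump ─┬─> generate-db-dump ─> generate-scanner-db-bundle ─┐
#                      │                          ├─> diff-dumps                                      ├─> build-images
#   pre-build-scanner ─┴─> generate-scanner-bundle ─────────────────────────────────────────────────┘
#                      ├─> unit-tests
#                      └─> db-integration-tests
#   generate-db-dump ──> upload-db-dump / upload-dumps-for-downstream / upload-dumps-for-embedding (master only)
#
# NOTE(review): there is no top-level `permissions:` block, so each job's
# GITHUB_TOKEN receives the repository default. Once the needs of the local
# composite actions (job-preamble, cache-go-dependencies) are confirmed,
# pin a least-privilege set here (e.g. `contents: read`).
name: CI

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader reads it correctly.
on:  # yamllint disable-line rule:truthy
  schedule:
    # Every three hours, at the top of the hour.
    - cron: '0 */3 * * *'
  push:
    branches:
      - master
  pull_request:
    types:
      - opened
      - reopened
      - synchronize

jobs:
  # Builds bin/updater and publishes it as the `updater-build` artifact.
  pre-build-updater:
    runs-on: ubuntu-latest
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          # Empty on push/schedule events; checkout then falls back to the
          # event's default ref.
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - name: Cache Go dependencies
        uses: ./.github/actions/cache-go-dependencies
      - name: Build updater
        run: make build-updater
      # Tarred so file permissions survive the artifact round-trip.
      - name: Archive the build to preserve permissions
        run: tar -cvzf updater-build.tgz bin/updater
      - uses: actions/upload-artifact@v4
        with:
          name: updater-build
          path: updater-build.tgz

  # Builds image/scanner/bin/scanner and publishes it as `scanner-build`.
  pre-build-scanner:
    runs-on: ubuntu-latest
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - name: Cache Go dependencies
        uses: ./.github/actions/cache-go-dependencies
      - name: Build Scanner
        run: make scanner-build-nodeps
      # Tarred so file permissions survive the artifact round-trip.
      - name: Archive the build to preserve permissions
        run: tar -cvzf scanner-build.tgz image/scanner/bin/scanner
      - uses: actions/upload-artifact@v4
        with:
          name: scanner-build
          path: scanner-build.tgz

  # Lint / formatting checks; independent of the build jobs.
  style-check:
    runs-on: ubuntu-latest
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - name: Cache Go dependencies
        uses: ./.github/actions/cache-go-dependencies
      - name: Run style checks
        run: ./scripts/ci/jobs/style-checks.sh

  # Unit tests against the prebuilt scanner binary.
  unit-tests:
    runs-on: ubuntu-latest
    needs:
      - pre-build-scanner
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - name: Cache Go dependencies
        uses: ./.github/actions/cache-go-dependencies
      - uses: actions/download-artifact@v4
        with:
          name: scanner-build
      - name: Unpack scanner build
        run: |
          tar xvzf scanner-build.tgz
      - name: Run unit tests
        run: ./scripts/ci/jobs/unit-tests.sh

  # DB integration tests against the prebuilt scanner binary.
  db-integration-tests:
    runs-on: ubuntu-latest
    needs:
      - pre-build-scanner
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - name: Cache Go dependencies
        uses: ./.github/actions/cache-go-dependencies
      - uses: actions/download-artifact@v4
        with:
          name: scanner-build
      - name: Unpack scanner build
        run: |
          tar xvzf scanner-build.tgz
      - name: Run db integration tests
        run: ./scripts/ci/jobs/db-integration-tests.sh

  # Produces the genesis dump and the raw vulnerability dump with the
  # updater. Skipped on PRs unless they carry the `generate-dumps-on-pr`
  # label (dump generation is slow and needs the NVD key).
  generate-genesis-dump:
    if: |
      github.event_name != 'pull_request' ||
      contains(github.event.pull_request.labels.*.name, 'generate-dumps-on-pr')
    env:
      # Job-level env is visible to every step here, including the checkout
      # and artifact actions; presumably consumed by generate_genesis_dump
      # (via lib.sh) — confirm, and consider scoping it to that step.
      NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
    runs-on: ubuntu-latest
    needs:
      - pre-build-updater
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - uses: actions/download-artifact@v4
        with:
          name: updater-build
      - name: Unpack updater build
        run: |
          tar xvzf updater-build.tgz
      - name: genesis-dump
        run: |
          source ./scripts/ci/lib.sh
          generate_genesis_dump
      - uses: actions/upload-artifact@v4
        with:
          name: genesis-dump
          path: /tmp/genesis-dump/genesis-dump.zip
      - uses: actions/upload-artifact@v4
        with:
          name: vuln-dump
          path: /tmp/vuln-dump

  # Turns the genesis dump into the Postgres definitions dump (`db-dump`).
  # Same PR-label gate as generate-genesis-dump.
  generate-db-dump:
    if: |
      github.event_name != 'pull_request' ||
      contains(github.event.pull_request.labels.*.name, 'generate-dumps-on-pr')
    runs-on: ubuntu-latest
    needs:
      - generate-genesis-dump
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - uses: actions/download-artifact@v4
        with:
          name: updater-build
      - name: Unpack updater build
        run: |
          tar xvzf updater-build.tgz
      - uses: actions/download-artifact@v4
        with:
          name: genesis-dump
          path: /tmp/genesis-dump
      - name: db-dump
        run: |
          source ./scripts/ci/lib.sh
          generate_db_dump
      - uses: actions/upload-artifact@v4
        with:
          name: db-dump
          path: /tmp/postgres/pg-definitions.sql.gz

  # Assembles the scanner image bundle. Runs even when the dump job was
  # skipped (unlabelled PRs), in which case `get_genesis_dump` is expected
  # to fetch a dump from elsewhere instead of using the artifact.
  generate-scanner-bundle:
    runs-on: ubuntu-latest
    needs:
      - pre-build-scanner
      - generate-genesis-dump
    if: |
      always() &&
      (needs.generate-genesis-dump.result == 'success' || needs.generate-genesis-dump.result == 'skipped')
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - uses: actions/download-artifact@v4
        with:
          name: scanner-build
      - name: Unpack scanner build
        run: |
          tar xvzf scanner-build.tgz
      # The vuln-dump artifact only exists when generate-genesis-dump ran,
      # so mirror its gate here.
      - uses: actions/download-artifact@v4
        if: |
          github.event_name != 'pull_request' ||
          contains(github.event.pull_request.labels.*.name, 'generate-dumps-on-pr')
        with:
          name: vuln-dump
          path: /tmp/vuln-dump
      - name: Generate OSS notice
        run: make ossls-notice
      - name: Get genesis dump
        run: |
          source ./scripts/ci/lib.sh
          get_genesis_dump
      - name: Make bundle
        run: image/scanner/rhel/create-bundle.sh image/scanner image/scanner/rhel
      # Tarred so file permissions survive the artifact round-trip.
      - name: Archive the bundle to preserve permissions
        run: tar -cvzf bundle.tgz image/scanner/rhel
      - uses: actions/upload-artifact@v4
        with:
          name: scanner-bundle
          path: bundle.tgz

  # Assembles the scanner-db image bundle; same skipped-dump handling as
  # generate-scanner-bundle.
  generate-scanner-db-bundle:
    runs-on: ubuntu-latest
    needs:
      - generate-db-dump
    if: |
      always() &&
      (needs.generate-db-dump.result == 'success' || needs.generate-db-dump.result == 'skipped')
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      # The db-dump artifact only exists when generate-db-dump ran.
      - uses: actions/download-artifact@v4
        if: |
          github.event_name != 'pull_request' ||
          contains(github.event.pull_request.labels.*.name, 'generate-dumps-on-pr')
        with:
          name: db-dump
          path: /tmp/postgres
      - name: Get db dump
        run: |
          source ./scripts/ci/lib.sh
          get_db_dump
      - name: Make db bundle
        run: image/db/rhel/create-bundle.sh image/db image/db/rhel
      - uses: actions/upload-artifact@v4
        with:
          name: scanner-db-bundle
          path: image/db/rhel

  # Builds the four images from the bundles and, for non-fork runs, logs in
  # to quay.io and pushes them.
  build-images:
    env:
      # Job-level env: all six registry credentials are visible to every
      # step of this job, not just the login/push steps. The RW pairs are
      # presumably used by push_image_set (lib.sh) — confirm, and consider
      # moving them to step-level `env:` on the login and push steps.
      QUAY_RHACS_ENG_RO_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RO_USERNAME }}
      QUAY_RHACS_ENG_RO_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RO_PASSWORD }}
      QUAY_RHACS_ENG_RW_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }}
      QUAY_RHACS_ENG_RW_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }}
      QUAY_STACKROX_IO_RW_USERNAME: ${{ secrets.QUAY_STACKROX_IO_RW_USERNAME }}
      QUAY_STACKROX_IO_RW_PASSWORD: ${{ secrets.QUAY_STACKROX_IO_RW_PASSWORD }}
    runs-on: ubuntu-latest
    needs:
      - generate-scanner-bundle
      - generate-scanner-db-bundle
    # Proceed as long as no upstream job failed or was cancelled (skipped
    # bundle jobs are tolerated).
    if: always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled')
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - uses: actions/download-artifact@v4
        with:
          name: scanner-bundle
      - name: Unpack bundle
        run: |
          tar xvzf bundle.tgz
      - uses: actions/download-artifact@v4
        with:
          name: scanner-db-bundle
          path: image/db/rhel
      # Image tag comes from the `tag` make target.
      - name: Build scanner image
        run: |
          docker build -t scanner:"$(make --no-print-directory --quiet tag)" -f image/scanner/rhel/Dockerfile image/scanner/rhel
      - name: Build scanner-slim image
        run: |
          docker build -t scanner-slim:"$(make --no-print-directory --quiet tag)" -f image/scanner/rhel/Dockerfile.slim image/scanner/rhel
      - name: Build scanner-db image
        run: |
          docker build -t scanner-db:"$(make --no-print-directory --quiet tag)" -f image/db/rhel/Dockerfile image/db/rhel
      - name: Build scanner-db-slim image
        run: |
          docker build -t scanner-db-slim:"$(make --no-print-directory --quiet tag)" -f image/db/rhel/Dockerfile.slim image/db/rhel
      - name: Docker login
        # Skip for external contributions (fork PRs have no secrets anyway).
        if: |
          github.event_name == 'push' || !github.event.pull_request.head.repo.fork
        # Password is passed on stdin so it never appears in argv / ps output.
        run: |
          docker login -u "${QUAY_RHACS_ENG_RO_USERNAME}" --password-stdin quay.io <<<"${QUAY_RHACS_ENG_RO_PASSWORD}"
      - name: Push images
        # Skip for external contributions.
        if: |
          github.event_name == 'push' || !github.event.pull_request.head.repo.fork
        run: |
          source ./scripts/ci/lib.sh
          push_image_set

  # Diffs the freshly generated dumps against the previous ones. Same
  # PR-label gate as generate-genesis-dump.
  diff-dumps:
    if: |
      github.event_name != 'pull_request' ||
      contains(github.event.pull_request.labels.*.name, 'generate-dumps-on-pr')
    env:
      # Job-level env; three GCP service-account credentials visible to every
      # step. Presumably consumed by diff-dumps.sh — confirm which are still
      # needed and scope them to that step.
      GOOGLE_SA_STACKROX_HUB_VULN_DUMP_UPLOADER: ${{ secrets.GOOGLE_SA_STACKROX_HUB_VULN_DUMP_UPLOADER }}
      SCANNER_GCP_SERVICE_ACCOUNT_CREDS: ${{ secrets.SCANNER_GCP_SERVICE_ACCOUNT_CREDS }}
      GOOGLE_SA_CIRCLECI_SCANNER: ${{ secrets.GOOGLE_SA_CIRCLECI_SCANNER }}
    runs-on: ubuntu-latest
    needs:
      - generate-genesis-dump
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - uses: actions/download-artifact@v4
        with:
          name: updater-build
      - name: Unpack updater build
        run: |
          tar xvzf updater-build.tgz
      # Tag builds do not use the freshly generated genesis dump.
      - uses: actions/download-artifact@v4
        if: ${{ ! startsWith(github.ref, 'refs/tags/') }}
        with:
          name: genesis-dump
          path: /tmp/genesis-dump
      - name: diff-dumps
        run: ./scripts/ci/jobs/diff-dumps.sh

  # Publishes the db-dump artifact.
  upload-db-dump:
    # Only run on master branch
    if: github.ref == 'refs/heads/master'
    env:
      GOOGLE_SA_CIRCLECI_SCANNER: ${{ secrets.GOOGLE_SA_CIRCLECI_SCANNER }}
    runs-on: ubuntu-latest
    needs:
      - generate-db-dump
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - uses: actions/download-artifact@v4
        with:
          name: db-dump
          path: /tmp/postgres
      - name: upload-db-dump
        run: ./scripts/ci/jobs/upload-db-dump.sh

  # Publishes the vuln and db dumps for downstream consumers.
  upload-dumps-for-downstream:
    # Only run on master branch
    if: github.ref == 'refs/heads/master'
    env:
      GOOGLE_SA_STACKROX_HUB_VULN_DUMP_UPLOADER: ${{ secrets.GOOGLE_SA_STACKROX_HUB_VULN_DUMP_UPLOADER }}
    runs-on: ubuntu-latest
    needs:
      - generate-db-dump
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - uses: actions/download-artifact@v4
        with:
          name: vuln-dump
          path: /tmp/vuln-dump
      - uses: actions/download-artifact@v4
        with:
          name: db-dump
          path: /tmp/postgres
      - name: upload-dumps-for-downstream
        run: ./scripts/ci/jobs/upload-dumps-for-downstream.sh

  # Publishes the vuln dump for embedding.
  upload-dumps-for-embedding:
    # Only run on master branch
    if: github.ref == 'refs/heads/master'
    env:
      GOOGLE_SA_CIRCLECI_SCANNER: ${{ secrets.GOOGLE_SA_CIRCLECI_SCANNER }}
    runs-on: ubuntu-latest
    needs:
      - generate-db-dump
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - uses: actions/download-artifact@v4
        with:
          name: vuln-dump
          path: /tmp/vuln-dump
      # Step name matches the script it runs (embedding, not downstream).
      - name: upload-dumps-for-embedding
        run: ./scripts/ci/jobs/upload-dumps-for-embedding.sh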