Include latest v4 vulnerability #458
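---
# CI workflow for the scanner repository.
#
# Triggers: a three-hourly schedule, pushes to master, and pull_request
# open/reopen/synchronize events. Every job runs inside the
# quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61 container image.
#
# Job graph (from the `needs:` declarations below):
#   pre-build-updater -> generate-genesis-dump -> generate-db-dump
#   pre-build-scanner -> unit-tests, db-integration-tests
#   pre-build-scanner + generate-genesis-dump -> generate-scanner-bundle
#   generate-db-dump -> generate-scanner-db-bundle
#   generate-scanner-bundle + generate-scanner-db-bundle -> build-images
#   generate-genesis-dump -> diff-dumps
#   generate-db-dump -> upload-db-dump, upload-dumps-for-downstream,
#                       upload-dumps-for-embedding
#
# NOTE(review): no top-level `permissions:` block is declared, so each job
# receives the repository's default GITHUB_TOKEN scopes. The steps visible
# here only need `contents: read`; confirm that ./.github/actions/job-preamble
# and the ./scripts/ci helpers do not depend on a broader token before
# restricting it.
#
# NOTE(review): third-party actions are pinned to major-version tags
# (actions/checkout@v4 and friends). Pinning to a full commit SHA would make
# the action supply chain immutable; left as-is because the SHAs are not
# available here.
name: CI
on:
  schedule:
    - cron: '0 */3 * * *'
  push:
    branches:
      - master
  pull_request:
    types:
      - opened
      - reopened
      - synchronize
jobs:
  # Builds the updater binary and publishes it as the `updater-build`
  # artifact (tarred so that file permissions survive upload/download).
  pre-build-updater:
    runs-on: ubuntu-latest
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Full history; the `make tag` calls further down derive the
          # image tag from git metadata.
          fetch-depth: 0
          # On pull_request this checks out the PR head commit. On push and
          # schedule the expression is empty; presumably actions/checkout
          # then falls back to the triggering ref — confirm if relied upon.
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - name: Cache Go dependencies
        uses: ./.github/actions/cache-go-dependencies
      - name: Build updater
        run: make build-updater
      - name: Archive the build to preserve permissions
        run: tar -cvzf updater-build.tgz bin/updater
      - uses: actions/upload-artifact@v4
        with:
          name: updater-build
          path: updater-build.tgz

  # Builds the scanner binary and publishes it as the `scanner-build`
  # artifact.
  pre-build-scanner:
    runs-on: ubuntu-latest
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - name: Cache Go dependencies
        uses: ./.github/actions/cache-go-dependencies
      - name: Build Scanner
        run: make scanner-build-nodeps
      - name: Archive the build to preserve permissions
        run: tar -cvzf scanner-build.tgz image/scanner/bin/scanner
      - uses: actions/upload-artifact@v4
        with:
          name: scanner-build
          path: scanner-build.tgz

  # Lint / formatting checks; independent of the build jobs.
  style-check:
    runs-on: ubuntu-latest
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - name: Cache Go dependencies
        uses: ./.github/actions/cache-go-dependencies
      - name: Run style checks
        run: ./scripts/ci/jobs/style-checks.sh

  # Unit tests against the scanner binary built by pre-build-scanner.
  unit-tests:
    runs-on: ubuntu-latest
    needs:
      - pre-build-scanner
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - name: Cache Go dependencies
        uses: ./.github/actions/cache-go-dependencies
      - uses: actions/download-artifact@v4
        with:
          name: scanner-build
      - name: Unpack scanner build
        run: |
          tar xvzf scanner-build.tgz
      - name: Run unit tests
        run: ./scripts/ci/jobs/unit-tests.sh

  # Database integration tests against the scanner binary built by
  # pre-build-scanner.
  db-integration-tests:
    runs-on: ubuntu-latest
    needs:
      - pre-build-scanner
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - name: Cache Go dependencies
        uses: ./.github/actions/cache-go-dependencies
      - uses: actions/download-artifact@v4
        with:
          name: scanner-build
      - name: Unpack scanner build
        run: |
          tar xvzf scanner-build.tgz
      - name: Run db integration tests
        run: ./scripts/ci/jobs/db-integration-tests.sh

  # Produces the genesis vulnerability dump with the updater binary.
  # Skipped on pull requests unless the PR carries the
  # `generate-dumps-on-pr` label, since this pulls from external feeds.
  generate-genesis-dump:
    if: |
      github.event_name != 'pull_request' ||
      contains(github.event.pull_request.labels.*.name, 'generate-dumps-on-pr')
    env:
      # Job-level env: visible to every step below, including the
      # third-party artifact actions. On fork PRs GitHub supplies no secrets.
      NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
    runs-on: ubuntu-latest
    needs:
      - pre-build-updater
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - uses: actions/download-artifact@v4
        with:
          name: updater-build
      - name: Unpack updater build
        run: |
          tar xvzf updater-build.tgz
      - name: genesis-dump
        run: |
          source ./scripts/ci/lib.sh
          generate_genesis_dump
      - uses: actions/upload-artifact@v4
        with:
          name: genesis-dump
          path: /tmp/genesis-dump/genesis-dump.zip
      - uses: actions/upload-artifact@v4
        with:
          name: vuln-dump
          path: /tmp/vuln-dump

  # Turns the genesis dump into a Postgres definitions dump (`db-dump`).
  # Same PR/label gate as generate-genesis-dump.
  generate-db-dump:
    if: |
      github.event_name != 'pull_request' ||
      contains(github.event.pull_request.labels.*.name, 'generate-dumps-on-pr')
    runs-on: ubuntu-latest
    needs:
      - generate-genesis-dump
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - uses: actions/download-artifact@v4
        with:
          name: updater-build
      - name: Unpack updater build
        run: |
          tar xvzf updater-build.tgz
      - uses: actions/download-artifact@v4
        with:
          name: genesis-dump
          path: /tmp/genesis-dump
      - name: db-dump
        run: |
          source ./scripts/ci/lib.sh
          generate_db_dump
      - uses: actions/upload-artifact@v4
        with:
          name: db-dump
          path: /tmp/postgres/pg-definitions.sql.gz

  # Assembles the scanner image bundle (`scanner-bundle`).
  # `always()` lets this run when generate-genesis-dump was skipped (PR
  # without the label); `get_genesis_dump` is then expected to source the
  # dump elsewhere.
  # NOTE(review): the condition does not check
  # `needs.pre-build-scanner.result`, so a failed scanner build still starts
  # this job, which then fails at the scanner-build download instead of
  # being skipped. Consider adding
  # `needs.pre-build-scanner.result == 'success' &&`; the knock-on effect on
  # build-images' `!contains(needs.*.result, ...)` gate should be checked
  # together with that change.
  generate-scanner-bundle:
    runs-on: ubuntu-latest
    needs:
      - pre-build-scanner
      - generate-genesis-dump
    if: |
      always() &&
      (needs.generate-genesis-dump.result == 'success' || needs.generate-genesis-dump.result == 'skipped')
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - uses: actions/download-artifact@v4
        with:
          name: scanner-build
      - name: Unpack scanner build
        run: |
          tar xvzf scanner-build.tgz
      # The vuln-dump artifact only exists when the dump jobs ran; gate on
      # the same PR/label condition to avoid a missing-artifact failure.
      - uses: actions/download-artifact@v4
        if: |
          github.event_name != 'pull_request' ||
          contains(github.event.pull_request.labels.*.name, 'generate-dumps-on-pr')
        with:
          name: vuln-dump
          path: /tmp/vuln-dump
      - name: Generate OSS notice
        run: make ossls-notice
      - name: Get genesis dump
        run: |
          source ./scripts/ci/lib.sh
          get_genesis_dump
      - name: Make bundle
        run: image/scanner/rhel/create-bundle.sh image/scanner image/scanner/rhel
      - name: Archive the bundle to preserve permissions
        run: tar -cvzf bundle.tgz image/scanner/rhel
      - uses: actions/upload-artifact@v4
        with:
          name: scanner-bundle
          path: bundle.tgz

  # Assembles the scanner-db image bundle (`scanner-db-bundle`).
  # `always()` lets this run when generate-db-dump was skipped; `get_db_dump`
  # is then expected to source the dump elsewhere.
  generate-scanner-db-bundle:
    runs-on: ubuntu-latest
    needs:
      - generate-db-dump
    if: |
      always() &&
      (needs.generate-db-dump.result == 'success' || needs.generate-db-dump.result == 'skipped')
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - uses: actions/download-artifact@v4
        if: |
          github.event_name != 'pull_request' ||
          contains(github.event.pull_request.labels.*.name, 'generate-dumps-on-pr')
        with:
          name: db-dump
          path: /tmp/postgres
      - name: Get db dump
        run: |
          source ./scripts/ci/lib.sh
          get_db_dump
      - name: Make db bundle
        run: image/db/rhel/create-bundle.sh image/db image/db/rhel
      - uses: actions/upload-artifact@v4
        with:
          name: scanner-db-bundle
          path: image/db/rhel

  # Builds the four container images from the bundles and, for non-fork
  # sources, pushes them to the registry.
  build-images:
    env:
      # NOTE(review): registry credentials are set at job level, so every
      # step (including the third-party artifact actions and the docker
      # builds) can read them. Scoping them to the login/push steps would
      # narrow exposure, but ./.github/actions/job-preamble may read them
      # first — confirm before moving.
      QUAY_RHACS_ENG_RO_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RO_USERNAME }}
      QUAY_RHACS_ENG_RO_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RO_PASSWORD }}
      QUAY_RHACS_ENG_RW_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }}
      QUAY_RHACS_ENG_RW_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }}
      QUAY_STACKROX_IO_RW_USERNAME: ${{ secrets.QUAY_STACKROX_IO_RW_USERNAME }}
      QUAY_STACKROX_IO_RW_PASSWORD: ${{ secrets.QUAY_STACKROX_IO_RW_PASSWORD }}
    runs-on: ubuntu-latest
    needs:
      - generate-scanner-bundle
      - generate-scanner-db-bundle
    # Runs unless a bundle job failed or was cancelled; a skipped bundle job
    # does not block this job.
    if: always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled')
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - uses: actions/download-artifact@v4
        with:
          name: scanner-bundle
      - name: Unpack bundle
        run: |
          tar xvzf bundle.tgz
      - uses: actions/download-artifact@v4
        with:
          name: scanner-db-bundle
          path: image/db/rhel
      - name: Build scanner image
        run: |
          docker build -t scanner:"$(make --no-print-directory --quiet tag)" -f image/scanner/rhel/Dockerfile image/scanner/rhel
      - name: Build scanner-slim image
        run: |
          docker build -t scanner-slim:"$(make --no-print-directory --quiet tag)" -f image/scanner/rhel/Dockerfile.slim image/scanner/rhel
      - name: Build scanner-db image
        run: |
          docker build -t scanner-db:"$(make --no-print-directory --quiet tag)" -f image/db/rhel/Dockerfile image/db/rhel
      - name: Build scanner-db-slim image
        run: |
          docker build -t scanner-db-slim:"$(make --no-print-directory --quiet tag)" -f image/db/rhel/Dockerfile.slim image/db/rhel
      - name: Docker login
        # Skip for external contributions.
        if: |
          github.event_name == 'push' || !github.event.pull_request.head.repo.fork
        # Password goes over stdin, not argv, so it does not land in the
        # process list or the step log. This logs in with the read-only
        # credentials; push_image_set presumably authenticates with the RW
        # credentials itself.
        run: |
          docker login -u "${QUAY_RHACS_ENG_RO_USERNAME}" --password-stdin quay.io <<<"${QUAY_RHACS_ENG_RO_PASSWORD}"
      - name: Push images
        # Skip for external contributions.
        if: |
          github.event_name == 'push' || !github.event.pull_request.head.repo.fork
        run: |
          source ./scripts/ci/lib.sh
          push_image_set

  # Diffs the freshly generated genesis dump against the published one.
  # Same PR/label gate as the dump jobs.
  diff-dumps:
    if: |
      github.event_name != 'pull_request' ||
      contains(github.event.pull_request.labels.*.name, 'generate-dumps-on-pr')
    env:
      GOOGLE_SA_STACKROX_HUB_VULN_DUMP_UPLOADER: ${{ secrets.GOOGLE_SA_STACKROX_HUB_VULN_DUMP_UPLOADER }}
      SCANNER_GCP_SERVICE_ACCOUNT_CREDS: ${{ secrets.SCANNER_GCP_SERVICE_ACCOUNT_CREDS }}
      GOOGLE_SA_CIRCLECI_SCANNER: ${{ secrets.GOOGLE_SA_CIRCLECI_SCANNER }}
    runs-on: ubuntu-latest
    needs:
      - generate-genesis-dump
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - uses: actions/download-artifact@v4
        with:
          name: updater-build
      - name: Unpack updater build
        run: |
          tar xvzf updater-build.tgz
      # The local genesis dump is not fetched on tag builds; diff-dumps.sh is
      # assumed to handle its absence in that case.
      - uses: actions/download-artifact@v4
        if: ${{ ! startsWith(github.ref, 'refs/tags/') }}
        with:
          name: genesis-dump
          path: /tmp/genesis-dump
      - name: diff-dumps
        run: ./scripts/ci/jobs/diff-dumps.sh

  # Publishes the db dump. Master-only (the schedule also runs on master).
  upload-db-dump:
    # Only run on master branch
    if: github.ref == 'refs/heads/master'
    env:
      GOOGLE_SA_CIRCLECI_SCANNER: ${{ secrets.GOOGLE_SA_CIRCLECI_SCANNER }}
    runs-on: ubuntu-latest
    needs:
      - generate-db-dump
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - uses: actions/download-artifact@v4
        with:
          name: db-dump
          path: /tmp/postgres
      - name: upload-db-dump
        run: ./scripts/ci/jobs/upload-db-dump.sh

  # Publishes the vuln and db dumps for downstream consumers. Master-only.
  upload-dumps-for-downstream:
    # Only run on master branch
    if: github.ref == 'refs/heads/master'
    env:
      GOOGLE_SA_STACKROX_HUB_VULN_DUMP_UPLOADER: ${{ secrets.GOOGLE_SA_STACKROX_HUB_VULN_DUMP_UPLOADER }}
    runs-on: ubuntu-latest
    needs:
      - generate-db-dump
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - uses: actions/download-artifact@v4
        with:
          name: vuln-dump
          path: /tmp/vuln-dump
      - uses: actions/download-artifact@v4
        with:
          name: db-dump
          path: /tmp/postgres
      - name: upload-dumps-for-downstream
        run: ./scripts/ci/jobs/upload-dumps-for-downstream.sh

  # Publishes the vuln dump for embedding. Master-only.
  upload-dumps-for-embedding:
    # Only run on master branch
    if: github.ref == 'refs/heads/master'
    env:
      GOOGLE_SA_CIRCLECI_SCANNER: ${{ secrets.GOOGLE_SA_CIRCLECI_SCANNER }}
    runs-on: ubuntu-latest
    needs:
      - generate-db-dump
    container:
      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/job-preamble
      - uses: actions/download-artifact@v4
        with:
          name: vuln-dump
          path: /tmp/vuln-dump
      # Step name was a copy-paste leftover (`upload-dumps-for-downstream`);
      # it now matches the job and the script it runs.
      - name: upload-dumps-for-embedding
        run: ./scripts/ci/jobs/upload-dumps-for-embedding.sh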