-
Notifications
You must be signed in to change notification settings - Fork 15
154 lines (135 loc) · 5.92 KB
/
daily-db-publisher-r2.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
name: 'Daily DB Publisher R2'
on:
# allow for kicking off DB builds manually
workflow_dispatch:
inputs:
publish-databases:
description: "build new databases and upload to S3"
type: boolean
required: true
default: true
publish-listing:
description: "use S3 state to update and publish listing file"
type: boolean
required: true
default: true
# run 4 AM (UTC) daily
schedule:
- cron: '0 4 * * *'
env:
CGO_ENABLED: "0"
SLACK_NOTIFICATIONS: true
FORCE_COLOR: true
jobs:
discover-schema-versions:
# note about workflow dispatch inputs and booleans:
# a) booleans come across as string types :(
# b) if not using workflow_dispatch the default values are empty, which means we want these to effectively evaluate to true (so only check the negative case)
if: ${{ github.event.inputs.publish-databases != 'false' }}
name: "Pull vulnerability data"
runs-on: ubuntu-20.04
outputs:
schema-versions: ${{ steps.read-schema-versions.outputs.schema-versions }}
pull-date: ${{ steps.timestamp.outputs.date }}
# set the permissions granted to the github token to read the pull cache from ghcr.io
permissions:
contents: read
packages: read
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
- name: Read supported schema versions
id: read-schema-versions
run: |
content=`cat manager/src/grype_db_manager/data/schema-info.json | jq -c '[.available[] | select(.supported == true) | .schema]'`
echo "schema-versions=$content" >> $GITHUB_OUTPUT
generate-and-publish-dbs:
# note about workflow dispatch inputs and booleans:
# a) booleans come across as string types :(
# b) if not using workflow_dispatch the default values are empty, which means we want these to effectively evaluate to true (so only check the negative case)
if: ${{ github.event.inputs.publish-databases != 'false' }}
name: "Generate and publish DBs"
needs: discover-schema-versions
runs-on: ubuntu-22.04-4core-16gb
strategy:
matrix:
schema-version: ${{fromJson(needs.discover-schema-versions.outputs.schema-versions)}}
# set the permissions granted to the github token to read the pull cache from ghcr.io
permissions:
contents: read
packages: read
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
with:
submodules: true
- name: Bootstrap environment
uses: ./.github/actions/bootstrap
- name: Login to ghcr.io
run: |
echo ${{ secrets.GITHUB_TOKEN }} | oras login ghcr.io --username ${{ github.actor }} --password-stdin
- name: Pull vulnerability data
run: make download-all-provider-cache
- name: Generate and upload DB (schema ${{ matrix.schema-version }})
run: |
poetry run \
grype-db-manager \
-c ./config/grype-db-manager/publish-production-r2.yaml \
db build-and-upload \
--schema-version ${{ matrix.schema-version }} \
-vvv
env:
AWS_ACCESS_KEY_ID: ${{ secrets.TOOLBOX_CLOUDFLARE_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.TOOLBOX_CLOUDFLARE_SECRET_ACCESS_KEY }}
GRYPE_DB_MANAGER_DISTRIBUTION_S3_ENDPOINT_URL: ${{ secrets.TOOLBOX_CLOUDFLARE_R2_ENDPOINT }}
- uses: 8398a7/action-slack@28ba43ae48961b90635b50953d216767a6bea486 #v3.16.2
with:
status: ${{ job.status }}
fields: workflow,eventName,job
text: Publishing the Grype DB has failed (schema ${{ matrix.schema-version }})
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }}
if: ${{ failure() && env.SLACK_NOTIFICATIONS == 'true' }}
publish-listing-file:
# fun! https://github.com/actions/runner/issues/491#issuecomment-850884422
# essentially even if the workflow dispatch job is skipping steps, we still want to run this step.
# however, if not running from a workflow dispatch then we want the job ordering to be honored.
# also...
# note about workflow dispatch inputs and booleans:
# a) booleans come across as string types :(
# b) if not using workflow_dispatch the default values are empty, which means we want these to effectively evaluate to true (so only check the negative case)
if: |
always() &&
(needs.generate-and-publish-dbs.result == 'success' || needs.generate-and-publish-dbs.result == 'skipped') &&
github.event.inputs.publish-listing != 'false'
name: "Publish listing file"
needs: generate-and-publish-dbs
runs-on: ubuntu-22.04-4core-16gb
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
with:
submodules: true
- name: Bootstrap environment
uses: ./.github/actions/bootstrap
- name: Publish listing file
run: |
poetry run \
grype-db-manager \
-c ./config/grype-db-manager/publish-production-r2.yaml \
listing update
env:
AWS_ACCESS_KEY_ID: ${{ secrets.TOOLBOX_CLOUDFLARE_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.TOOLBOX_CLOUDFLARE_SECRET_ACCESS_KEY }}
GRYPE_DB_MANAGER_DISTRIBUTION_S3_ENDPOINT_URL: ${{ secrets.TOOLBOX_CLOUDFLARE_R2_ENDPOINT }}
- uses: 8398a7/action-slack@28ba43ae48961b90635b50953d216767a6bea486 #v3.16.2
with:
status: ${{ job.status }}
fields: workflow,eventName,job
text: Publishing the Grype DB listing file has failed
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }}
if: ${{ failure() && env.SLACK_NOTIFICATIONS == 'true' }}
sync-listing-file-to-s3:
name: "Sync listing file to S3"
needs:
- publish-listing-file
uses: ./.github/workflows/copy-listing-from-r2.yaml
secrets: inherit