Backport to branch(3.10) : Use reusable vulnerability check workflow (#…
…2298)

Co-authored-by: Yusuke <[email protected]>
feeblefakie and ymorimo authored Oct 25, 2024
1 parent f05cfcc commit 23bcfe1
Showing 2 changed files with 11 additions and 103 deletions.
2 changes: 0 additions & 2 deletions .github/workflows/manual-vuln-check.yaml
Expand Up @@ -12,5 +12,3 @@ jobs:
target-ref: ${{ github.ref_name }}
secrets:
CR_PAT: ${{ secrets.CR_PAT }}
SLACK_SECURITY_WEBHOOK_URL: ${{ secrets.SLACK_SECURITY_WEBHOOK_URL }}

112 changes: 11 additions & 101 deletions .github/workflows/vuln-check.yaml
Expand Up @@ -12,106 +12,16 @@ on:
CR_PAT:
required: true
SLACK_SECURITY_WEBHOOK_URL:
required: true
required: false

env:
TERM: dumb
jobs:
docker:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.target-ref }}

- name: Set up JDK 8
uses: actions/setup-java@v4
with:
java-version: '8'
distribution: 'temurin'

- name: Login to GitHub Container Registry
if: always()
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.CR_PAT }}

- name: Setup Gradle
uses: gradle/actions/setup-gradle@v4

- name: Docker build
if: always()
run: ./gradlew docker

- name: Set version
if: always()
id: version
run: |
VERSION=$(./gradlew :core:properties -q | grep "version:" | awk '{print $2}')
echo "version=${VERSION}" >> $GITHUB_OUTPUT
- name: Run Trivy vulnerability scanner for ScalarDB Server
if: always()
uses: aquasecurity/trivy-action@master
with:
image-ref: ghcr.io/scalar-labs/scalardb-server:${{ steps.version.outputs.version }}
format: 'table'
exit-code: '1'
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
timeout: '60m'

- name: Post Trivy vulnerability check failure for ScalarDB Server to Slack
if: failure()
uses: slackapi/[email protected]
with:
payload: |
{
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": ":octagonal_sign: The vulnerability check for ScalarDB Server on `${{ github.repository }}` <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|failed> with `${{ inputs.target-ref }}`"
}
}
]
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_SECURITY_WEBHOOK_URL }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK

- name: Run Trivy vulnerability scanner for ScalarDB Schema Loader
if: always()
uses: aquasecurity/trivy-action@master
with:
image-ref: ghcr.io/scalar-labs/scalardb-schema-loader:${{ steps.version.outputs.version }}
format: 'table'
exit-code: '1'
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
timeout: '60m'

- name: Post Trivy vulnerability check failure for ScalarDB Schema Loader to Slack
if: failure()
uses: slackapi/[email protected]
with:
payload: |
{
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": ":octagonal_sign: The vulnerability check for ScalarDB Schema Loader on `${{ github.repository }}` <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|failed> with `${{ inputs.target-ref }}`"
}
}
]
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_SECURITY_WEBHOOK_URL }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK

call-vuln-check:
uses: scalar-labs/actions/.github/workflows/vuln-check-reusable.yaml@main
with:
target-ref: ${{ inputs.target-ref }}
find-latest-release: ${{ inputs.find-latest-release }}
images: '[["ScalarDB Schema Loader", "scalardb-schema-loader"]]'
version-command: "./gradlew :core:properties -q | grep version: | awk '{print $2}'"
secrets:
CR_PAT: ${{ secrets.CR_PAT }}
SLACK_SECURITY_WEBHOOK_URL: ${{ secrets.SLACK_SECURITY_WEBHOOK_URL }}
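Review bot: The reusable workflow at `uses: scalar-labs/actions/.github/workflows/vuln-check-reusable.yaml@main` is referenced through a mutable branch, and this job forwards `secrets.CR_PAT` and `secrets.SLACK_SECURITY_WEBHOOK_URL` to it, so any push to that branch changes what runs with those credentials without a change in this repository; pinning to a release tag or, preferably, a full commit SHA (`uses: scalar-labs/actions/.github/workflows/vuln-check-reusable.yaml@<commit-sha>`) keeps the dependency reviewable. The `images` list names only `scalardb-schema-loader`, whereas the removed steps also scanned `scalardb-server`; if that image is still built on this branch the scan coverage shrinks silently, so either add it to the list or leave a comment stating why it was dropped. `find-latest-release` is read from `inputs`, which must be declared in the `on.workflow_call.inputs` block that starts above this hunk. `SLACK_SECURITY_WEBHOOK_URL` is now `required: false` but is still forwarded unconditionally; whether the reusable workflow tolerates an empty value cannot be seen from here.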
