Skip to content

Scanner release offline vulnerability bundle update #1789

Scanner release offline vulnerability bundle update

Scanner release offline vulnerability bundle update #1789

name: Scanner release offline vulnerability bundle update
on:
schedule:
- cron: '0 */3 * * *'
pull_request:
types:
- opened
- reopened
- synchronize
jobs:
offline-bundle-matrix:
runs-on: ubuntu-latest
if: >
github.event_name == 'schedule' ||
(github.event_name == 'pull_request' &&
contains(github.event.pull_request.labels.*.name, 'pr-update-scanner-vulns'))
outputs:
matrix: ${{ steps.output-matrix.outputs.matrix }}
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Create matrix
id: output-matrix
run: |
EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
echo "matrix<<$EOF" >> "$GITHUB_OUTPUT"
.github/workflows/scripts/scanner-offline-bundle-matrix.sh | tee -a "$GITHUB_OUTPUT"
echo "$EOF" >> "$GITHUB_OUTPUT"
offline-bundle-generate:
needs: offline-bundle-matrix
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
versions: ${{ fromJson(needs.offline-bundle-matrix.outputs.matrix).versions }}
env:
VULNERABILITY_VERSION: ${{ matrix.versions.vulnerability_version }}
SUPPORTED_RELEASES: ${{ matrix.versions.supported_releases }}
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Google Cloud SDK
uses: google-github-actions/setup-gcloud@v2
- uses: ./.github/actions/job-preamble
with:
gcp-account: ${{ secrets.GCP_SERVICE_ACCOUNT_STACKROX_CI }}
- name: Generate offline bundle
run: |
.github/workflows/scripts/scanner-offline-bundle-generate.sh \
bundle \
"$VULNERABILITY_VERSION" \
"$SUPPORTED_RELEASES"
- uses: ./.github/actions/upload-artifact-with-retry
with:
name: offline-bundle-${{ matrix.versions.vulnerability_version }}
path: bundle
if-no-files-found: error
offline-bundle-upload:
runs-on: ubuntu-latest
needs:
- offline-bundle-generate
steps:
- uses: actions/download-artifact@v4
with:
path: bundles
pattern: offline-bundle-*
merge-multiple: true
- name: Authenticate with Google Cloud (release)
if: github.event_name == 'schedule'
uses: google-github-actions/auth@v2
with:
credentials_json: ${{ secrets.GOOGLE_SA_STACKROX_HUB_VULN_DUMP_UPLOADER }}
- name: Authenticate with Google Cloud (pull request)
if: github.event_name == 'pull_request'
uses: google-github-actions/auth@v2
with:
credentials_json: ${{ secrets.GOOGLE_SA_CIRCLECI_SCANNER }}
- name: Set up Cloud SDK
uses: google-github-actions/setup-gcloud@v2
- name: Set GCS bucket (release)
if: github.event_name == 'schedule'
run: |
bucket="gs://definitions.stackrox.io/v4/offline-bundles/"
echo "BUCKET=$bucket" >> "$GITHUB_ENV"
- name: Set GCS bucket (pull request)
if: github.event_name == 'pull_request'
run: |
branch="${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}"
dir="${branch////-}"
case $dir in
dev|1.0.0)
echo "Branch $dir is disallowed"
exit 1
esac
bucket="gs://scanner-v4-test/offline-bundles/$dir"
echo "BUCKET=$bucket" >> "$GITHUB_ENV"
- name: Upload bundles
run: |
cd bundles
echo "uploading files to $BUCKET"
ls -lh .
gsutil cp -r . "$BUCKET"
offline-bundle-notification:
needs:
- offline-bundle-matrix
- offline-bundle-generate
- offline-bundle-upload
runs-on: ubuntu-latest
if: github.event_name == 'schedule' && failure()
steps:
- name: Send Slack notification on workflow failure
run: |
curl -X POST -H 'Content-type: application/json' --data '{"text":"<${{github.server_url}}/${{github.repository}}/actions/runs/${{github.run_id}}|Workflow ${{ github.workflow }}> failed in repository ${{ github.repository }}: Failed to update offline vulnerabilities bundle"}' ${{ secrets.SLACK_ONCALL_SCANNER_WEBHOOK }}