Scanner release offline vulnerability bundle update #1803
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Scanner release offline vulnerability bundle update | |
on: | |
schedule: | |
- cron: '0 */3 * * *' | |
pull_request: | |
types: | |
- opened | |
- reopened | |
- synchronize | |
jobs: | |
offline-bundle-matrix: | |
runs-on: ubuntu-latest | |
if: > | |
github.event_name == 'schedule' || | |
(github.event_name == 'pull_request' && | |
contains(github.event.pull_request.labels.*.name, 'pr-update-scanner-vulns')) | |
outputs: | |
matrix: ${{ steps.output-matrix.outputs.matrix }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Create matrix | |
id: output-matrix | |
run: | | |
EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) | |
echo "matrix<<$EOF" >> "$GITHUB_OUTPUT" | |
.github/workflows/scripts/scanner-offline-bundle-matrix.sh | tee -a "$GITHUB_OUTPUT" | |
echo "$EOF" >> "$GITHUB_OUTPUT" | |
offline-bundle-generate: | |
needs: offline-bundle-matrix | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
versions: ${{ fromJson(needs.offline-bundle-matrix.outputs.matrix).versions }} | |
env: | |
VULNERABILITY_VERSION: ${{ matrix.versions.vulnerability_version }} | |
SUPPORTED_RELEASES: ${{ matrix.versions.supported_releases }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Set up Google Cloud SDK | |
uses: google-github-actions/setup-gcloud@v2 | |
- uses: ./.github/actions/job-preamble | |
with: | |
gcp-account: ${{ secrets.GCP_SERVICE_ACCOUNT_STACKROX_CI }} | |
- name: Generate offline bundle | |
run: | | |
.github/workflows/scripts/scanner-offline-bundle-generate.sh \ | |
bundle \ | |
"$VULNERABILITY_VERSION" \ | |
"$SUPPORTED_RELEASES" | |
- uses: ./.github/actions/upload-artifact-with-retry | |
with: | |
name: offline-bundle-${{ matrix.versions.vulnerability_version }} | |
path: bundle | |
if-no-files-found: error | |
offline-bundle-upload: | |
runs-on: ubuntu-latest | |
needs: | |
- offline-bundle-generate | |
steps: | |
- uses: actions/download-artifact@v4 | |
with: | |
path: bundles | |
pattern: offline-bundle-* | |
merge-multiple: true | |
- name: Authenticate with Google Cloud (release) | |
if: github.event_name == 'schedule' | |
uses: google-github-actions/auth@v2 | |
with: | |
credentials_json: ${{ secrets.GOOGLE_SA_STACKROX_HUB_VULN_DUMP_UPLOADER }} | |
- name: Authenticate with Google Cloud (pull request) | |
if: github.event_name == 'pull_request' | |
uses: google-github-actions/auth@v2 | |
with: | |
credentials_json: ${{ secrets.GOOGLE_SA_CIRCLECI_SCANNER }} | |
- name: Set up Cloud SDK | |
uses: google-github-actions/setup-gcloud@v2 | |
- name: Set GCS bucket (release) | |
if: github.event_name == 'schedule' | |
run: | | |
bucket="gs://definitions.stackrox.io/v4/offline-bundles/" | |
echo "BUCKET=$bucket" >> "$GITHUB_ENV" | |
- name: Set GCS bucket (pull request) | |
if: github.event_name == 'pull_request' | |
run: | | |
branch="${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" | |
dir="${branch////-}" | |
case $dir in | |
dev|1.0.0) | |
echo "Branch $dir is disallowed" | |
exit 1 | |
esac | |
bucket="gs://scanner-v4-test/offline-bundles/$dir" | |
echo "BUCKET=$bucket" >> "$GITHUB_ENV" | |
- name: Upload bundles | |
run: | | |
cd bundles | |
echo "uploading files to $BUCKET" | |
ls -lh . | |
gsutil cp -r . "$BUCKET" | |
offline-bundle-notification: | |
needs: | |
- offline-bundle-matrix | |
- offline-bundle-generate | |
- offline-bundle-upload | |
runs-on: ubuntu-latest | |
if: github.event_name == 'schedule' && failure() | |
steps: | |
- name: Send Slack notification on workflow failure | |
run: | | |
curl -X POST -H 'Content-type: application/json' --data '{"text":"<${{github.server_url}}/${{github.repository}}/actions/runs/${{github.run_id}}|Workflow ${{ github.workflow }}> failed in repository ${{ github.repository }}: Failed to update offline vulnerabilities bundle"}' ${{ secrets.SLACK_ONCALL_SCANNER_WEBHOOK }} |