Skip to content

Scanner release vulnerability update #61

Scanner release vulnerability update

Scanner release vulnerability update #61

name: Scanner release vulnerability update
on:
schedule:
- cron: "0 */3 * * *"
push:
branches:
- scanner/*
jobs:
read-release-versions:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.output-matrix.outputs.matrix }}
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Generate matrix JSON
id: output-matrix
run: |
EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
echo "matrix<<$EOF" >> "$GITHUB_OUTPUT"
sed -n '/^\s*\(#.*\)\?$/!p' scanner/updater/version/RELEASE_VERSION | jq -Rs '{ versions: ( sub("\n$"; "")|split("\n") ) }' | tee -a "$GITHUB_OUTPUT"
echo "$EOF" >> "$GITHUB_OUTPUT"
upload-release-vulnerabilities:
needs: read-release-versions
runs-on: ubuntu-latest
strategy:
fail-fast: false # If one of the versions fails, it should not stop others from succeeding.
max-parallel: 1 # Jobs are memory intensive, so only run one at a time.
matrix:
version: ${{ fromJson(needs.read-release-versions.outputs.matrix).versions }}
env:
ROX_PRODUCT_VERSION: ${{ matrix.version }}
steps:
- name: Authenticate with Google Cloud
uses: google-github-actions/auth@v2
with:
credentials_json: ${{ secrets.GOOGLE_SA_CIRCLECI_SCANNER }}
- name: Set up Cloud SDK
uses: google-github-actions/setup-gcloud@v2
- name: Update vulnerabilities
continue-on-error: true
run: |
DOWNLOAD_URL="https://github.com/stackrox/stackrox/archive/refs/tags/${{ env.ROX_PRODUCT_VERSION }}.zip"
FILE_NAME=$(basename "$DOWNLOAD_URL")
if ! wget "$DOWNLOAD_URL" -O "$FILE_NAME"; then
echo "Download failed. Terminating current matrix step."
exit 1
fi
unzip "$FILE_NAME" -d "${FILE_NAME}-dir"
cd "${FILE_NAME}-dir/stackrox-"*
if [ ! -d "scanner" ]; then
echo "Scanner directory not found. Terminating current matrix step."
exit 1
fi
go run ./scanner/cmd/updater -output-dir=${{ env.ROX_PRODUCT_VERSION }}
gsutil cp -r "${{ env.ROX_PRODUCT_VERSION }}" "gs://scanner-v4-test/vulnerability-bundles"
send-notification:
needs:
- read-release-versions
- upload-release-vulnerabilities
runs-on: ubuntu-latest
if: failure()
steps:
- name: Send Slack notification on workflow failure
run: |
curl -X POST -H 'Content-type: application/json' --data '{"text":"Workflow failed in workflow ${{ github.workflow }} in repository ${{ github.repository }}: Failed to update vulnerabilities"}' ${{ secrets.SLACK_ONCALL_SCANNER_WEBHOOK }}