Update notebook image security reports #3
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| # The aim of this GitHub workflow is to update the `ci/securitty-scan/security_scan_results.md` with latest security scan results. | |
| name: Update notebook image security reports | |
| on: # yamllint disable-line rule:truthy | |
| workflow_dispatch: | |
| inputs: | |
| branch: | |
| required: true | |
| description: "Provide the name of the branch you want to update ex main, vYYYYx etc: " | |
| schedule: | |
| - cron: "0 0 */21 * 5" # Scheduled every third Friday | |
| env: | |
| SEC_SCAN_BRANCH: sec-scan-${{ github.run_id }} | |
| BRANCH_NAME: main | |
| RELEASE_VERSION_N: 2023b | |
| RELEASE_VERSION_N_1: 2023a | |
| jobs: | |
| initialize: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| steps: | |
| - name: Install Skopeo CLI | |
| shell: bash | |
| run: | | |
| sudo apt-get -y update | |
| sudo apt-get -y install skopeo | |
| # Checkout the branch | |
| - name: Checkout branch | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ env.BRANCH_NAME }} | |
| # Create a new branch | |
| - name: Create a new branch | |
| run: | | |
| echo ${{ env.SEC_SCAN_BRANCH }} | |
| git checkout -b ${{ env.SEC_SCAN_BRANCH }} | |
| git push --set-upstream origin ${{ env.SEC_SCAN_BRANCH }} | |
| check-vulnerabilities: | |
| needs: [initialize] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| steps: | |
| - name: Configure Git | |
| run: | | |
| git config --global user.email "github-actions[bot]@users.noreply.github.com" | |
| git config --global user.name "GitHub Actions" | |
| # Get the latest weekly build commit hash: https://github.com/opendatahub-io/notebooks/commits/2023b | |
| - name: Checkout upstream notebooks repo | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: opendatahub-io/notebooks.git | |
| ref: ${{ env.RELEASE_VERSION_N }} | |
| - name: Retrieve latest weekly commit hash from the "N" branch | |
| id: hash-n | |
| shell: bash | |
| run: | | |
| echo "HASH_N=$(git rev-parse --short HEAD)" >> ${GITHUB_OUTPUT} | |
| - name: Checkout "N - 1" branch | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: opendatahub-io/notebooks.git | |
| ref: ${{ env.RELEASE_VERSION_N_1 }} | |
| - name: Retrieve latest weekly commit hash from the "N - 1" branch | |
| id: hash-n-1 | |
| shell: bash | |
| run: | | |
| echo "HASH_N_1=$(git rev-parse --short HEAD)" >> ${GITHUB_OUTPUT} | |
| - name: Checkout "main" branch | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: opendatahub-io/notebooks.git | |
| ref: main | |
| - name: Retrieve latest weekly commit hash from the "main" branch | |
| id: hash-main | |
| shell: bash | |
| run: | | |
| echo "LATEST_MAIN_COMMIT=$(git rev-parse --short HEAD)" >> ${GITHUB_OUTPUT} | |
| # Checkout the release branch to apply the updates | |
| - name: Checkout release branch | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ env.SEC_SCAN_BRANCH }} | |
| - name: setup python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.10' # install the python version needed | |
| - name: install python packages | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install requests | |
| - name: execute py script # run trial.py | |
| env: | |
| HASH_N: ${{ steps.hash-n.outputs.HASH_N }} | |
| RELEASE_VERSION_N: ${{ env.RELEASE_VERSION_N }} | |
| HASH_N_1: ${{ steps.hash-n-1.outputs.HASH_N_1 }} | |
| RELEASE_VERSION_N_1: ${{ env.RELEASE_VERSION_N_1 }} | |
| LATEST_MAIN_COMMIT: ${{ steps.hash-main.outputs.LATEST_MAIN_COMMIT }} | |
| run: make scan-image-vulnerabilities | |
| - name: Push the files | |
| run: | | |
| git fetch origin ${{ env.SEC_SCAN_BRANCH }} && git pull origin ${{ env.SEC_SCAN_BRANCH }} && git add . && git commit -m "Update security scans" && git push origin ${{ env.SEC_SCAN_BRANCH }} | |
| # Creates the Pull Request | |
| open-pull-request: | |
| needs: [check-vulnerabilities] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| pull-requests: write | |
| steps: | |
| - name: Checkout repo | |
| uses: actions/checkout@v4 | |
| - name: pull-request | |
| uses: repo-sync/pull-request@v2 | |
| with: | |
| source_branch: ${{ env.SEC_SCAN_BRANCH }} | |
| destination_branch: ${{ env.BRANCH_NAME}} | |
| github_token: ${{ secrets.GITHUB_TOKEN }} | |
| pr_label: "automated pr" | |
| pr_title: "[Security Scanner Action] Weekly update of security vulnerabilities reported by Quay" | |
| pr_body: | | |
| :rocket: This is an automated Pull Request. | |
| This PR updates: | |
| * `ci/security-scan/security_scan_results.md` file with the latest security vulnerabilities reported by Quay. | |
| * `ci/security-scan/weekly_commit_ids` with the latest updated SHA digests of the notebooks (N & N-1) | |
| Created by `/.github/workflows/sec-scan.yaml` | |
| :exclamation: **IMPORTANT NOTE**: Remember to delete the ` ${{ env.SEC_SCAN_BRANCH }}` branch after merging the changes |