
Create issues only for continuous testing #292

Closed
81 changes: 81 additions & 0 deletions .github/workflows/Continuous-Testing.yaml
Expand Up @@ -43,3 +43,84 @@ jobs:
oci-image-path: "oci/${{ matrix.name }}"
date-last-scan: ${{ needs.prepare-test-matrix.outputs.last-scan }}
secrets: inherit

issue:
runs-on: ubuntu-22.04
name: Create issue
if: ${{ !cancelled() }}
needs:
- run-tests
env:
GITHUB_TOKEN: ${{ secrets.ROCKSBOT_TOKEN }}
steps:
- uses: actions/checkout@v4

- id: simplify-image-name
run: |
img_name=$(echo "${{ inputs.oci-image-name }}" | sed -r 's|.*/([a-zA-Z0-9-]+:[0-9.-]+)_[0-9]+|\1|')
echo "img_name=$img_name" >> "$GITHUB_OUTPUT"

# We assume that the sources within image.yaml are the same
- name: Get image repo
id: get-image-repo
run: |
img_repo=$(yq -r '.upload.[].source' ${{ github.workspace }}/${{ inputs.oci-image-path }}/image.yaml | head -n 1)
echo "img-repo=$img_repo" >> "$GITHUB_OUTPUT"

# We have to walk through the vulnerabilities since trivy does not support outputting the results as Markdown
- name: Create Markdown Content
id: create-markdown
run: |
set -x
title="Vulnerabilities found for ${{ steps.simplify-image-name.outputs.img_name }}"
echo "## $title" > issue.md
echo "| ID | Target | Severity | Package |" >> issue.md
echo "| -- | ----- | -------- | ------- |" >> issue.md
echo '${{ needs.run-tests.outputs.vulnerabilities }}' | jq -r '.[] | "| \(.VulnerabilityID) | /\(.Target) | \(.Severity) | \(.PkgName) |"' >> issue.md
echo -e "\nDetails: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" >> issue.md
num_vulns=$(echo '${{ needs.run-tests.outputs.vulnerabilities }}' | jq -r 'length')
echo "issue-title=$title" >> "$GITHUB_OUTPUT"
echo "issue-body-file=issue.md" >> "$GITHUB_OUTPUT"
echo "vulnerability-exists=$([[ $num_vulns -gt 0 ]] && echo 'true' || echo 'false')" >> "$GITHUB_OUTPUT"

- id: issue-exists
run: |
issue_number=$(gh issue list --repo ${{ steps.get-image-repo.outputs.img-repo }} --json "number,title" \
| jq -r '.[] | select(.title == "${{ steps.create-markdown.outputs.issue-title }}") | .number')
echo "issue-exists=$([[ -n "$issue_number" ]] && echo 'true' || echo 'false')" >> "$GITHUB_OUTPUT"
echo "issue-number=$issue_number" >> "$GITHUB_OUTPUT"


# Truth table for issue creation
# | issue-exists | notify | vulnerability-exists | op |
# |--------------|--------|----------------------|--------|
# | T | T | T | update |
# | T | T | F | never |
# | T | F | T | nop |
# | T | F | F | close |
# | F | T | T | create |
# | F | T | F | never |
# | F | F | T | create |
# | F | F | F | nop |

- name: Notify via GitHub issue
if: ${{ steps.create-markdown.outputs.vulnerability-exists == 'true' }}
run: |
set -x
op=nop
if [[ ${{ steps.issue-exists.outputs.issue-exists }} == 'false' ]]; then
op="create"
elif [[ ${{ steps.issue-exists.outputs.issue-exists }} == 'true' \
&& ${{ needs.test-vulnerabilities.outputs.notify }} == 'true' ]]; then
op="edit ${{ steps.issue-exists.outputs.issue-number }}"
fi
if [[ $op != 'nop' ]]; then
gh issue $op --repo ${{ steps.get-image-repo.outputs.img-repo }} \
--title "Vulnerabilities found for ${{ steps.simplify-image-name.outputs.img_name }}" \
--body-file "${{ steps.create-markdown.outputs.issue-body-file }}"
fi

- name: Close issue
if: ${{ steps.create-markdown.outputs.vulnerability-exists == 'false' && steps.issue-exists.outputs.issue-exists == 'true' && steps.create-markdown.outputs.vulnerability-exists == 'false' }}
run: |
gh issue close ${{ steps.issue-exists.outputs.issue-number }} --repo ${{ steps.get-image-repo.outputs.img-repo }}
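Review bot: the `elif` in the "Notify via GitHub issue" step reads `needs.test-vulnerabilities.outputs.notify`, but this job declares `needs: - run-tests` and the other steps read `needs.run-tests.outputs.vulnerabilities`; there is no `test-vulnerabilities` job in this workflow, so the expression expands to nothing and `[[ ... && == 'true' ]]` becomes a shell syntax error instead of a false branch. Change it to `needs.run-tests.outputs.notify` and quote the expansions (`[[ "${{ steps.issue-exists.outputs.issue-exists }}" == 'false' ]]`) so an empty value fails closed. The "Close issue" `if:` also repeats `steps.create-markdown.outputs.vulnerability-exists == 'false'` twice where the original in Vulnerability-Scan.yaml had `needs.test-vulnerabilities.result == 'success'`; with the job-level `if: ${{ !cancelled() }}` a failed scan leaves `vulnerabilities` empty, `jq -r 'length'` prints nothing for empty input, `[[ $num_vulns -gt 0 ]]` is then false, and the step closes the open vulnerability issue as if it had been resolved. Use `needs.run-tests.result == 'success'` as the first clause. Finally, `${{ inputs.oci-image-name }}`, `${{ needs.run-tests.outputs.vulnerabilities }}` and `${{ steps.create-markdown.outputs.issue-title }}` are interpolated directly into shell and jq source; passing them through `env:` and `jq --arg` keeps a stray quote in scanner output from breaking or altering the script.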
88 changes: 7 additions & 81 deletions .github/workflows/Vulnerability-Scan.yaml
Expand Up @@ -27,6 +27,13 @@ on:
required: false
type: string
default: '9999-12-31T23:59:59'
outputs:
vulnerabilities:
description: "Result of the vulnerability analysis."
value: ${{ jobs.test-vulnerabilities.outputs.vulnerabilities }}
notify:
description: "Should we report result to issue tracker?"
value: ${{ jobs.test-vulnerabilities.outputs.notify }}

env:
TEST_IMAGE_NAME: 'test-img'
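Review bot: the new `workflow_call` outputs map to `jobs.test-vulnerabilities.outputs.vulnerabilities` and `jobs.test-vulnerabilities.outputs.notify`, but the matching `outputs:` block on the `test-vulnerabilities` job is not part of this diff; confirm the job declares both, otherwise the caller receives empty strings. The `vulnerabilities` description should also state the format the caller now depends on across the workflow boundary: a JSON array whose entries carry `VulnerabilityID`, `Target`, `Severity` and `PkgName`, which is what the consumer's jq filter in Continuous-Testing.yaml expects.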
Expand Down Expand Up @@ -192,84 +199,3 @@ jobs:
do
MM_CHANNEL_ID="${channel}" ./src/notifications/send_to_mattermost.sh
done

issue:
runs-on: ubuntu-22.04
name: Create issue
needs:
- test-vulnerabilities
env:
GITHUB_TOKEN: ${{ secrets.ROCKSBOT_TOKEN }}
if: ${{ !cancelled() && github.event_name != 'pull_request' }}
steps:
- uses: actions/checkout@v4

- id: simplify-image-name
run: |
img_name=$(echo "${{ inputs.oci-image-name }}" | sed -r 's|.*/([a-zA-Z0-9-]+:[0-9.-]+)_[0-9]+|\1|')
echo "img_name=$img_name" >> "$GITHUB_OUTPUT"

# We assume that the sources within image.yaml are the same
- name: Get image repo
id: get-image-repo
run: |
img_repo=$(yq -r '.upload.[].source' ${{ github.workspace }}/${{ inputs.oci-image-path }}/image.yaml | head -n 1)
echo "img-repo=$img_repo" >> "$GITHUB_OUTPUT"

# We have to walk through the vulnerabilities since trivy does not support outputting the results as Markdown
- name: Create Markdown Content
id: create-markdown
run: |
set -x
title="Vulnerabilities found for ${{ steps.simplify-image-name.outputs.img_name }}"
echo "## $title" > issue.md
echo "| ID | Target | Severity | Package |" >> issue.md
echo "| -- | ----- | -------- | ------- |" >> issue.md
echo '${{ needs.test-vulnerabilities.outputs.vulnerabilities }}' | jq -r '.[] | "| \(.VulnerabilityID) | /\(.Target) | \(.Severity) | \(.PkgName) |"' >> issue.md
echo -e "\nDetails: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" >> issue.md
num_vulns=$(echo '${{ needs.test-vulnerabilities.outputs.vulnerabilities }}' | jq -r 'length')
echo "issue-title=$title" >> "$GITHUB_OUTPUT"
echo "issue-body-file=issue.md" >> "$GITHUB_OUTPUT"
echo "vulnerability-exists=$([[ $num_vulns -gt 0 ]] && echo 'true' || echo 'false')" >> "$GITHUB_OUTPUT"

- id: issue-exists
run: |
issue_number=$(gh issue list --repo ${{ steps.get-image-repo.outputs.img-repo }} --json "number,title" \
| jq -r '.[] | select(.title == "${{ steps.create-markdown.outputs.issue-title }}") | .number')
echo "issue-exists=$([[ -n "$issue_number" ]] && echo 'true' || echo 'false')" >> "$GITHUB_OUTPUT"
echo "issue-number=$issue_number" >> "$GITHUB_OUTPUT"


# Truth table for issue creation
# | issue-exists | notify | vulnerability-exists | op |
# |--------------|--------|----------------------|--------|
# | T | T | T | update |
# | T | T | F | never |
# | T | F | T | nop |
# | T | F | F | close |
# | F | T | T | create |
# | F | T | F | never |
# | F | F | T | create |
# | F | F | F | nop |

- name: Notify via GitHub issue
if: ${{ steps.create-markdown.outputs.vulnerability-exists == 'true' }}
run: |
set -x
op=nop
if [[ ${{ steps.issue-exists.outputs.issue-exists }} == 'false' ]]; then
op="create"
elif [[ ${{ steps.issue-exists.outputs.issue-exists }} == 'true' \
&& ${{ needs.test-vulnerabilities.outputs.notify }} == 'true' ]]; then
op="edit ${{ steps.issue-exists.outputs.issue-number }}"
fi
if [[ $op != 'nop' ]]; then
gh issue $op --repo ${{ steps.get-image-repo.outputs.img-repo }} \
--title "Vulnerabilities found for ${{ steps.simplify-image-name.outputs.img_name }}" \
--body-file "${{ steps.create-markdown.outputs.issue-body-file }}"
fi

- name: Close issue
if: ${{ needs.test-vulnerabilities.result == 'success' && steps.issue-exists.outputs.issue-exists == 'true' && steps.create-markdown.outputs.vulnerability-exists == 'false' }}
run: |
gh issue close ${{ steps.issue-exists.outputs.issue-number }} --repo ${{ steps.get-image-repo.outputs.img-repo }}
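Review bot: the removed job's `if:` carried `github.event_name != 'pull_request'` and its "Close issue" step was guarded by `needs.test-vulnerabilities.result == 'success'`; neither condition survives in the copy added to Continuous-Testing.yaml in this PR. If dropping the pull_request guard is intentional because the continuous-testing workflow is never triggered by pull requests, say so in the PR description; the `result == 'success'` guard should be carried over, since it is what stops a failed scan from being read as "no vulnerabilities" and closing the tracking issue.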
14 changes: 7 additions & 7 deletions oci/mock-rock/_releases.json
Expand Up @@ -35,31 +35,31 @@
"1.1-22.04": {
"end-of-life": "2030-05-01T00:00:00Z",
"candidate": {
"target": "803"
"target": "817"
},
"beta": {
"target": "803"
"target": "817"
},
"edge": {
"target": "803"
"target": "817"
}
},
"1-22.04": {
"end-of-life": "2030-05-01T00:00:00Z",
"candidate": {
"target": "803"
"target": "817"
},
"beta": {
"target": "803"
"target": "817"
},
"edge": {
"target": "803"
"target": "817"
}
},
"1.2-22.04": {
"end-of-life": "2030-05-01T00:00:00Z",
"beta": {
"target": "804"
"target": "818"
},
"edge": {
"target": "1.2-22.04_beta"
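Review bot: the mock-rock revision bumps (`803` to `817` for 1.1-22.04 and 1-22.04, `804` to `818` for the 1.2-22.04 beta channel) are unrelated to moving issue creation into the continuous-testing workflow; if an automated release step produced them while this change was being tested, either revert them or split them into their own commit with a note confirming that revisions 817 and 818 exist in the registry, so the history records why the channels moved.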