|
17 | 17 | CR_PAT: |
18 | 18 | required: true |
19 | 19 | SLACK_SECURITY_WEBHOOK_URL: |
20 | | - required: true |
| 20 | + required: false |
21 | 21 |
|
22 | | -env: |
23 | | - TERM: dumb |
24 | 22 | jobs: |
25 | | - docker: |
26 | | - runs-on: ubuntu-latest |
27 | | - |
28 | | - env: |
29 | | - GH_TOKEN: ${{ secrets.CR_PAT }} |
30 | | - |
31 | | - steps: |
32 | | - # This first checkout is needed to use `ci/vuln-check/*` |
33 | | - - uses: actions/checkout@v4 |
34 | | - |
35 | | - - id: prepare-target-ref |
36 | | - name: Prepare target-ref |
37 | | - run: | |
38 | | - # Find the latest release name if `find-latest-release` is set to true. Use the value of `target-ref` as is otherwise. |
39 | | - if [[ ${{ inputs.find-latest-release }} = 'true' ]]; then |
40 | | - releases=$(ci/vuln-check/fetch_gh_releases "${{ github.event.repository.owner.login }}" "${{ github.event.repository.name }}") |
41 | | - echo ------------- |
42 | | - echo "releases: $releases" |
43 | | - echo ------------- |
44 | | - target_release='' |
45 | | - if [[ -n $releases ]]; then |
46 | | - target_release=$(ci/vuln-check/find_latest_release "${{ inputs.target-ref }}" $releases) |
47 | | - fi |
48 | | - if [[ -z $target_release ]]; then |
49 | | - echo "Can't find a target release" |
50 | | - exit 1 |
51 | | - fi |
52 | | - echo $target_release |
53 | | - echo "target-ref=$target_release" >> $GITHUB_OUTPUT |
54 | | - else |
55 | | - echo "target-ref=${{ inputs.target-ref }}" >> $GITHUB_OUTPUT |
56 | | - fi |
57 | | -
|
58 | | - - uses: actions/checkout@v4 |
59 | | - with: |
60 | | - ref: ${{ steps.prepare-target-ref.outputs.target-ref }} |
61 | | - |
62 | | - - name: Set up JDK 8 |
63 | | - uses: actions/setup-java@v4 |
64 | | - with: |
65 | | - java-version: '8' |
66 | | - distribution: 'temurin' |
67 | | - |
68 | | - - name: Login to GitHub Container Registry |
69 | | - if: always() |
70 | | - uses: docker/login-action@v3 |
71 | | - with: |
72 | | - registry: ghcr.io |
73 | | - username: ${{ github.repository_owner }} |
74 | | - password: ${{ secrets.CR_PAT }} |
75 | | - |
76 | | - - name: Setup Gradle |
77 | | - uses: gradle/actions/setup-gradle@v4 |
78 | | - |
79 | | - - name: Docker build |
80 | | - if: always() |
81 | | - run: ./gradlew docker |
82 | | - |
83 | | - - name: Set version |
84 | | - if: always() |
85 | | - id: version |
86 | | - run: | |
87 | | - VERSION=$(./gradlew :core:properties -q | grep "version:" | awk '{print $2}') |
88 | | - echo "version=${VERSION}" >> $GITHUB_OUTPUT |
89 | | -
|
90 | | - - name: Run Trivy vulnerability scanner for ScalarDB Schema Loader |
91 | | - if: always() |
92 | | - uses: aquasecurity/trivy-action@master |
93 | | - with: |
94 | | - image-ref: ghcr.io/scalar-labs/scalardb-schema-loader:${{ steps.version.outputs.version }} |
95 | | - format: 'table' |
96 | | - exit-code: '1' |
97 | | - ignore-unfixed: true |
98 | | - severity: 'CRITICAL,HIGH' |
99 | | - timeout: '60m' |
100 | | - |
101 | | - - name: Post Trivy vulnerability check failure for ScalarDB Schema Loader to Slack |
102 | | - if: failure() |
103 | | - |
104 | | - with: |
105 | | - payload: | |
106 | | - { |
107 | | - "blocks": [ |
108 | | - { |
109 | | - "type": "section", |
110 | | - "text": { |
111 | | - "type": "mrkdwn", |
112 | | - "text": ":octagonal_sign: The vulnerability check for ScalarDB Schema Loader on `${{ github.repository }}` <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|failed> with `${{ steps.prepare-target-ref.outputs.target-ref }}`" |
113 | | - } |
114 | | - } |
115 | | - ] |
116 | | - } |
117 | | - env: |
118 | | - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_SECURITY_WEBHOOK_URL }} |
119 | | - SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK |
| 23 | + call-vuln-check: |
| 24 | + uses: scalar-labs/actions/.github/workflows/vuln-check-reusable.yaml@main |
| 25 | + with: |
| 26 | + target-ref: ${{ inputs.target-ref }} |
| 27 | + find-latest-release: ${{ inputs.find-latest-release }} |
| 28 | + images: '[["ScalarDB Schema Loader", "scalardb-schema-loader"]]' |
| 29 | + version-command: "./gradlew :core:properties -q | grep version: | awk '{print $2}'" |
| 30 | + secrets: |
| 31 | + CR_PAT: ${{ secrets.CR_PAT }} |
| 32 | + SLACK_SECURITY_WEBHOOK_URL: ${{ secrets.SLACK_SECURITY_WEBHOOK_URL }} |
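Review bot: The new `uses:` line references the reusable workflow at the mutable ref `@main`, while the `secrets:` block below it forwards `CR_PAT` (used as the ghcr.io login password and `GH_TOKEN` in the removed steps) and the Slack webhook URL to whatever that branch resolves to at run time; pin it to an immutable ref so a change on `main` of `scalar-labs/actions` cannot silently alter what receives those secrets, e.g. `uses: scalar-labs/actions/.github/workflows/vuln-check-reusable.yaml@<full-commit-sha> # vX.Y.Z`. The same hunk downgrades `SLACK_SECURITY_WEBHOOK_URL` to `required: false` but passes it unconditionally, so this only works if the reusable workflow also declares that secret optional and tolerates an empty value — worth confirming, since I cannot see its definition here. The removed Trivy step carried the scan policy (`severity: 'CRITICAL,HIGH'`, `ignore-unfixed: true`, `exit-code: '1'`) that now lives in the reusable workflow with no override passed; a short comment above `call-vuln-check:` stating the expected policy, or an explicit input if one exists, would keep that contract visible to the next maintainer. The enclosing `on:`/`workflow_call` inputs block starts above this hunk.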