updates #270

Workflow file for this run

.github/workflows/updates.yaml at 76bddb6

	name: updates

	on:
	schedule:
	- cron: "/60 * * *" # Every 60 minutes
	push:
	branches: [main]
	paths:
	- '.github/workflows/updates.yaml'
	- '.github/chainguard/updates.sts.yaml'
	workflow_dispatch: # Allows manual triggering

	env:
	REDIS_IMAGE: "cgr.dev/cgr-demo.com/redis-server-bitnami"

	jobs:
	check-for-fixes:
	runs-on: ubuntu-latest
	permissions:
	actions: read
	security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
	contents: read
	packages: write
	id-token: write
	steps:
	- name: Checkout repository
	uses: actions/checkout@v4
	with:
	ref: main

	- name: Setup Go environment
	uses: actions/setup-go@v5.1.0
	with:
	cache: false

	- uses: octo-sts/action@6177b4481c00308b3839969c3eca88c96a91775f # v1.0.0
	id: octo-sts
	with:
	scope: chainguard-dev/auto-deploy-demo
	identity: updates

	- name: Install Crane
	run: go install github.com/google/go-containerregistry/cmd/crane@latest

	- name: Install Grype
	run: \|
	curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh \| sh -s -- -b /usr/local/bin

	- name: Install Cosign
	uses: sigstore/cosign-installer@v3.7.0

	- uses: chainguard-dev/setup-chainctl@v0.2.4
	with:
	identity: "4cf15780a13a9b6576d8b357e6524554c8c12a18/a662f56b58103354"

	- name: 'Auth to Registry'
	run: \|
	chainctl auth configure-docker

	- name: Extract unique image.tag value
	id: extract_unique_tag
	run: \|
	CURRENT_UNIQUE_IMAGE=$(yq '.image.tag' helm/redis/values.yaml)
	echo "Extracted Unique Tags: $CURRENT_UNIQUE_IMAGE"
	echo "CURRENT_UNIQUE_TAG=$CURRENT_UNIQUE_IMAGE" >> $GITHUB_ENV

	- name: Get latest unique tag
	id: get_current_unique_tag
	run: \|
	LATEST_UNIQUE_TAG=$(crane ls ${{ env.REDIS_IMAGE }} \| grep -E '^[^ ]+-[0-9]{12}$' \| grep -v '^latest' \| grep -v '\-dev' \| sort -Vr \| head -n 1)
	echo "LATEST_UNIQUE_TAG=${LATEST_UNIQUE_TAG}" >> $GITHUB_ENV

	- name: Compare unique tags
	id: compare_unique_tags
	run: \|
	echo "CURRENT_UNIQUE_TAG=${{ env.CURRENT_UNIQUE_TAG }}"
	echo "LATEST_UNIQUE_TAG=${{ env.LATEST_UNIQUE_TAG }}"
	if [ "${{ env.CURRENT_UNIQUE_TAG }}" != "${{ env.LATEST_UNIQUE_TAG }}" ]; then
	echo "UNIQUE_TAGS_CHANGED=true" >> $GITHUB_ENV
	else
	echo "UNIQUE_TAGS_CHANGED=false" >> $GITHUB_ENV
	fi

	- name: Cosign Verify
	if: env.UNIQUE_TAGS_CHANGED == 'true'
	id: cosign-verify
	continue-on-error: false
	run: \|
	OLD_IMAGE="${{ env.REDIS_IMAGE }}:${{ env.CURRENT_UNIQUE_TAG }}"
	NEW_IMAGE="${{ env.REDIS_IMAGE }}:${{ env.LATEST_UNIQUE_TAG }}"

	cosign verify \
	--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
	--certificate-identity=https://github.com/chainguard-images/images-private/.github/workflows/release.yaml@refs/heads/main \
	$NEW_IMAGE \| jq

	echo "OLD_IMAGE=$OLD_IMAGE" >> $GITHUB_ENV
	echo "NEW_IMAGE=$NEW_IMAGE" >> $GITHUB_ENV

	- name: Run chainctl images diff
	if: env.UNIQUE_TAGS_CHANGED == 'true'
	id: diff_vulnerabilities
	run: \|

	CVE_LIST_JSON=$(chainctl images diff "${{ env.OLD_IMAGE }}" "${{ env.NEW_IMAGE }}" 2>/dev/null \| jq -c '[.vulnerabilities.removed[] \| select(.severity == "Critical" or .severity == "High") \| .id]')
	echo "CVE_LIST=$CVE_LIST_JSON" >> $GITHUB_ENV

	if [ -n "$CVE_LIST_JSON" ]; then
	echo "Found CVE fixes for the following CVES: $CVE_LIST_JSON"
	echo "FIX_CVE=true" >> $GITHUB_ENV
	else
	echo "No CVE fixes available"
	echo "FIX_CVE=false" >> $GITHUB_ENV
	fi

	- name: Scan New Image with Grype
	if: env.FIX_CVE == 'true'
	run: \|
	grype $NEW_IMAGE -o sarif > grype-results.sarif
	SARIF_SUMMARY=$(grype $NEW_IMAGE 2>&1 \| tee)
	echo "SARIF_SUMMARY=${SARIF_SUMMARY}" >> $GITHUB_ENV

	- name: Upload SARIF results
	if: env.FIX_CVE == 'true'
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: grype-results.sarif

	- name: Update Helm Values
	if: env.FIX_CVE == 'true'
	shell: bash
	run: yq -i ".image.tag = \"${{ env.LATEST_UNIQUE_TAG }}\"" helm/redis/values.yaml

	- name: Run git diff
	if: env.FIX_CVE == 'true'
	id: create_pr_update
	shell: bash
	run: \|
	git diff --stat
	echo "create_pr_update=false" >> $GITHUB_OUTPUT
	if [[ $(git diff --stat) != '' ]]; then
	echo "create_pr_update=true" >> $GITHUB_OUTPUT
	echo "diff<<EOF" >> "${GITHUB_OUTPUT}"
	git diff >> "${GITHUB_OUTPUT}"
	echo "EOF" >> "${GITHUB_OUTPUT}"
	fi

	- uses: chainguard-dev/actions/setup-gitsign@57cb0b7560d9b9b081c15ac5ef689f73f4dda03e # main branch as of 2024-08-02

	- name: Delete existing branch and PR
	if: env.FIX_CVE == 'true'
	env:
	GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
	run: \|
	PR_NUMBER=$(gh pr list --head "apply-cve-fix" --json number --jq '.[0].number')
	if [ -n "$PR_NUMBER" ]; then
	echo "Closing PR #$PR_NUMBER"
	gh pr close "$PR_NUMBER" --delete-branch
	else
	echo "No PR found for branch 'apply-cve-fix'"
	fi

	- name: Create Pull Request
	if: env.FIX_CVE == 'true'
	uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
	id: pull_request
	with:
	token: ${{ steps.octo-sts.outputs.token }}
	commit-message: 'Update images digests'
	title: 'Apply CVE Fix'
	body: \|
	<details>
	<summary>Grype Scan Summary after updating to ${{ env.LATEST_UNIQUE_TAG }}</summary>

	```json
	${{ env.SARIF_SUMMARY }}
	```
	</details>

	## Changes
	<details>
	<summary>File Changes</summary>

	```diff
	${{ steps.create_pr_update.outputs.diff }}
	```
	</details>
	labels: automated pr, cve, patch
	branch: 'apply-cve-fix'
	committer: 'github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>'
	author: '${{ github.actor }} <${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com>'
	delete-branch: true

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

updates #270

Workflow file

updates #270

Jobs

Run details

Workflow file for this run