
Check Floating Tags for CVE fixes #14


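name: Check for CVE fixes

# Compares the digest currently behind a floating image tag with the digest
# recorded by the previous successful run of this workflow. When the digest
# moved, `chainctl images diff` lists the Critical/High vulnerabilities the
# new image no longer carries and a triage issue is opened for them.
on:
  # schedule:
  #   - cron: "0 * * * *"  # hourly ("*/60" on the minute field is the same as "0")
  workflow_dispatch:  # allows manual triggering

env:
  REDIS_IMAGE: "cgr.dev/cgr-demo.com/redis"
  REDIS_IMAGE_TAG: "latest"
  # Repository context for `gh`. GH_TOKEN is set only on the steps that call
  # gh instead of being exported to every step (including third-party actions).
  GH_REPO: ${{ github.repository }}
  # Behaviour switches; compared as strings in the shell below.
  PINNED: "true"
  CLOSE_PREVIOUS: "true"

jobs:
  check-for-fixes:
    runs-on: ubuntu-latest
    # Least privilege for GITHUB_TOKEN: every scope not listed is "none".
    # No step pushes a package, so `packages` is not requested.
    permissions:
      contents: read   # actions/checkout
      id-token: write  # OIDC token for chainctl's assumed identity
      issues: write    # gh issue create/close/pin/unpin
      actions: read    # gh run list and downloading a previous run's artifact
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # The action tags below (v4, v3.7.0, v0.2.4) are mutable; pin to a full
      # commit SHA (`uses: owner/repo@<COMMIT_SHA>`) where the supply-chain
      # policy requires immutable references.
      - name: Install Cosign
        uses: sigstore/cosign-installer@v3.7.0

      - uses: chainguard-dev/setup-chainctl@v0.2.4
        with:
          identity: "4cf15780a13a9b6576d8b357e6524554c8c12a18/360614f2fd18f22d"

      - name: 'Auth to Registry'
        run: |
          chainctl auth configure-docker

      - name: 'ENV Setup'
        run: |
          echo "REDIS_IMAGE_FULL_REF=${REDIS_IMAGE}:${REDIS_IMAGE_TAG}" >> "$GITHUB_ENV"

      - name: 'Verify Redis Image Signature && pre-pull image'
        # The default `run` shell is `bash -eo pipefail`, so a failing
        # `cosign verify` fails the step even though its output is piped to jq.
        run: |
          cosign verify \
            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
            --certificate-identity=https://github.com/chainguard-images/images-private/.github/workflows/release.yaml@refs/heads/main \
            "$REDIS_IMAGE_FULL_REF" | jq
          docker pull "$REDIS_IMAGE_FULL_REF"

      - name: Get current image digest
        id: get_digest
        run: |
          # RepoDigests entries look like "<repo>@sha256:<hex>"; keep only the
          # "sha256:<hex>" part so it can be appended to REDIS_IMAGE later
          # (otherwise "<repo>@<repo>@sha256:..." would be built in the diff step).
          REPO_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "$REDIS_IMAGE_FULL_REF")
          echo "CURRENT_DIGEST=${REPO_DIGEST#*@}" >> "$GITHUB_ENV"

      - name: Find previous successful run
        id: previous_run
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # actions/download-artifact only sees the current run's artifacts
          # unless given a run-id, so look up the last successful run of this
          # workflow. Empty on the first run.
          RUN_ID=$(gh run list --workflow "$GITHUB_WORKFLOW" --status success \
            --limit 1 --json databaseId --jq '.[0].databaseId // empty')
          echo "run_id=${RUN_ID}" >> "$GITHUB_OUTPUT"

      - name: Download previous digest
        id: download_previous_digest
        if: steps.previous_run.outputs.run_id != ''
        continue-on-error: true  # the previous run may not have uploaded one
        uses: actions/download-artifact@v4
        with:
          name: redis-image-digest
          path: previous-digest  # `path` is a directory; digest.txt lands inside it
          run-id: ${{ steps.previous_run.outputs.run_id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Compare digests
        id: compare_digests
        run: |
          PREVIOUS_DIGEST=""
          if [ -f previous-digest/digest.txt ]; then
            PREVIOUS_DIGEST=$(cat previous-digest/digest.txt)
          fi
          # Exported so the diff step can build the old image reference.
          echo "PREVIOUS_DIGEST=${PREVIOUS_DIGEST}" >> "$GITHUB_ENV"
          if [ "$PREVIOUS_DIGEST" != "$CURRENT_DIGEST" ]; then
            echo "DIGEST_CHANGED=true" >> "$GITHUB_ENV"
          else
            echo "DIGEST_CHANGED=false" >> "$GITHUB_ENV"
          fi

      - name: Save current digest
        # Written on every run so the uploaded artifact always exists and
        # always reflects this run's digest.
        run: echo "$CURRENT_DIGEST" > digest.txt

      - name: Upload current digest as artifact
        uses: actions/upload-artifact@v4
        with:
          name: redis-image-digest
          path: digest.txt

      - name: Run chainctl images diff
        # Nothing to diff against on the first run (no previous digest).
        if: env.DIGEST_CHANGED == 'true' && env.PREVIOUS_DIGEST != ''
        id: diff_vulnerabilities
        run: |
          OLD_IMAGE="${REDIS_IMAGE}@${PREVIOUS_DIGEST}"
          NEW_IMAGE="${REDIS_IMAGE}@${CURRENT_DIGEST}"
          # stderr is left visible so a chainctl failure is diagnosable in the
          # log; `// []` keeps jq from failing when nothing was removed.
          DIFF_OUTPUT=$(chainctl images diff "$OLD_IMAGE" "$NEW_IMAGE" \
            | jq -r '(.vulnerabilities.removed // [])[] | select(.severity == "Critical" or .severity == "High") .id')
          # Multi-line values need the heredoc form of GITHUB_ENV; a plain
          # "NAME=value" line only carries the first CVE id.
          {
            echo "DIFF_OUTPUT<<__DIFF_OUTPUT_EOF__"
            echo "$DIFF_OUTPUT"
            echo "__DIFF_OUTPUT_EOF__"
          } >> "$GITHUB_ENV"
          if [ -n "$DIFF_OUTPUT" ]; then
            CVE_LIST=$(echo "$DIFF_OUTPUT" | tr '\n' ',' | sed 's/,$//')
            echo "CVE_LIST=${CVE_LIST}" >> "$GITHUB_ENV"
            echo "FIX_CVE=true" >> "$GITHUB_ENV"
          else
            echo "FIX_CVE=false" >> "$GITHUB_ENV"
          fi

      - name: Create a CVE Triage issue
        if: env.FIX_CVE == 'true'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          TITLE="$REDIS_IMAGE_FULL_REF has an available CVE Fix"
          # printf so the newlines are real (bash does not expand "\n" inside
          # double quotes) and each CVE id gets exactly one "- " bullet.
          BODY="$(printf '### Fixed CVEs\n\n%s\n' "$(printf '%s\n' "$DIFF_OUTPUT" | sed 's/^/- /')")"
          # NOTE(review): `--label` expects labels that already exist in the
          # repository; an unknown CVE-id label makes `gh issue create` fail.
          # The previous issue is only found when it carries the same label set.
          if [[ $CLOSE_PREVIOUS == true ]]; then
            previous_issue_number=$(gh issue list \
              --label "$CVE_LIST" \
              --json number \
              --jq '.[0].number // empty')
            if [[ -n $previous_issue_number ]]; then
              gh issue close "$previous_issue_number"
              gh issue unpin "$previous_issue_number"
            fi
          fi
          new_issue_url=$(gh issue create \
            --title "$TITLE" \
            --label "$CVE_LIST" \
            --body "$BODY")
          if [[ $PINNED == true ]]; then
            gh issue pin "$new_issue_url"
          fi

      # - name: Trigger release workflow
      #   if: env.FIX_CVE == 'true'
      #   uses: github.actions@v3
      #   with:
      #     workflow: release.yml
      #     ref: main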