Skip to content
Check Unique Tags for CVE fixes

updates #24

Sign in to view logs

updates

updates #24

Workflow file for this run

.github/workflows/updates.yaml at d1e0b0e
name: Check Unique Tags for CVE fixes
on:
schedule:
- cron: "*/60 * * * *" # Every 60 minutes
push:
branches: [main]
paths:
- '.github/workflows/check-unique-tags.yml'
- 'helm/redis/values.yaml'
workflow_dispatch: # Allows manual triggering
env:
REDIS_IMAGE: "cgr.dev/cgr-demo.com/redis-server-bitnami"
jobs:
check-for-fixes:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
ref: main
- name: Setup Go environment
uses: actions/setup-go@v5.1.0
- uses: octo-sts/action@6177b4481c00308b3839969c3eca88c96a91775f # v1.0.0
id: octo-sts
with:
scope: ${{ github.repository }}
identity: updates
- name: Install Crane
run: go install github.com/google/go-containerregistry/cmd/crane@latest
- name: Install Grype
run: |
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
- name: Install Cosign
uses: sigstore/cosign-installer@v3.7.0
- uses: chainguard-dev/setup-chainctl@v0.2.4
with:
identity: "4cf15780a13a9b6576d8b357e6524554c8c12a18/360614f2fd18f22d"
- name: 'Auth to Registry'
run: |
chainctl auth configure-docker
- name: Extract unique image.tag value
id: extract_unique_tag
run: |
CURRENT_UNIQUE_IMAGE=$(yq '.image.tag' helm/redis/values.yaml)
echo "Extracted Unique Tags: $CURRENT_UNIQUE_IMAGE"
echo "CURRENT_UNIQUE_TAG=$CURRENT_UNIQUE_IMAGE" >> $GITHUB_ENV
- name: Get latest unique tag
id: get_current_unique_tag
run: |
LATEST_UNIQUE_TAG=$(crane ls ${{ env.REDIS_IMAGE }} | grep -E '^[^ ]+-[0-9]{12}$' | grep -v '^latest' | grep -v '\-dev' | sort -Vr | head -n 1)
echo "LATEST_UNIQUE_TAG=${LATEST_UNIQUE_TAG}" >> $GITHUB_ENV
- name: Compare unique tags
id: compare_unique_tags
run: |
echo "CURRENT_UNIQUE_TAG=${{ env.CURRENT_UNIQUE_TAG }}"
echo "LATEST_UNIQUE_TAG=${{ env.LATEST_UNIQUE_TAG }}"
if [ "${{ env.CURRENT_UNIQUE_TAG }}" != "${{ env.LATEST_UNIQUE_TAG }}" ]; then
echo "UNIQUE_TAGS_CHANGED=true" >> $GITHUB_ENV
else
echo "UNIQUE_TAGS_CHANGED=false" >> $GITHUB_ENV
fi
- name: Run chainctl images diff
if: env.UNIQUE_TAGS_CHANGED == 'true'
id: diff_vulnerabilities
run: |
OLD_IMAGE="${{ env.REDIS_IMAGE }}:${{ env.CURRENT_UNIQUE_TAG }}"
NEW_IMAGE="${{ env.REDIS_IMAGE }}:${{ env.LATEST_UNIQUE_TAG }}"
CVE_LIST_JSON=$(chainctl images diff $OLD_IMAGE $NEW_IMAGE 2>/dev/null | jq -c '[.vulnerabilities.removed[] | select(.severity == "Critical" or .severity == "High") | .id]')
echo "CVE_LIST=$CVE_LIST_JSON" >> $GITHUB_ENV
if [ -n "$CVE_LIST_JSON" ]; then
echo "Found CVE fixes for the following CVES: $CVE_LIST_JSON"
echo "FIX_CVE=true" >> $GITHUB_ENV
else
echo "No CVE fixes available"
echo "FIX_CVE=false" >> $GITHUB_ENV
fi
- name: Create a new branch and commit changes
if: env.FIX_CVE == 'true'
env:
CI_COMMIT_MESSAGE: "Update Helm Redis Image Tag"
CI_COMMIT_AUTHOR: github-actions[bot]
token: ${{ steps.octo-sts.outputs.token }}
run: |
git config --global user.name "${{ env.CI_COMMIT_AUTHOR }}"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
git config --global push.autoSetupRemote true
BRANCH_NAME="update-helm-redis-image-tag"
git checkout -b $BRANCH_NAME
yq -i ".image.tag = \"${{ env.LATEST_UNIQUE_TAG }}\"" helm/redis/values.yaml
git add helm/redis/values.yaml
git commit -m "${{ env.CI_COMMIT_MESSAGE }}"
git push
gh pr create \
--title "Update Helm Redis Image Tag" \
--body "This PR remdiates CVEs: \"${{ env.CVE_LIST }}\"" \
--head "$BRANCH_NAME" \
--base "main" \
--label "CVE-fix"