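---
# Watches a Chainguard Redis image for a new digest and, when the new build
# removes Critical/High CVEs relative to the previously recorded digest, opens
# (and pins) a triage issue in this repository.
name: Check for CVE fixes

on:  # yamllint disable-line rule:truthy
  # schedule:
  #   - cron: "*/60 * * * *"  # Every 60 minutes
  workflow_dispatch:  # Allows manual triggering

env:
  REDIS_IMAGE: "cgr.dev/cgr-demo.com/redis"
  REDIS_IMAGE_TAG: "latest"
  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GH_REPO: ${{ github.repository }}
  # Quoted on purpose: the shell steps compare these as the string "true".
  PINNED: "true"
  CLOSE_PREVIOUS: "true"

jobs:
  check-for-fixes:
    runs-on: ubuntu-latest
    # Least privilege: nothing in this job pushes packages. `gh issue` needs
    # issues:write, setup-chainctl needs the OIDC token (id-token:write), and
    # download-artifact needs actions:read when it reads another run's artifact.
    permissions:
      contents: read
      issues: write
      id-token: write
      actions: read
    # An explicit `shell: bash` runs with pipefail, so a failing `cosign verify`
    # or `chainctl images diff` is no longer masked by the `| jq` after it.
    defaults:
      run:
        shell: bash
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Install Cosign
        # Tag pins can be moved; a full commit SHA pin is the stronger choice.
        uses: sigstore/cosign-installer@v3.7.0

      - uses: chainguard-dev/setup-chainctl@v0.2.4
        with:
          identity: "4cf15780a13a9b6576d8b357e6524554c8c12a18/360614f2fd18f22d"

      - name: 'Auth to Registry'
        run: |
          chainctl auth configure-docker

      - name: 'Env Setup'
        # Plain shell variables are used instead of ${{ env.* }} interpolation
        # so values are never spliced into the script text.
        run: |
          echo "REDIS_IMAGE_FULL_REF=${REDIS_IMAGE}:${REDIS_IMAGE_TAG}" >> "$GITHUB_ENV"

      - name: 'Verify Redis Image Signature && pre-pull image'
        run: |
          # Pull first and verify the digest that was actually pulled, so the
          # tag cannot move between the signature check and the pull.
          docker pull "$REDIS_IMAGE_FULL_REF"
          PULLED_REF="$(docker inspect --format='{{index .RepoDigests 0}}' "$REDIS_IMAGE_FULL_REF")"
          cosign verify \
            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
            --certificate-identity=https://github.com/chainguard-images/images-private/.github/workflows/release.yaml@refs/heads/main \
            "$PULLED_REF" | jq

      - name: Get current image digest
        id: get_digest
        run: |
          # RepoDigests holds "<image>@sha256:..."; keep only the digest part,
          # because the diff step rebuilds "<image>@<digest>" itself.
          CURRENT_DIGEST="$(docker inspect --format='{{index .RepoDigests 0}}' "$REDIS_IMAGE_FULL_REF" | cut -d@ -f2)"
          echo "CURRENT_DIGEST=${CURRENT_DIGEST}" >> "$GITHUB_ENV"

      - name: Download previous digest
        id: download_previous_digest
        # download-artifact@v4 searches only the current run unless `run-id`
        # is given, and it fails when the artifact is missing; continue-on-error
        # keeps a first run (or a run with no earlier artifact) from aborting.
        # TODO(review): pass the previous run's id (e.g. looked up with
        # `gh run list`) if comparing across runs is the intent.
        continue-on-error: true
        uses: actions/download-artifact@v4
        with:
          name: redis-image-digest
          # `path` is the directory to extract into; the artifact holds digest.txt.
          path: .
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Compare digests
        id: compare_digests
        run: |
          if [ -f digest.txt ]; then
            PREVIOUS_DIGEST="$(cat digest.txt)"
          else
            PREVIOUS_DIGEST=""
          fi
          # Exported so the diff step can build the old image reference.
          echo "PREVIOUS_DIGEST=${PREVIOUS_DIGEST}" >> "$GITHUB_ENV"
          if [ "$PREVIOUS_DIGEST" != "$CURRENT_DIGEST" ]; then
            echo "DIGEST_CHANGED=true" >> "$GITHUB_ENV"
          else
            echo "DIGEST_CHANGED=false" >> "$GITHUB_ENV"
          fi

      - name: Run chainctl images diff
        # A first run has no previous digest to diff against; it only records one.
        if: env.DIGEST_CHANGED == 'true' && env.PREVIOUS_DIGEST != ''
        id: diff_vulnerabilities
        run: |
          OLD_IMAGE="${REDIS_IMAGE}@${PREVIOUS_DIGEST}"
          NEW_IMAGE="${REDIS_IMAGE}@${CURRENT_DIGEST}"
          # Ids of Critical/High CVEs removed between the two digests, one per
          # line. chainctl stderr is no longer discarded, and with pipefail a
          # chainctl failure fails this step instead of reading as "no fixes".
          DIFF_OUTPUT="$(chainctl images diff "$OLD_IMAGE" "$NEW_IMAGE" \
            | jq -r '.vulnerabilities.removed // [] | .[] | select(.severity == "Critical" or .severity == "High") | .id')"
          # A multi-line value must use the heredoc form of GITHUB_ENV.
          {
            echo "DIFF_OUTPUT<<EOF"
            echo "$DIFF_OUTPUT"
            echo "EOF"
          } >> "$GITHUB_ENV"
          if [ -n "$DIFF_OUTPUT" ]; then
            CVE_LIST="$(echo "$DIFF_OUTPUT" | tr '\n' ',' | sed 's/,$//')"
            echo "CVE_LIST=${CVE_LIST}" >> "$GITHUB_ENV"
            echo "FIX_CVE=true" >> "$GITHUB_ENV"
          else
            echo "FIX_CVE=false" >> "$GITHUB_ENV"
          fi

      - name: Create a CVE Triage issue
        if: env.FIX_CVE == 'true'
        run: |
          TITLE="$REDIS_IMAGE_FULL_REF has an available CVE Fix"
          # printf expands the newlines; a plain "\n" inside a double-quoted
          # bash string would end up in the issue body literally.
          BODY="$(printf '### Fixed CVEs\n\n%s\n' "$(echo "$DIFF_OUTPUT" | sed 's/^/- /')")"
          # `gh issue create --label` fails on labels that do not exist yet.
          IFS=',' read -r -a LABELS <<< "$CVE_LIST"
          for label in "${LABELS[@]}"; do
            gh label create "$label" --force
          done
          if [[ $CLOSE_PREVIOUS == true ]]; then
            previous_issue_number=$(gh issue list \
              --label "$CVE_LIST" \
              --json number \
              --jq '.[0].number')
            if [[ -n $previous_issue_number ]]; then
              gh issue close "$previous_issue_number"
              # The previous issue was only pinned if PINNED was set at the time.
              gh issue unpin "$previous_issue_number" || true
            fi
          fi
          new_issue_url=$(gh issue create \
            --title "$TITLE" \
            --label "$CVE_LIST" \
            --body "$BODY")
          if [[ $PINNED == true ]]; then
            gh issue pin "$new_issue_url"
          fi

      # Recorded last, so a failed diff or issue step leaves the old digest in
      # place and the change is picked up again on the next run.
      - name: Save current digest
        if: env.DIGEST_CHANGED == 'true'
        run: echo "${CURRENT_DIGEST}" > digest.txt

      - name: Upload current digest as artifact
        if: env.DIGEST_CHANGED == 'true'
        uses: actions/upload-artifact@v4
        with:
          name: redis-image-digest
          path: digest.txt
          github-token: ${{ secrets.GITHUB_TOKEN }}

      # - name: Trigger release workflow
      #   if: env.FIX_CVE == 'true'
      #   uses: github.actions@v3
      #   with:
      #     workflow: release.yml
      #     ref: main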