From a6039f49cfceaa29170c3682a4882827674bd5ab Mon Sep 17 00:00:00 2001
From: saisatishkarra
Date: Fri, 16 Aug 2024 05:58:37 -0500
Subject: [PATCH 1/2] chore(ci): Ability to skip scan-images job during grype cdn failures

Add grype GH cache to reuse across jobs
Add GH timeout for scan-images job
---
 .github/workflows/release.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index fc3b3ac895f9..c5bcb4133a72 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -436,8 +436,12 @@ jobs:
     name: Scan Images - ${{ matrix.label }}
     needs: [metadata, build-images]
     runs-on: ubuntu-22.04
+    timeout-minutes: ${{ fromJSON(vars.GHA_DEFAULT_TIMEOUT) }}
+    # Use DISABLE_SCA_SCAN to completely disable the scan in case of emergency purposes and revert it back when notified.
+    vars.DISABLE_SCA_SCAN == 'false'
     if: |-
       always()
+      && vars.DISABLE_SCA_SCAN == 'false'
       && fromJSON(needs.metadata.outputs.matrix)['scan-vulnerabilities'] != ''
       && needs.build-images.result == 'success'
       && (github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]'))
@@ -488,6 +492,16 @@ jobs:
         asset_prefix: kong-${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}-linux-amd64
         image: ${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}
 
+    - name: Cache Grype DB
+      id: cache-grype
+      uses: actions/cache@v3
+      env:
+        cache-name: cache-grype-db
+      with:
+        # Grype cache files are stored in `~/.cache/grype/db` on Linux/macOS
+        path: ~/.cache/grype/db
+        key: ${{ env.cache-name }}
+
     - name: Scan ARM64 Image digest
       if: steps.image_manifest_metadata.outputs.manifest_list_exists == 'true' && steps.image_manifest_metadata.outputs.arm64_sha != ''
       id: sbom_action_arm64

From 7423df92e46c1c0f1146f2a58fb2bf494ee9cff2 Mon Sep 17 00:00:00 2001
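Review bot: The new guard `&& vars.DISABLE_SCA_SCAN == 'false'` fails open: in any repository or fork where the variable was never defined, `vars.DISABLE_SCA_SCAN` expands to an empty string, `'' == 'false'` is false, and the scan job is silently skipped, while whether any downstream release job notices a skipped scan is not visible in this hunk. Inverting the test to `&& vars.DISABLE_SCA_SCAN != 'true'` keeps scanning as the default and makes the emergency switch an explicit opt-out, which is what the added comment describes. The same unset-variable case applies to `timeout-minutes: ${{ fromJSON(vars.GHA_DEFAULT_TIMEOUT) }}`, where an empty value presumably yields an invalid timeout rather than a default; a fallback such as `timeout-minutes: ${{ fromJSON(vars.GHA_DEFAULT_TIMEOUT || '60') }}` would be safer, though I have not verified how fromJSON treats an empty string. The stray `vars.DISABLE_SCA_SCAN == 'false'` line added as a bare job key is removed by the following patch in this series.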
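Review bot: The cache key `key: ${{ env.cache-name }}` resolves to the constant `cache-grype-db`, and `actions/cache` never overwrites an entry whose key already exists, so the vulnerability DB saved by the first run would be restored unchanged by every later run; unless grype's own auto-update still fetches a newer DB on top of the restored copy, the release-gate scan would progressively miss newly published CVEs. A per-run key with a prefix fallback, e.g. `key: grype-db-${{ github.run_id }}` plus `restore-keys: grype-db-`, saves a fresh entry each run while still offering a warm copy during a CDN outage. The step is also placed between the AMD64 and ARM64 scan steps, so the first scan runs before the DB is restored; it belongs before the first scan step. The following patch in this series drops the step rather than re-keying it.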
From: saisatishkarra
Date: Fri, 16 Aug 2024 06:42:51 -0500
Subject: [PATCH 2/2] fix cache for first sca scan

Signed-off-by: saisatishkarra
---
 .github/workflows/release.yml | 16 ++--------------
 1 file changed, 2 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c5bcb4133a72..02252a89018a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -437,8 +437,6 @@ jobs:
     needs: [metadata, build-images]
     runs-on: ubuntu-22.04
     timeout-minutes: ${{ fromJSON(vars.GHA_DEFAULT_TIMEOUT) }}
-    # Use DISABLE_SCA_SCAN to completely disable the scan in case of emergency purposes and revert it back when notified.
-    vars.DISABLE_SCA_SCAN == 'false'
     if: |-
       always()
       && vars.DISABLE_SCA_SCAN == 'false'
@@ -487,25 +485,15 @@ jobs:
     - name: Scan AMD64 Image digest
       id: sbom_action_amd64
       if: steps.image_manifest_metadata.outputs.amd64_sha != ''
-      uses: Kong/public-shared-actions/security-actions/scan-docker-image@v2
+      uses: Kong/public-shared-actions/security-actions/scan-docker-image@a2132654dffda2a5dd121bbd077a205b4cae8ec0
       with:
         asset_prefix: kong-${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}-linux-amd64
         image: ${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}
 
-    - name: Cache Grype DB
-      id: cache-grype
-      uses: actions/cache@v3
-      env:
-        cache-name: cache-grype-db
-      with:
-        # Grype cache files are stored in `~/.cache/grype/db` on Linux/macOS
-        path: ~/.cache/grype/db
-        key: ${{ env.cache-name }}
-
     - name: Scan ARM64 Image digest
       if: steps.image_manifest_metadata.outputs.manifest_list_exists == 'true' && steps.image_manifest_metadata.outputs.arm64_sha != ''
       id: sbom_action_arm64
-      uses: Kong/public-shared-actions/security-actions/scan-docker-image@v2
+      uses: Kong/public-shared-actions/security-actions/scan-docker-image@a2132654dffda2a5dd121bbd077a205b4cae8ec0
       with:
         asset_prefix: kong-${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}-linux-arm64
         image: ${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}
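Review bot: The two new `uses:` lines pin `scan-docker-image` to a full commit SHA, which is the right choice for an action that gates a release, but the pin carries no version marker, so a reader cannot tell which release `a2132654…` corresponds to and Dependabot/Renovate cannot flag it when it falls behind; the usual form is a trailing comment, `uses: Kong/public-shared-actions/security-actions/scan-docker-image@a2132654dffda2a5dd121bbd077a205b4cae8ec0 # v2.x.y`, with the real tag filled in. Separately, both steps are guarded on a resolved digest (`steps.image_manifest_metadata.outputs.amd64_sha` / `arm64_sha`) yet pass the scanner the mutable `image:` tag rather than that digest, leaving a window in which the tag could be re-pushed between resolution and scan. If the action accepts digest references, `image: ${{ needs.metadata.outputs.prerelease-docker-repository }}@${{ steps.image_manifest_metadata.outputs.amd64_sha }}` (assuming the output carries the `sha256:` prefix) would tie the scan to the exact bytes resolved, though how the action interprets its `image` input is not visible here.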