Skip to content

Update notebook image security reports #1

Update notebook image security reports

Update notebook image security reports #1

Workflow file for this run

---
# The aim of this GitHub workflow is to update the `ci/securitty-scan/security_scan_results.md` with latest security scan results.
name: Update notebook image security reports
on: # yamllint disable-line rule:truthy
workflow_dispatch:
inputs:
branch:
required: true
description: "Provide the name of the branch you want to update ex main, vYYYYx etc: "
schedule:
- cron: "0 0 */21 * 5" # Scheduled every third Friday
env:
SEC_SCAN_BRANCH: sec-scan-${{ github.run_id }}
BRANCH_NAME: main
RELEASE_VERSION_N: 2023b
RELEASE_VERSION_N_1: 2023a
jobs:
initialize:
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- name: Install Skopeo CLI
shell: bash
run: |
sudo apt-get -y update
sudo apt-get -y install skopeo
# Checkout the branch
- name: Checkout branch
uses: actions/checkout@v3
with:
ref: ${{ env.BRANCH_NAME }}
# Create a new branch
- name: Create a new branch
run: |
echo ${{ env.SEC_SCAN_BRANCH }}
git checkout -b ${{ env.SEC_SCAN_BRANCH }}
git push --set-upstream origin ${{ env.SEC_SCAN_BRANCH }}
check-vulnerabilities:
needs: [initialize]
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- name: Configure Git
run: |
git config --global user.email "github-actions[bot]@users.noreply.github.com"
git config --global user.name "GitHub Actions"
# Get the latest weekly build commit hash: https://github.com/opendatahub-io/notebooks/commits/2023b
- name: Checkout upstream notebooks repo
uses: actions/checkout@v3
with:
repository: opendatahub-io/notebooks.git
ref: ${{ env.RELEASE_VERSION_N }}
- name: Retrieve latest weekly commit hash from the "N" branch
id: hash-n
shell: bash
run: |
echo "HASH_N=$(git rev-parse --short HEAD)" >> ${GITHUB_OUTPUT}
- name: Checkout "N - 1" branch
uses: actions/checkout@v3
with:
repository: opendatahub-io/notebooks.git
ref: ${{ env.RELEASE_VERSION_N_1 }}
- name: Retrieve latest weekly commit hash from the "N - 1" branch
id: hash-n-1
shell: bash
run: |
echo "HASH_N_1=$(git rev-parse --short HEAD)" >> ${GITHUB_OUTPUT}
- name: Checkout "main" branch
uses: actions/checkout@v3
with:
repository: opendatahub-io/notebooks.git
ref: main
- name: Retrieve latest weekly commit hash from the "main" branch
id: hash-main
shell: bash
run: |
echo "LATEST_MAIN_COMMIT=$(git rev-parse --short HEAD)" >> ${GITHUB_OUTPUT}
# Checkout the release branch to apply the updates
- name: Checkout release branch
uses: actions/checkout@v3
with:
ref: ${{ env.SEC_SCAN_BRANCH }}
- name: setup python
uses: actions/setup-python@v4
with:
python-version: '3.10' # install the python version needed
- name: install python packages
run: |
python -m pip install --upgrade pip
pip install requests
- name: execute py script # run trial.py
env:
HASH_N: ${{ steps.hash-n.outputs.HASH_N }}
RELEASE_VERSION_N: ${{ env.RELEASE_VERSION_N }}
HASH_N_1: ${{ steps.hash-n-1.outputs.HASH_N_1 }}
RELEASE_VERSION_N_1: ${{ env.RELEASE_VERSION_N_1 }}
LATEST_MAIN_COMMIT: ${{ steps.hash-main.outputs.LATEST_MAIN_COMMIT }}
run: make scan-image-vulnerabilities
- name: Push the files
run: |
git fetch origin ${{ env.SEC_SCAN_BRANCH }} && git pull origin ${{ env.SEC_SCAN_BRANCH }} && git add . && git commit -m "Update security scans" && git push origin ${{ env.SEC_SCAN_BRANCH }}
# Creates the Pull Request
open-pull-request:
needs: [check-vulnerabilities]
runs-on: ubuntu-latest
permissions:
pull-requests: write
steps:
- name: Checkout repo
uses: actions/checkout@v3
- name: pull-request
uses: repo-sync/pull-request@v2
with:
source_branch: ${{ env.SEC_SCAN_BRANCH }}
destination_branch: ${{ env.BRANCH_NAME}}
github_token: ${{ secrets.GITHUB_TOKEN }}
pr_label: "automated pr"
pr_title: "[Security Scanner Action] Weekly update of security vulnerabilities reported by Quay"
pr_body: |
:rocket: This is an automated Pull Request.
This PR updates:
* `ci/security-scan/security_scan_results.md` file with the latest security vulnerabilities reported by Quay.
* `ci/security-scan/weekly_commit_ids` with the latest updated SHA digests of the notebooks (N & N-1)
Created by `/.github/workflows/sec-scan.yaml`
:exclamation: **IMPORTANT NOTE**: Remember to delete the ` ${{ env.SEC_SCAN_BRANCH }}` branch after merging the changes