feat: add from-release and summary

canonical · Nov 21, 2024 · 8ec8a29 · 8ec8a29
1 parent 3694421
commit 8ec8a29
Showing 1 changed file with 33 additions and 16 deletions.
diff --git a/.github/workflows/Vulnerability-Scan.yaml b/.github/workflows/Vulnerability-Scan.yaml
@@ -27,6 +27,11 @@ on:
         required: false
         type: string
         default: '9999-12-31T23:59:59'
+      is-from-release:
+        description: 'If the image is from a release, we create issues when vulnerabilities are found'
+        required: false
+        type: boolean
+        default: false
 
 env:
   TEST_IMAGE_NAME: 'test-img'
@@ -163,7 +168,7 @@ jobs:
     name: Notify on failure
     needs:
       - test-vulnerabilities
-    if: ${{ !cancelled() && needs.test-vulnerabilities.outputs.notify == 'true' }}
+    if: ${{ !cancelled() && needs.test-vulnerabilities.outputs.notify }}
     steps:
       - uses: actions/checkout@v4
 
@@ -226,26 +231,38 @@ jobs:
           echo "img-repo=$img_repo" >> "$GITHUB_OUTPUT"
 
       # We have to walk through the vulnerabilities since trivy does not support outputting the results as Markdown
-      - name: Create Markdown Content
+      - name: Create markdown content
         id: create-markdown
         run: |
           set -x
-          title="Vulnerabilities found for ${{ steps.simplify-image-name.outputs.img_name_with_tag }}"
-          revision_to_released_tags=$(python3 -m src.shared.release_info get_revision_to_released_tags --all-releases ${{ inputs.oci-image-path }}/_releases.json)
-          affected_tracks=$(echo "${revision_to_released_tags}" | jq -r '."${{ steps.simplify-image-name.outputs.img_revision }}" | map("- `\(.)`") | join("\n")')
-          echo "## $title" > issue.md
-          echo "| ID | Target | Severity | Package |" >> issue.md
-          echo "| -- | ----- | -------- | ------- |" >> issue.md
-          echo '${{ needs.test-vulnerabilities.outputs.vulnerabilities }}' | jq -r '.[] | "| \(.VulnerabilityID) | /\(.Target) | \(.Severity) | \(.PkgName) |"\n' >> issue.md
-          echo -e "Affected tracks:\n" >> issue.md
-          echo -e "${affected_tracks}\n" >> issue.md
-          echo -e "Details: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" >> issue.md
           num_vulns=$(echo '${{ needs.test-vulnerabilities.outputs.vulnerabilities }}' | jq -r 'length')
-          echo "issue-title=$title" >> "$GITHUB_OUTPUT"
-          echo "issue-body-file=issue.md" >> "$GITHUB_OUTPUT"
           echo "vulnerability-exists=$([[ $num_vulns -gt 0 ]] && echo 'true' || echo 'false')" >> "$GITHUB_OUTPUT"
+          if [[ $vulnerability-exists == 'false' ]]; then
+            title="Vulnerabilities found for ${{ steps.simplify-image-name.outputs.img_name_with_tag }}"
+            echo "## $title" > issue.md
+            echo "| ID | Target | Severity | Package |" >> issue.md
+            echo "| -- | ----- | -------- | ------- |" >> issue.md
+            echo '${{ needs.test-vulnerabilities.outputs.vulnerabilities }}' | jq -r '.[] | "| \(.VulnerabilityID) | /\(.Target) | \(.Severity) | \(.PkgName) |"' >> issue.md
+            if [[ ${{ inputs.is-from-release }} == 'true' ]]; then
+              revision_to_released_tags=$(python3 -m src.shared.release_info get_revision_to_released_tags --all-releases ${{ inputs.oci-image-path }}/_releases.json)
+              affected_tracks=$(echo "${revision_to_released_tags}" | jq -r '."${{ steps.simplify-image-name.outputs.img_revision }}" | map("- `\(.)`") | join("\n")')
+              echo -e "Affected tracks:" >> issue.md
+              echo -e "${affected_tracks}" >> issue.md
+              echo -e "Details: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" >> issue.md
+            fi
+            echo "issue-title=$title" >> "$GITHUB_OUTPUT"
+            echo "issue-body-file=issue.md" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Write to summary
+        if: ${{ !inputs.is-from-release && steps.create-markdown.outputs.vulnerability-exists }}
+        run: |
+          img_name=$(echo ${{ steps.simplify-image-name.outputs.img_name_with_tag }} | sed -r 's|([a-zA-Z0-9-]+)_([0-9a-f]+)_([0-9a-z_-]+)_([0-9a-z.]+)|\1:\4@\2|')
+          echo "# Vulnerabilities found for ${image_name}" >> $GITHUB_STEP_SUMMARY
+          cat ${{ steps.create-markdown.outputs.issue-body-file }} | tail -n +2 >> $GITHUB_STEP_SUMMARY
 
       - id: issue-exists
+        if: ${{ inputs.is-from-release }}
         run: |
           issue_number=$(gh issue list --repo ${{ steps.get-image-repo.outputs.img-repo }} --json "number,title" \
                   | jq -r '.[] | select(.title == "${{ steps.create-markdown.outputs.issue-title }}") | .number')
@@ -266,7 +283,7 @@ jobs:
       # |      F       |   F    |          F           |   nop  |
 
       - name: Notify via GitHub issue
-        if: ${{ steps.create-markdown.outputs.vulnerability-exists == 'true' }}
+        if: ${{ steps.create-markdown.outputs.vulnerability-exists && inputs.is-from-release }}
         run: |
           set -x
           op=nop
@@ -283,6 +300,6 @@ jobs:
           fi
 
       - name: Close issue
-        if: ${{ needs.test-vulnerabilities.result == 'success' && steps.issue-exists.outputs.issue-exists == 'true' && steps.create-markdown.outputs.vulnerability-exists == 'false' }}
+        if: ${{ needs.test-vulnerabilities.result == 'success' && steps.issue-exists.outputs.issue-exists && !steps.create-markdown.outputs.vulnerability-exists == 'false' && inputs.is-from-release }}
         run: |
           gh issue close ${{ steps.issue-exists.outputs.issue-number }} --repo ${{ steps.get-image-repo.outputs.img-repo }}