
fix: boolean conditioning
zhijie-yang committed Nov 22, 2024
1 parent aca9bfe commit ebad923
Showing 2 changed files with 20 additions and 9 deletions.
3 changes: 2 additions & 1 deletion .github/workflows/Continuous-Testing.yaml
Expand Up @@ -37,9 +37,10 @@ jobs:
strategy:
fail-fast: false
matrix: ${{ fromJSON(needs.prepare-test-matrix.outputs.released-revisions-matrix) }}
uses: canonical/oci-factory/.github/workflows/Vulnerability-Scan.yaml@main
uses: ./.github/workflows/Vulnerability-Scan.yaml
with:
oci-image-name: "${{ matrix.source-image }}"
oci-image-path: "oci/${{ matrix.name }}"
date-last-scan: ${{ needs.prepare-test-matrix.outputs.last-scan }}
is-from-release: 'true'
secrets: inherit
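Review bot: The new `is-from-release: 'true'` passes a quoted string, which is only valid if the reusable workflow declares that input as `type: string`; a `type: boolean` input rejects a string value when the workflow is validated, and the callee's `== 'true'` comparisons would then be unnecessary, so the input declaration in Vulnerability-Scan.yaml (not in view) should be checked against this call site. For consistency with the neighbouring `with:` values, `date-last-scan` is the only unquoted expression; `date-last-scan: "${{ needs.prepare-test-matrix.outputs.last-scan }}"` would match the surrounding style. Switching `uses:` from the `@main` remote reference to the in-repo path means the scan workflow version is now tied to the checked-out commit, which is the intended pinning here. The enclosing job definition starts above the hunk.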
26 changes: 18 additions & 8 deletions .github/workflows/Vulnerability-Scan.yaml
Expand Up @@ -168,7 +168,7 @@ jobs:
name: Notify on failure
needs:
- test-vulnerabilities
if: ${{ !cancelled() && needs.test-vulnerabilities.outputs.notify }}
if: ${{ !cancelled() && needs.test-vulnerabilities.outputs.notify == 'true'}}
steps:
- uses: actions/checkout@v4

Expand Down Expand Up @@ -222,6 +222,7 @@ jobs:
img_revision=$(echo "${img_name_with_tag}" | cut -d '_' -f 2)
echo "img_name=$img_name" >> "$GITHUB_OUTPUT"
echo "img_revision=$img_revision" >> "$GITHUB_OUTPUT"
echo "img_name_with_tag=$img_name_with_tag" >> "$GITHUB_OUTPUT"
# We assume that the sources within image.yaml are the same
- name: Get image repo
Expand All @@ -236,8 +237,9 @@ jobs:
run: |
set -x
num_vulns=$(echo '${{ needs.test-vulnerabilities.outputs.vulnerabilities }}' | jq -r 'length')
echo "vulnerability-exists=$([[ $num_vulns -gt 0 ]] && echo 'true' || echo 'false')" >> "$GITHUB_OUTPUT"
if [[ $vulnerability-exists == 'false' ]]; then
vulnerability_exists=$([[ $num_vulns -gt 0 ]] && echo 'true' || echo 'false')
echo "vulnerability-exists=$vulnerability_exists" >> "$GITHUB_OUTPUT"
if [[ $vulnerability_exists == 'true' ]]; then
title="Vulnerabilities found for ${{ steps.simplify-image-name.outputs.img_name_with_tag }}"
echo "## $title" > issue.md
echo "| ID | Target | Severity | Package |" >> issue.md
Expand All @@ -254,15 +256,23 @@ jobs:
echo "issue-body-file=issue.md" >> "$GITHUB_OUTPUT"
fi
- name: Debug messages
run: |
set -x
echo ${{ inputs.is-from-release }}
echo ${{ inputs.is-from-release == 'false' }}
echo ${{ steps.create-markdown.outputs.vulnerability-exists }}
echo ${{ steps.create-markdown.outputs.vulnerability-exists == 'true' }}
- name: Write to summary
if: ${{ !inputs.is-from-release && steps.create-markdown.outputs.vulnerability-exists }}
if: ${{ inputs.is-from-release == 'false' && steps.create-markdown.outputs.vulnerability-exists == 'true' }}
run: |
img_name=$(echo ${{ steps.simplify-image-name.outputs.img_name_with_tag }} | sed -r 's|([a-zA-Z0-9-]+)_([0-9a-f]+)_([0-9a-z_-]+)_([0-9a-z.]+)|\1:\4@\2|')
img_name=$(echo ${{ inputs.oci-image-name }} | sed -r 's|([a-zA-Z0-9-]+)_([0-9a-f]+)_([0-9a-z_-]+)_([0-9a-z.]+)|\1:\4@\2|')
echo "# Vulnerabilities found for ${image_name}" >> $GITHUB_STEP_SUMMARY
cat ${{ steps.create-markdown.outputs.issue-body-file }} | tail -n +2 >> $GITHUB_STEP_SUMMARY
- id: issue-exists
if: ${{ inputs.is-from-release }}
if: ${{ inputs.is-from-release == 'true' }}
run: |
issue_number=$(gh issue list --repo ${{ steps.get-image-repo.outputs.img-repo }} --json "number,title" \
| jq -r '.[] | select(.title == "${{ steps.create-markdown.outputs.issue-title }}") | .number')
Expand All @@ -283,7 +293,7 @@ jobs:
# | F | F | F | nop |

- name: Notify via GitHub issue
if: ${{ steps.create-markdown.outputs.vulnerability-exists && inputs.is-from-release }}
if: ${{ steps.create-markdown.outputs.vulnerability-exists == 'true' && inputs.is-from-release == 'true' }}
run: |
set -x
op=nop
Expand All @@ -300,6 +310,6 @@ jobs:
fi
- name: Close issue
if: ${{ needs.test-vulnerabilities.result == 'success' && steps.issue-exists.outputs.issue-exists && !steps.create-markdown.outputs.vulnerability-exists == 'false' && inputs.is-from-release }}
if: ${{ needs.test-vulnerabilities.result == 'success' && steps.issue-exists.outputs.issue-exists == 'true' && steps.create-markdown.outputs.vulnerability-exists == 'false' && inputs.is-from-release == 'true'}}
run: |
gh issue close ${{ steps.issue-exists.outputs.issue-number }} --repo ${{ steps.get-image-repo.outputs.img-repo }}
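Review bot: In the rewritten `Write to summary` step the new line assigns `img_name`, but the following line interpolates `${image_name}`, so the summary heading is always written with an empty name; change it to `echo "# Vulnerabilities found for ${img_name}" >> $GITHUB_STEP_SUMMARY` (or rename the assignment). The string comparisons also change what happens when `inputs.is-from-release` is unset: the old `!inputs.is-from-release` treated an empty value as false and wrote the summary, whereas `== 'false'` and `== 'true'` both fail on an empty string, so neither the summary nor the issue path runs; if the input declaration (not in view) has no default, consider `default: 'false'` so the empty case is explicit. The `Debug messages` step that echoes inputs and step outputs reads as scaffolding that should not ship, and in the `run:` blocks that remain, the raw `${{ }}` expansions (for example `inputs.oci-image-name` feeding `sed`) would be safer passed through `env:` variables so that shell metacharacters in a value cannot alter the command. The enclosing job and its earlier steps start above the hunk.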
