chore(ci-snyk): Refactor Snyk workflows to avoid 'no disk space' issues for Snyk (#7002)

* Remove security scans for v1 and v2; v1 will be split into 2 files

* Add Snyk scans for python images

* Add Snyk scans for go images + Rclone

* Add Snyk scan for go.mod operator and executor, and the python package

Author: vtaskow

.github/workflows/security_code_tests_v1.yml

@@ -4,54 +4,53 @@ on:
   push:
     branches: [ master ]
   pull_request:
-    branches: [ master ]
+    # TODO remove release-1.19.0-prep before merge to master
+    branches:
+      - master
+      - release-1.19.0-prep
   workflow_dispatch:
 
 jobs:
   security-python:
     runs-on: ubuntu-latest
-    container: snyk/snyk:python-3.8
+    container: snyk/snyk:python-3.12-preview
     steps:
-    - uses: actions/checkout@v2
-    - name: security-python
-      env:
-        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-      run: |
-        pip install -e python/.
-        snyk test --file=python/setup.py --fail-on=upgradable --severity-threshold=high
+      - uses: actions/checkout@v4
+      - name: security-python
+        # NOTE: [all] installs tensorflow as well as an extra
+        run: |
+          pip install -e python/.[all]
+          snyk test --file=python/setup.py --fail-on=upgradable --severity-threshold=high
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 
   security-operator:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
-    - name: security-operator
-      # NOTE: We use the Snyk action (instead of the Snyk base image) so that
-      # it respects the Go version we use.
-      uses: snyk/actions/golang@master
-      with:
-        args: --fail-on=upgradable
-          --severity-threshold=high
-          --file=operator/go.mod
-      env:
-        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      - uses: actions/checkout@v4
+      - uses: snyk/actions/setup@master
+      - uses: actions/setup-go@v3
+        with:
+          go-version: '1.24.7'
+      - name: security-operator
+        run: snyk test --file=operator/go.mod --fail-on=upgradable --severity-threshold=high
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 
   security-executor:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
-    - uses: snyk/actions/setup@master
-    - uses: actions/setup-go@v3
-      with:
-        go-version: '^1.24.7'
-    - name: Set up executor's environment
-      # NOTE: The executor needs a couple extra steps before we can build it,
-      # like copying the operator's package into the executor's folder so that
-      # it's accessible.
-      run: make -C executor/ executor
-    - name: security-executor
-      run: snyk test \
-        --fail-on=upgradable
-        --severity-threshold=high
-        --file=executor/go.mod
-      env:
-        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      - uses: actions/checkout@v4
+      - uses: snyk/actions/setup@master
+      - uses: actions/setup-go@v3
+        with:
+          go-version: '1.24.7'
+      - name: Set up executor's environment
+        # NOTE: The executor needs a couple extra steps before we can build it,
+        # like copying the operator's package into the executor's folder so that
+        # it's accessible.
+        run: make -C executor/ executor
+      - name: security-executor
+        run: snyk test --file=executor/go.mod --fail-on=upgradable --severity-threshold=high
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

.github/workflows/security_tests_go_v1.yml

@@ -0,0 +1,82 @@
+name: V1 Security Tests Go Images
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    # TODO remove release-1.19.0-prep before merge to master
+    branches:
+      - master
+      - release-1.19.0-prep
+  workflow_dispatch:
+
+jobs:
+  image-executor:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Generate and set docker image tag
+        run: |
+          TAG="executor-test-$(date +%s)-$(openssl rand -hex 4)"
+          echo "SELDON_EXECUTOR_IMG=$TAG" >> $GITHUB_ENV
+          echo "Generated tag: SELDON_EXECUTOR_IMG"
+      - name: Build docker image
+        working-directory: ./executor/
+        env:
+          VERSION: ${{ steps.docker-tag.outputs.value }}
+        run: |
+          make docker-build
+      - name: Scan docker image for CVEs
+        uses: snyk/actions/docker@master
+        continue-on-error: false
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          image: ${{ env.SELDON_EXECUTOR_IMG }}
+          args: --app-vulns --severity-threshold=high --file=executor/Dockerfile.executor --fail-on=upgradable
+
+  image-operator:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Generate and set docker image tag
+        run: |
+          TAG="operator-test-$(date +%s)-$(openssl rand -hex 4)"
+          echo "SELDON_OPERATOR_IMG=$TAG" >> $GITHUB_ENV
+          echo "Generated tag: SELDON_OPERATOR_IMG"
+      - name: Build docker image
+        working-directory: ./operator/
+        env:
+          VERSION: ${{ steps.docker-tag.outputs.value }}
+        run: |
+          make docker-build
+      - name: Scan docker image for CVEs
+        uses: snyk/actions/docker@master
+        continue-on-error: false
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          image: ${{ env.SELDON_OPERATOR_IMG }}
+          args:  --app-vulns --severity-threshold=high --file=operator/Dockerfile --fail-on=upgradable
+
+  image-rclone-storage-initializer:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Build (rclone initializer)
+        working-directory: ./components/rclone-storage-initializer
+        run: |
+          export RCLONE_IMAGE_TAG="sec-tests.io/rclone-$(date +%s)-$(openssl rand -hex 4):test"
+          echo "RCLONE_IMAGE_TAG=$RCLONE_IMAGE_TAG" >> $GITHUB_ENV
+          make IMAGE_TAG=$RCLONE_IMAGE_TAG docker-build
+      - name: Scan rclone
+        uses: snyk/actions/docker@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          image: ${{ env.RCLONE_IMAGE_TAG }}
+          args: --app-vulns --severity-threshold=high --file=components/rclone-storage-initializer/Dockerfile --fail-on=upgradable