
Commit 114a15b

authored
chore: add cloud trivy scan workflow (#651)
1 parent e16a483 commit 114a15b


1 file changed

+155
-0
lines changed

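--- /dev/null
+++ b/<path-not-shown-on-page>
@@ -0,0 +1,155 @@
+name: Trivy Scan Cloud
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 0 * * 1-5' # Runs at 08:00 UTC on Mon to Friday
+
+env:
+  GH_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
+  CLOUD_REPO: "apecloud/apecloud"
+  MANIFESTS_FILE: "manifests/deploy-manifests.yaml"
+
+
+jobs:
+  get-images:
+    runs-on: ubuntu-latest
+    outputs:
+      cloud-tag: ${{ steps.get-cloud-tag.outputs.cloud-tag }}
+      cloud-images: ${{ steps.get-images.outputs.cloud-images }}
+      gemini-images: ${{ steps.get-images.outputs.gemini-images }}
+      kubeblocks-images: ${{ steps.get-images.outputs.kubeblocks-images }}
+    steps:
+      - name: get cloud tag
+        id: get-cloud-tag
+        run: |
+          CLOUD_TAG=$(gh release list --repo ${{ env.CLOUD_REPO }} | grep -v "alpha" | grep -v "beta" | awk 'NR==1{print $2}')
+          echo "cloud-tag=${CLOUD_TAG}" >> $GITHUB_OUTPUT
+
+      - name: Checkout apecloud Code
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ env.CLOUD_REPO }}
+          token: ${{ env.GH_TOKEN }}
+          ref: ${{ steps.get-cloud-tag.outputs.cloud-tag }}
+
+      - name: get cloud tag
+        id: get-images
+        run: |
+          MANIFESTS_FILE=${{ env.MANIFESTS_FILE }}
+          CLOUD_TAG="${{ steps.get-cloud-tag.outputs.cloud-tag }}"
+
+          MANIFESTS_FILE="/Users/huangzhangshu/projects/apecloud/github/apecloud/manifests/deploy-manifests.yaml"
+          CLOUD_TAG="v2.0.155"
+
+          # get cloud images
+          cloud_images_list=$(yq e ".kubeblocks-cloud[].images" ${MANIFESTS_FILE} | (grep "${CLOUD_TAG}" || true) | awk '{print $2}' | sort -u)
+          CLOUD_IMAGES=""
+          for cloud_image in $(echo "${cloud_images_list}"); do
+            if [[ -z "${CLOUD_IMAGES}" ]]; then
+              CLOUD_IMAGES="docker.io/${cloud_image}"
+            else
+              CLOUD_IMAGES="${CLOUD_IMAGES}|docker.io/${cloud_image}"
+            fi
+          done
+          kb_cloud_installer_image="docker.io/apecloud/kb-cloud-installer:v2.0.155"
+          if [[ -z "${CLOUD_IMAGES}" ]]; then
+            CLOUD_IMAGES="${kb_cloud_installer_image}"
+          else
+            CLOUD_IMAGES="${CLOUD_IMAGES}|${kb_cloud_installer_image}"
+          fi
+
+          echo "CLOUD_IMAGES:${CLOUD_IMAGES}"
+          echo "cloud-images=${CLOUD_IMAGES}" >> $GITHUB_OUTPUT
+
+          # get gemini images
+          gemini_versions_list=$(yq e ".gemini[].version" ${MANIFESTS_FILE} | tr '\n' '|' | sed 's/|$//')
+
+          gemini_images_list=$(yq e ".gemini[].images" ${MANIFESTS_FILE} | (egrep "${gemini_versions_list}" || true) | awk '{print $2}' | sort -u)
+          GEMINI_IMAGES=""
+          for gemini_image in $(echo "${gemini_images_list}"); do
+            if [[ -z "${GEMINI_IMAGES}" ]]; then
+              GEMINI_IMAGES="docker.io/${gemini_image}"
+            else
+              GEMINI_IMAGES="${GEMINI_IMAGES}|docker.io/${gemini_image}"
+            fi
+          done
+
+          oteld_image=$(yq e ".gemini-monitor[].images" ${MANIFESTS_FILE} | awk 'NR==1{print $2}')
+          if [[ -z "${GEMINI_IMAGES}" ]]; then
+            GEMINI_IMAGES="docker.io/${oteld_image}"
+          else
+            GEMINI_IMAGES="${GEMINI_IMAGES}|docker.io/${oteld_image}"
+          fi
+
+          echo "GEMINI_IMAGES:${GEMINI_IMAGES}"
+          echo "gemini-images=${GEMINI_IMAGES}" >> $GITHUB_OUTPUT
+
+          # get kubeblocks images
+          kubeblocks_versions_list=$(yq e ".kubeblocks[].version" ${MANIFESTS_FILE} | tr '\n' '|' | sed 's/|$//')
+          kubeblocks_images_list=$(yq e ".kubeblocks[].images" ${MANIFESTS_FILE} | (egrep "${kubeblocks_versions_list}|datasafed" || true) | awk '{print $2}' | sort -u)
+          KUBEBLOCKS_IMAGES=""
+          for kubeblocks_image in $(echo "${kubeblocks_images_list}"); do
+            if [[ -z "${KUBEBLOCKS_IMAGES}" ]]; then
+              KUBEBLOCKS_IMAGES="docker.io/${kubeblocks_image}"
+            else
+              KUBEBLOCKS_IMAGES="${KUBEBLOCKS_IMAGES}|docker.io/${kubeblocks_image}"
+            fi
+          done
+
+          echo "KUBEBLOCKS_IMAGES:${KUBEBLOCKS_IMAGES}"
+          echo "kubeblocks-images=${KUBEBLOCKS_IMAGES}" >> $GITHUB_OUTPUT
+
+  cloud:
+    uses: ./.github/workflows/trivy-scan.yml
+    needs: [ get-images ]
+    with:
+      ITEM: "cloud"
+      IMAGES: "${{ needs.get-images.outputs.cloud-images }}"
+      ADDON: false
+    secrets: inherit
+
+  gemini:
+    uses: ./.github/workflows/trivy-scan.yml
+    needs: [ get-images ]
+    with:
+      ITEM: "gemini"
+      IMAGES: "${{ needs.get-images.outputs.gemini-images }}"
+      ADDON: false
+    secrets: inherit
+
+  kubeblocks:
+    uses: ./.github/workflows/trivy-scan.yml
+    needs: [ get-images ]
+    with:
+      ITEM: "kubeblocks"
+      IMAGES: "${{ needs.get-images.outputs.kubeblocks-images }}"
+      ADDON: false
+    secrets: inherit
+
+  send-message:
+    if: ${{ always() }}
+    runs-on: ubuntu-latest
+    needs: [ get-images, cloud, gemini, kubeblocks ]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          repository: apecloud/apecloud-cd
+          path: ./
+
+      - name: send message
+        run: |
+          CLOUD_TAG="${{ needs.get-images.outputs.cloud-tag }}"
+          TEST_RESULT="${{ needs.cloud.outputs.total-vulnerabilities }}"
+          TEST_RESULT="${TEST_RESULT}##${{ needs.gemini.outputs.total-vulnerabilities }}"
+          TEST_RESULT="${TEST_RESULT}##${{ needs.kubeblocks.outputs.total-vulnerabilities }}"
+
+          export TZ='Asia/Shanghai'
+          date_ret=$(date +%Y-%m-%d-%T)
+          test_title="[${CLOUD_TAG}] Trivy Scan Vulnerabilities [${date_ret}]"
+
+          python3 .github/utils/send_mesage.py \
+            --send-type trivy \
+            --url "${{ vars.CICD_WEBHOOK }}" \
+            --title "$test_title" \
+            --result "$TEST_RESULT"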
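Review bot: The `get-images` step throws away the values it just computed — right after `MANIFESTS_FILE=${{ env.MANIFESTS_FILE }}` and `CLOUD_TAG="${{ steps.get-cloud-tag.outputs.cloud-tag }}"` it reassigns `MANIFESTS_FILE="/Users/huangzhangshu/…/deploy-manifests.yaml"` (a developer's local path) and pins `CLOUD_TAG="v2.0.155"`, and the installer image is likewise hard-coded as `kb-cloud-installer:v2.0.155` instead of using `${CLOUD_TAG}`. On a hosted runner that path does not exist, so the `yq` reads presumably yield empty lists (the `|| true` and trailing `sort -u` keep the step green) and the scheduled scan silently covers only the pinned installer image, never the images of the release `get-cloud-tag` just resolved. Delete the two override lines and change the installer line to `kb_cloud_installer_image="docker.io/apecloud/kb-cloud-installer:${CLOUD_TAG}"`. Two smaller points: the cron comment claims 08:00 UTC but `0 0 * * 1-5` fires at 00:00 UTC (08:00 Asia/Shanghai), and placing the PAT in the workflow-level `env` exposes it to every job and step although only the `gh release list` and checkout steps of `get-images` need it — scoping it to those steps keeps the token out of the `send-message` job and the reusable-workflow calls.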
