Add scheduled scan

corneliusludmann · corneliusludmann · commit 5b188a94fba5 · 2025-05-08T09:11:13.000Z
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -16,6 +16,14 @@ on:
         type: string
         description: "Whether to recreate the VM"
         default: "false"
+      simulate_scheduled_run:
+        required: false
+        type: boolean
+        description: "Simulate a scheduled run"
+        default: false
+  schedule:
+    # Run at midnight UTC every day
+    - cron: '0 0 * * *'
 
 jobs:
   create-runner:
@@ -36,6 +44,7 @@ jobs:
       cancel-in-progress: true
     outputs:
       is_main_branch: ${{ (github.head_ref || github.ref) == 'refs/heads/main' }}
+      is_scheduled_run: ${{ github.event_name == 'schedule' || inputs.simulate_scheduled_run == true }}
       version: ${{ steps.branches.outputs.sanitized-branch-name }}-gha.${{github.run_number}}
       preview_enable: ${{ contains( steps.pr-details.outputs.pr_body, '[x] /werft with-preview') || (steps.output.outputs.with_integration_tests != '') }}
       preview_name: ${{ github.head_ref || github.ref_name }}
@@ -98,7 +107,8 @@ jobs:
     name: Build previewctl
     if: |
       (needs.configuration.outputs.pr_no_diff_skip != 'true') &&
-      (needs.configuration.outputs.preview_enable == 'true')
+      (needs.configuration.outputs.preview_enable == 'true') &&
+      (needs.configuration.outputs.is_scheduled_run != 'true')
     needs: [ configuration, create-runner ]
     concurrency:
       group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-build-previewctl
@@ -126,7 +136,8 @@ jobs:
     if: |
       (needs.configuration.outputs.pr_no_diff_skip != 'true') &&
       (needs.configuration.outputs.preview_enable == 'true') &&
-      (needs.configuration.outputs.is_main_branch != 'true')
+      (needs.configuration.outputs.is_main_branch != 'true') &&
+      (needs.configuration.outputs.is_scheduled_run != 'true')
     runs-on: ${{ needs.create-runner.outputs.label }}
     concurrency:
       group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-infrastructure
@@ -299,7 +310,7 @@ jobs:
 
           exit $RESULT
       - name: Tag the release
-        if: github.ref == 'refs/heads/main'
+        if: github.ref == 'refs/heads/main' && needs.configuration.outputs.is_scheduled_run != 'true'
         run: |
           git config --global user.name $GITHUB_USER
           git config --global user.email $GITHUB_EMAIL
@@ -309,6 +320,11 @@ jobs:
           GITHUB_USER: roboquat
           GITHUB_EMAIL: roboquat@gitpod.io
           VERSION: ${{ needs.configuration.outputs.version }}
+      - name: Add failOn to workspace config (when scheduled)
+        if: needs.configuration.outputs.is_scheduled_run == 'true'
+        run: |
+          # Add failOn: ["critical"] to the sbom block in WORKSPACE.yaml
+          sed -i '/sbom:/,/^[a-z]/ s/enabled: true/enabled: true\n  failOn: ["critical"]/' WORKSPACE.yaml
       - name: Scan for Vulnerabilities
         id: scan
         shell: bash
@@ -382,7 +398,7 @@ jobs:
   install-app:
     runs-on: ${{ needs.create-runner.outputs.label }}
     needs: [ configuration, build-gitpod, create-runner ]
-    if: ${{ needs.configuration.outputs.is_main_branch == 'true' }}
+    if: ${{ needs.configuration.outputs.is_main_branch == 'true' && needs.configuration.outputs.is_scheduled_run != 'true' }}
     strategy:
       fail-fast: false
       matrix:
@@ -421,6 +437,7 @@ jobs:
       - build-gitpod
       - infrastructure
       - create-runner
+    if: needs.configuration.outputs.is_scheduled_run != 'true'
     runs-on: ${{ needs.create-runner.outputs.label }}
     concurrency:
       group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-install
@@ -471,7 +488,7 @@ jobs:
     name: "Install Monitoring Satellite"
     needs: [ infrastructure, build-previewctl, create-runner ]
     runs-on: ${{ needs.create-runner.outputs.label }}
-    if: needs.configuration.outputs.with_monitoring == 'true'
+    if: needs.configuration.outputs.with_monitoring == 'true' && needs.configuration.outputs.is_scheduled_run != 'true'
     concurrency:
       group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-monitoring
       cancel-in-progress: true
@@ -502,7 +519,7 @@ jobs:
     runs-on: ${{ needs.create-runner.outputs.label }}
     container:
       image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:clu-leeway-sbom-scan-gha.32460
-    if: needs.configuration.outputs.with_integration_tests != ''
+    if: needs.configuration.outputs.with_integration_tests != '' && needs.configuration.outputs.is_scheduled_run != 'true'
     concurrency:
       group: ${{ needs.configuration.outputs.preview_name }}-integration-test
       cancel-in-progress: true
@@ -532,7 +549,7 @@ jobs:
       - configuration
       - build-gitpod
       - create-runner
-    if: needs.configuration.outputs.is_main_branch == 'true'
+    if: needs.configuration.outputs.is_main_branch == 'true' && needs.configuration.outputs.is_scheduled_run != 'true'
     uses: ./.github/workflows/workspace-integration-tests.yml
     with:
       version: ${{ needs.configuration.outputs.version }}
@@ -544,7 +561,7 @@ jobs:
       - configuration
       - build-gitpod
       - create-runner
-    if: needs.configuration.outputs.is_main_branch == 'true'
+    if: needs.configuration.outputs.is_main_branch == 'true' && needs.configuration.outputs.is_scheduled_run != 'true'
     uses: ./.github/workflows/code-updates.yml
     secrets: inherit
 
@@ -554,10 +571,31 @@ jobs:
       - configuration
       - build-gitpod
       - create-runner
-    if: needs.configuration.outputs.is_main_branch == 'true'
+    if: needs.configuration.outputs.is_main_branch == 'true' && needs.configuration.outputs.is_scheduled_run != 'true'
     uses: ./.github/workflows/jetbrains-updates.yml
     secrets: inherit
 
+  notify-scheduled-failure:
+    name: "Notify on scheduled run failure"
+    if: needs.configuration.outputs.is_scheduled_run == 'true' && failure()
+    needs:
+      - configuration
+      - build-gitpod
+      - workspace-integration-tests-main
+      - ide-code-updates
+      - ide-jb-updates
+    runs-on: ubuntu-latest
+    steps:
+      - name: Slack Notification
+        uses: rtCamp/action-slack-notify@v2
+        env:
+          SLACK_WEBHOOK: ${{ secrets.ENTERPRISE_JOBS_SLACK_WEBHOOK }}
+          SLACK_ICON_EMOJI: ":x:"
+          SLACK_USERNAME: "Scheduled Build"
+          SLACK_COLOR: "danger"
+          SLACK_MESSAGE: "Daily scheduled build failed! Please check the logs for details."
+          SLACK_FOOTER: "<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View Workflow Logs>"
+
   delete-runner:
     if: always()
     needs:
@@ -570,6 +608,7 @@ jobs:
       - install
       - monitoring
       - integration-test
+      - notify-scheduled-failure
     uses: gitpod-io/gce-github-runner/.github/workflows/delete-vm.yml@main
     secrets:
       gcp_credentials: ${{ secrets.SELF_HOSTED_GITHUB_RUNNER_GCP_CREDENTIALS }}
