Run scheduled CVE scans #11
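---
name: Run scheduled CVE scans

on:
  schedule:
    - cron: "0 6 * * 3" # Every Wednesday at 6:00 AM UTC
  workflow_dispatch:
    # Allows manual triggering of the workflow
    inputs:
      dry-run:
        description: "Run the workflow in dry-run mode"
        required: false
        type: boolean
        default: false

jobs:
  run-cves-scan:
    name: Run CVE scan
    # Token-scope note: the PAT fetched in `get-secrets` is the credential for
    # checkout, the ghcr.io login, the scan script, PR creation and automerge.
    # Its scope should be the minimum those five operations need; GITHUB_TOKEN
    # is only used implicitly here. NOTE(review): `pull-requests: write` and
    # `contents: read` below apply to GITHUB_TOKEN, which no visible step
    # passes explicitly — confirm they are still required (e.g. by the scan
    # script) before narrowing them.
    permissions:
      contents: read
      pull-requests: write
      id-token: write # required for keyless (Workload Identity) auth to GCP
    runs-on: ubuntu-latest
    steps:
      # Third-party actions are pinned to major tags (@vN). A tag can move;
      # pinning to a full commit SHA gives an immutable reference. SHAs are
      # not recorded here because the page does not show them — resolve them
      # when pinning.
      - name: Authenticate with GCP
        uses: google-github-actions/auth@v3
        with:
          workload_identity_provider: "projects/841522437311/locations/global/workloadIdentityPools/github-actions/providers/github-actions"
          service_account: "[email protected]"

      - id: get-secrets
        name: Get secrets from GCP Secret Manager
        # Retrieves secrets from GCP Secret Manager and exposes them as step
        # outputs, read later as ${{ steps.get-secrets.outputs.<secret_name> }}.
        # NOTE(review): the secret lives in a different project number
        # (626836145334) than the identity provider above (841522437311) —
        # confirm this cross-project reference is intended.
        uses: "google-github-actions/get-secretmanager-secrets@v3"
        with:
          secrets: |-
            github-pat:projects/626836145334/secrets/GITHUB_CI_PAT

      - name: Checkout repository
        uses: actions/checkout@v5
        with:
          token: ${{ steps.get-secrets.outputs.github-pat }}

      - name: Log into ghcr.io
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ steps.get-secrets.outputs.github-pat }}

      - name: Install Syft and Grype
        # Supply-chain note: both installers are fetched from the `main`
        # branch and piped straight into `sh`, so every run executes whatever
        # that branch currently contains. The installer accepts a release tag
        # as a trailing argument (e.g. `sh -s -- -b /usr/local/bin <PINNED_RELEASE_TAG>`,
        # placeholder); pinning to a release and verifying the downloaded
        # binary against its published checksum makes the toolchain
        # reproducible and reviewable.
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
        shell: bash

      - name: Ensure we authenticate the GH CLI
        # Best-effort diagnostic only: a failed `gh auth status` is logged but
        # does not fail the job. A bad token surfaces in the scan or automerge
        # steps instead, which also use GH_TOKEN.
        run: |
          gh auth status || echo "Not authenticated"
        shell: bash
        env:
          GH_TOKEN: ${{ steps.get-secrets.outputs.github-pat }}

      - name: Run CVE scan
        # The scan script receives the PAT via GH_TOKEN; it runs after checkout,
        # so `scripts/security/run-scans.sh` comes from the checked-out repo.
        run: ./scripts/security/run-scans.sh
        shell: bash
        env:
          GH_TOKEN: ${{ steps.get-secrets.outputs.github-pat }}

      - name: Create a PR with the update
        # `inputs.dry-run` is only populated by workflow_dispatch; on the
        # scheduled trigger it is empty, so `!inputs.dry-run` is true and the
        # PR is created.
        if: ${{ !inputs.dry-run }}
        id: cpr
        uses: peter-evans/create-pull-request@v7
        with:
          commit-message: "ci: update cve scan results"
          signoff: true
          base: main
          branch: ci_update_cve-scan-results
          delete-branch: true
          title: "ci: update cve scan results"
          # Using the PAT (not GITHUB_TOKEN) means the resulting PR triggers
          # the repository's normal PR workflows.
          token: ${{ steps.get-secrets.outputs.github-pat }}
          labels: ci,automerge
          body: |
            Update CVE scan results:
            - Created by ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
            - Auto-generated by create-pull-request: https://github.com/peter-evans/create-pull-request
          draft: false

      - name: Check outputs
        if: ${{ steps.cpr.outputs.pull-request-number }}
        # Step outputs are passed through `env` instead of being interpolated
        # into the script body, so the shell never sees an expression value
        # substituted into source text (the standard script-injection guard).
        env:
          PR_NUMBER: ${{ steps.cpr.outputs.pull-request-number }}
          PR_URL: ${{ steps.cpr.outputs.pull-request-url }}
        run: |
          echo "Pull Request Number - ${PR_NUMBER}"
          echo "Pull Request URL - ${PR_URL}"
        shell: bash

      - name: Enable Pull Request Automerge
        if: ${{ steps.cpr.outputs.pull-request-number }}
        # Same guard as above: the PR number reaches `gh` through an env var.
        env:
          GH_TOKEN: ${{ steps.get-secrets.outputs.github-pat }}
          PR_NUMBER: ${{ steps.cpr.outputs.pull-request-number }}
        run: gh pr merge --squash --auto "${PR_NUMBER}"
        shell: bash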