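---
# Builds the Trivy vulnerability database and publishes it as an OCI
# artifact (tags "latest" and VERSION) to ghcr.io, docker.io and
# public.ecr.aws.  Runs every six hours and can also be started by hand.
name: Trivy DB
on:
  schedule:
    - cron: "0 */6 * * *"
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: actions/checkout needs contents:read and
# the ghcr.io login below authenticates with GITHUB_TOKEN, so pushing there
# needs packages:write.  The download step also receives the token; if a
# make target fails on a permission error, widen the scope here.
permissions:
  contents: read
  packages: write

env:
  REPO_OWNER: ${{ github.repository_owner }} # used in 'make db-build'
  GH_USER: aqua-bot
  # DB schema version; also pushed as a second artifact tag next to "latest".
  # Quoted so it stays a string across YAML parsers.
  VERSION: "2"

jobs:
  build:
    name: Build DB
    runs-on: ubuntu-24.04
    steps:
      # vuln-list dirs + language repositories use more than 31GB of storage
      - name: Maximize build space
        uses: AdityaGarg8/remove-unwanted-software@90e01b21170618765a73370fcc3abbd1684a7793
        with:
          remove-android: 'true'
          remove-dotnet: 'true'
          remove-haskell: 'true'
          remove-codeql: 'true'
          remove-docker-images: 'true'
          remove-large-packages: 'true'
          remove-cached-tools: 'true'
          remove-swapfile: 'true'

      - name: Check out code into the Go module directory
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Set up Go
        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
        with:
          go-version-file: go.mod

      - name: Install bbolt
        run: go install go.etcd.io/bbolt/cmd/bbolt@v1.3.5

      # The token is scoped to this step only; the build steps below run
      # without it.
      - name: Download vuln-list and advisories
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: make db-fetch-langs db-fetch-vuln-list

      - name: Build the binary
        run: make build

      - name: Build database
        run: make db-build

      - name: Compact DB
        run: make db-compact

      - name: Compress assets
        run: make db-compress

      # The upload step below expects db.tar.gz in the workspace root.
      - name: Move DB
        run: mv assets/db.tar.gz .

      - name: Login to Docker Hub
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Login to GitHub Packages Container registry
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ env.GH_USER }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Login to ECR
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: public.ecr.aws
          username: ${{ secrets.ECR_ACCESS_KEY_ID }}
          password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}

      # NOTE(review): the oras archive is fetched without an integrity check.
      # Pin the expected SHA256 of oras_1.2.0_linux_amd64.tar.gz and verify
      # it with `sha256sum -c` before extracting.  --fail makes an HTTP error
      # stop the step instead of handing a non-archive to tar.
      - name: Install oras
        run: |
          curl --fail -LO https://github.com/oras-project/oras/releases/download/v1.2.0/oras_1.2.0_linux_amd64.tar.gz
          tar -xvf ./oras_1.2.0_linux_amd64.tar.gz

      # Pushes db.tar.gz to every registry under both tags; the first failed
      # push aborts the step.  GITHUB_REPOSITORY and VERSION are read from the
      # environment instead of being interpolated into the script by ${{ }}.
      - name: Upload assets to registries
        run: |
          lowercase_repo=$(echo "${GITHUB_REPOSITORY}" | tr '[:upper:]' '[:lower:]')
          echo "Starting artifact upload process..."
          # Define an array of registry base URLs and their corresponding repository names
          declare -A registries=(
            ["ghcr.io"]="${lowercase_repo}"
            ["public.ecr.aws"]="${lowercase_repo}"
            ["docker.io"]="${lowercase_repo}"
          )
          # Special case for docker.io if the organization is 'aquasecurity'
          if [[ "${lowercase_repo}" == "aquasecurity/"* ]]; then
            registries["docker.io"]="aquasec/${lowercase_repo#aquasecurity/}"
            echo "Docker Hub repository adjusted for aquasecurity: ${registries["docker.io"]}"
          fi
          # Loop through each registry and push the artifact
          for registry in "${!registries[@]}"; do
            repo_name=${registries[$registry]}
            full_registry_url="${registry}/${repo_name}"
            echo "Processing registry: ${full_registry_url}"
            tags=(latest "${VERSION}")
            for tag in "${tags[@]}"; do
              echo "Pushing artifact with tag: ${tag}"
              if ./oras push --artifact-type application/vnd.aquasec.trivy.config.v1+json \
                "${full_registry_url}:${tag}" \
                db.tar.gz:application/vnd.aquasec.trivy.db.layer.v1.tar+gzip; then
                echo "Successfully pushed to ${full_registry_url}:${tag}"
              else
                echo "Failed to push to ${full_registry_url}:${tag}"
                exit 1
              fi
            done
          done
          echo "Artifact upload process completed."

      # Runs only when an earlier step failed; the needs/job/steps contexts
      # are passed to the action as JSON.
      - name: Microsoft Teams Notification
        uses: Skitionek/notify-microsoft-teams@e7a2493ac87dad8aa7a62f079f295e54ff511d88
        if: failure()
        with:
          webhook_url: ${{ secrets.TRIVY_MSTEAMS_WEBHOOK }}
          needs: ${{ toJson(needs) }}
          job: ${{ toJson(job) }}
          steps: ${{ toJson(steps) }}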