Skip to content

updates

updates #11793

Workflow file for this run

name: updates
on:
schedule:
- cron: "*/60 * * * *" # Every 60 minutes
push:
branches: [main]
paths:
- '.github/workflows/updates.yaml'
- '.github/chainguard/updates.sts.yaml'
- 'helm/redis/values.yaml'
workflow_dispatch: # Allows manual triggering
env:
REDIS_IMAGE: "cgr.dev/cgr-demo.com/redis-server-bitnami"
permissions: {}
jobs:
check-for-fixes:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
ref: main
- name: Setup Go environment
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
- uses: octo-sts/action@6177b4481c00308b3839969c3eca88c96a91775f # v1.0.0
id: octo-sts
with:
scope: chainguard-dev/chainguard-migration-demo
identity: updates
- name: Install Crane
run: go install github.com/google/go-containerregistry/cmd/crane@latest
- name: Install Grype
run: |
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
- name: Install Cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
- uses: chainguard-dev/setup-chainctl@8d93dcbef466d3cf3533f67084f52eb74ef9d262 # v0.2.4
with:
identity: "4cf15780a13a9b6576d8b357e6524554c8c12a18/360614f2fd18f22d"
- name: 'Auth to Registry'
run: |
chainctl auth configure-docker
- name: Extract unique image.tag value
id: extract_unique_tag
run: |
CURRENT_UNIQUE_IMAGE=$(yq '.image.tag' helm/redis/values.yaml)
echo "Extracted Unique Tags: $CURRENT_UNIQUE_IMAGE"
echo "CURRENT_UNIQUE_TAG=$CURRENT_UNIQUE_IMAGE" >> "$GITHUB_ENV"
- name: Get latest unique tag
id: get_current_unique_tag
run: |
LATEST_UNIQUE_TAG=$(crane ls "${REDIS_IMAGE}" | grep -E '^[^ ]+-[0-9]{12}$' | grep -v '^latest' | grep -v '\-dev' | sort -Vr | head -n 1)
echo "LATEST_UNIQUE_TAG=${LATEST_UNIQUE_TAG}" >> "$GITHUB_ENV"
- name: Compare unique tags
id: compare_unique_tags
run: |
echo "CURRENT_UNIQUE_TAG=${CURRENT_UNIQUE_TAG}"
echo "LATEST_UNIQUE_TAG=${LATEST_UNIQUE_TAG}"
if [ "${CURRENT_UNIQUE_TAG}" != "${LATEST_UNIQUE_TAG}" ]; then
echo "UNIQUE_TAGS_CHANGED=true" >> "$GITHUB_ENV"
else
echo "UNIQUE_TAGS_CHANGED=false" >> "$GITHUB_ENV"
fi
- name: Run chainctl images diff
if: env.UNIQUE_TAGS_CHANGED == 'true'
id: diff_vulnerabilities
run: |
OLD_IMAGE="${REDIS_IMAGE}:${CURRENT_UNIQUE_TAG}"
NEW_IMAGE="${REDIS_IMAGE}:${LATEST_UNIQUE_TAG}"
CVE_LIST_JSON=$(chainctl images diff "$OLD_IMAGE" "$NEW_IMAGE" 2>/dev/null | jq -c '[.vulnerabilities.removed[] | select(.severity == "Critical" or .severity == "High") | .id]')
echo "CVE_LIST=$CVE_LIST_JSON" >> "$GITHUB_ENV"
if [ -n "$CVE_LIST_JSON" ]; then
echo "Found CVE fixes for the following CVES: $CVE_LIST_JSON"
echo "FIX_CVE=true" >> "$GITHUB_ENV"
else
echo "No CVE fixes available"
echo "FIX_CVE=false" >> "$GITHUB_ENV"
fi
- env:
GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}
run: |
gh repo list
- name: Update Helm Values
shell: bash
run: yq -i ".image.tag = strenv(LATEST_UNIQUE_TAG)" helm/redis/values.yaml
- name: Run git diff
id: create_pr_update
shell: bash
run: |
git diff --stat
echo "create_pr_update=false" >> "$GITHUB_OUTPUT"
if [[ $(git diff --stat) != '' ]]; then
echo "create_pr_update=true" >> "$GITHUB_OUTPUT"
echo "diff<<EOF" >> "${GITHUB_OUTPUT}"
git diff >> "${GITHUB_OUTPUT}"
echo "EOF" >> "${GITHUB_OUTPUT}"
fi
- uses: chainguard-dev/actions/setup-gitsign@57cb0b7560d9b9b081c15ac5ef689f73f4dda03e # main branch as of 2024-08-02
- name: Create Pull Request
uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
id: pull_request
with:
token: ${{ steps.octo-sts.outputs.token }}
commit-message: 'Update images digests'
title: 'Apply CVE Fix'
body: |
"Update Helm Redis Image Tag to ${{ env.LATEST_UNIQUE_TAG }}"
## Changes
<details>
```diff
${{ steps.create_pr_update.outputs.diff }}
```
</details>
labels: automated pr, cve, patch
branch: 'apply-cve-fix'
committer: 'github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>'
author: '${{ github.actor }} <${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com>'
delete-branch: true