Rumble Vulnerability Data #945
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Rumble Vulnerability Data | |
| on: | |
| schedule: | |
| - cron: "1 5 * * *" | |
| workflow_dispatch: | |
| push: | |
| branches: [rumble-insights] | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| defaults: | |
| run: | |
| shell: bash | |
| working-directory: ./tools/rumble | |
| permissions: {} | |
| jobs: | |
| generate-csvs-and-json: | |
| runs-on: ubuntu-latest | |
| if: github.repository == 'chainguard-dev/edu' | |
| permissions: | |
| contents: read | |
| id-token: write # federate with GCP | |
| steps: | |
| - name: 'Github Actions Runner' | |
| uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 | |
| with: | |
| egress-policy: audit | |
| - name: 'Checkout default branch to $GITHUB_WORKSPACE dir' | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Set up Go | |
| uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0 | |
| with: | |
| go-version-file: ./tools/rumble/go.mod | |
| check-latest: true | |
| - name: Authenticate to Google Cloud | |
| id: auth | |
| uses: step-security/google-github-auth@57c51210cb4d85d8a5d39dc4c576c79bd693f914 # v3.0.1 | |
| with: | |
| service_account: "github-chainguard-academy@chainguard-academy.iam.gserviceaccount.com" | |
| workload_identity_provider: "projects/456977358484/locations/global/workloadIdentityPools/chainguard-academy/providers/chainguard-edu" | |
| - name: Generate vulnerability JSON files | |
| run: | | |
| go run main.go vulns \ | |
| --project prod-enforce-fabc \ | |
| --db cloudevents_grype_scan_results \ | |
| --gcs-project chainguard-academy \ | |
| --bucket chainguard-academy \ | |
| --upload | |
| - name: Generate image comparison CSVs | |
| run: | | |
| go run main.go image-csv \ | |
| --project prod-enforce-fabc \ | |
| --db cloudevents_grype_scan_results \ | |
| --gcs-project chainguard-academy \ | |
| --bucket chainguard-academy \ | |
| --rumble-json-path ../../data/rumble.json \ | |
| --upload | |
| - name: Generate legacy comparison CSV | |
| run: | | |
| go run main.go legacy-csv \ | |
| --project prod-enforce-fabc \ | |
| --db cloudevents_grype_scan_results \ | |
| --gcs-project chainguard-academy \ | |
| --bucket chainguard-academy \ | |
| --upload | |
| - name: Post failure notice to Slack | |
| uses: step-security/action-slack-notify@e04c77a65bae8b6c0373478a1cb8fd7e012637e6 # v2.3.5 | |
| if: ${{ failure() }} | |
| env: | |
| SLACK_ICON: http://github.com/chainguard-dev.png?size=48 | |
| SLACK_USERNAME: guardian | |
| SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | |
| SLACK_CHANNEL: 'alerts-edu' | |
| SLACK_COLOR: '#8E1600' | |
| MSG_MINIMAL: 'true' | |
| SLACK_TITLE: 'Rumble vuln data failed - ${{ github.repository }}' | |
| SLACK_MESSAGE: | | |
| For detailed logs: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} |