Unverified Commit 005711fa authored by Derek Nola's avatar Derek Nola Committed by GitHub

Breakup trivy scan and check comment author (#10935)

* Check comment author on trivy scan * Breakup trivy workflow for better permission security Signed-off-by: 's avatarDerek Nola <derek.nola@suse.com>
parent ed14f7f8
...@@ -9,19 +9,29 @@ jobs: ...@@ -9,19 +9,29 @@ jobs:
if: github.event.issue.pull_request && github.event.comment.body == '/trivy' if: github.event.issue.pull_request && github.event.comment.body == '/trivy'
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions: permissions:
pull-requests: write pull-requests: read
env:
GH_TOKEN: ${{ github.token }}
steps: steps:
- name: Check if comment author is a member of k3s-dev team
uses: actions/github-script@v7
with:
script: |
const org = context.repo.owner;
const team_slug = 'k3s-dev';
const username = context.payload.comment.user.login;
const { data: membership } = await github.teams.getMembershipForUserInOrg({
org,
team_slug,
username
});
if (membership.state !== 'active') {
core.setFailed(`User ${username} is not an active member of the ${team_slug} team`);
}
- name: Checkout PR code - name: Checkout PR code
uses: actions/checkout@v4 uses: actions/checkout@v4
with: with:
ref: refs/pull/${{ github.event.issue.number }}/head ref: refs/pull/${{ github.event.issue.number }}/head
- name: Comment Status on PR
run: |
gh repo set-default ${{ github.repository }}
gh pr comment ${{ github.event.issue.number }} -b ":construction: Running Trivy scan on PR :construction: "
- name: Build K3s Image - name: Build K3s Image
run: | run: |
...@@ -37,19 +47,47 @@ jobs: ...@@ -37,19 +47,47 @@ jobs:
severity: "HIGH,CRITICAL" severity: "HIGH,CRITICAL"
output: "trivy-report.txt" output: "trivy-report.txt"
- name: Add Trivy Report to PR - name: Upload Trivy Report
run: | uses: actions/upload-artifact@v4
sudo chown runner:runner trivy-report.txt with:
if [ -s trivy-report.txt ] && [ -n "$(grep -v '^\s*$' trivy-report.txt)" ]; then name: trivy-report
echo '```' | cat - trivy-report.txt > temp && mv temp trivy-report.txt path: trivy-report.txt
echo '```' >> trivy-report.txt retention-days: 2
gh issue comment ${{ github.event.issue.number }} --edit-last -F trivy-report.txt if-no-files-found: error
else
echo ':star2: No High or Critical CVEs Found :star2:' > trivy-report.txt trivy_report:
gh issue comment ${{ github.event.issue.number }} --edit-last -F trivy-report.txt needs: trivy_scan
fi runs-on: ubuntu-latest
permissions:
- name: Report Failure pull-requests: write
if: ${{ failure() }} env:
run: | GH_TOKEN: ${{ github.token }}
gh issue comment ${{ github.event.issue.number }} --edit-last -b ":x: Trivy scan action failed, check logs :x:" steps:
- name: Download Trivy Report
uses: actions/download-artifact@v4
with:
name: trivy-report
path: trivy-report.txt
- name: Add Trivy Report to PR
run: |
sudo chown runner:runner trivy-report.txt
if [ -s trivy-report.txt ] && [ -n "$(grep -v '^\s*$' trivy-report.txt)" ]; then
echo '```' | cat - trivy-report.txt > temp && mv temp trivy-report.txt
echo '```' >> trivy-report.txt
gh issue comment ${{ github.event.issue.number }} -F trivy-report.txt
else
echo ':star2: No High or Critical CVEs Found :star2:' > trivy-report.txt
gh issue comment ${{ github.event.issue.number }} -F trivy-report.txt
fi
trivy_failure:
needs: trivy_scan
runs-on: ubuntu-latest
if: always() && needs.trivy_scan.result == 'failure'
permissions:
pull-requests: write
steps:
- name: Report Failure
run: |
gh issue comment ${{ github.event.issue.number }} -b ":x: Trivy scan action failed, check logs :x:"
\ No newline at end of file
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment