rumble-vulnerability-data.yaml
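---
# Builds the Rumble vulnerability JSON and the image-comparison CSVs with the
# Go tool in tools/rumble and uploads them to a GCS bucket. Runs daily at
# 05:01 UTC, on manual dispatch, and on every push to the rumble-insights
# branch.
name: Rumble Vulnerability Data

on:
  schedule:
    - cron: "1 5 * * *"  # daily, 05:01 UTC
  workflow_dispatch:
  push:
    # A push to this branch runs the whole job, including the --upload steps.
    branches: [rumble-insights]

env:
  # GCP identity is obtained through Workload Identity Federation; the
  # repository holds only the provider/account names, not a long-lived key.
  PROJECT_ID: "${{ secrets.PROJECT_ID }}"
  WORKLOAD_IDENTITY_PROVIDER: "${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}"
  SERVICE_ACCOUNT: "${{ secrets.GH_ACTION_SERVICE_ACCOUNT }}"
  # Quoted like the entries above so no YAML parser re-types the expression.
  # Presumably consumed by main.go; confirm it is actually needed.
  GH_TOKEN: "${{ github.token }}"

defaults:
  run:
    shell: bash
    # All `run` steps execute inside the Go tool's directory.
    working-directory: ./tools/rumble

jobs:
  generate-csvs-and-json:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write  # federate with GCP
    env:
      # Arguments shared by the three main.go invocations below, kept in one
      # place so the copies cannot drift apart.
      INSIGHTS_PROJECT: prod-images-c6e5
      INSIGHTS_DB: insights_ds
      GCS_PROJECT: chainguard-academy
      GCS_BUCKET: chainguard-academy
    steps:
      - name: 'Github Actions Runner'
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          # `audit` only records outbound connections; it does not block them.
          # Moving to `block` requires an allowed-endpoints list for the GCP
          # and GitHub hosts the steps below reach.
          egress-policy: audit
      - name: 'Checkout default branch to $GITHUB_WORKSPACE dir'
        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3
      - name: Set up Go
        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # actions/setup-go@v4
        with:
          go-version: '^1.21.0'
      - name: Authenticate to Google Cloud
        id: auth
        uses: google-github-actions/auth@ceee102ec2387dd9e844e01b530ccd4ec87ce955 # v0
        with:
          # A short-lived access token minted via the OIDC id-token above.
          token_format: 'access_token'
          project_id: "${{ env.PROJECT_ID }}"
          workload_identity_provider: "${{ env.WORKLOAD_IDENTITY_PROVIDER }}"
          service_account: "${{ env.SERVICE_ACCOUNT }}"
      - name: Generate vulnerability JSON files
        run: |
          go run main.go vulns \
            --project "$INSIGHTS_PROJECT" \
            --db "$INSIGHTS_DB" \
            --gcs-project "$GCS_PROJECT" \
            --bucket "$GCS_BUCKET" \
            --upload
      - name: Generate image comparison CSVs
        run: |
          # The JSON path is relative to tools/rumble, i.e. data/rumble.json
          # at the repository root.
          go run main.go image-csv \
            --project "$INSIGHTS_PROJECT" \
            --db "$INSIGHTS_DB" \
            --gcs-project "$GCS_PROJECT" \
            --bucket "$GCS_BUCKET" \
            --rumble-json-path ../../data/rumble.json \
            --upload
      - name: Generate legacy comparison CSV
        run: |
          go run main.go legacy-csv \
            --project "$INSIGHTS_PROJECT" \
            --db "$INSIGHTS_DB" \
            --gcs-project "$GCS_PROJECT" \
            --bucket "$GCS_BUCKET" \
            --upload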