Skip to content

Update sec-scanners-config.yaml #499

Update sec-scanners-config.yaml

Update sec-scanners-config.yaml #499

name: Update sec-scanners-config.yaml
on:
schedule:
- cron: '21 * * * *'
permissions:
contents: write
pull-requests: write
jobs:
update-sec-scanners:
name: update sec-scanners-config.yaml
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- shell: bash
name: get latest tag
env:
IMAGE_TAG_REGEXP: v[0-9]{8}-[a-f0-9]{6,9}
run: |
# grab latest tag from sorted list of tags for given TAG_REGEXP
IMAGE_TAG=$(skopeo list-tags docker://europe-docker.pkg.dev/kyma-project/prod/istio-manager | jq -r ".Tags[] | select(.| test(\"$IMAGE_TAG_REGEXP\"))" | sort | tail -1)
if [[ -z $IMAGE_TAG ]]; then
echo Fetched image tag is empty, most likely your IMAGE_TAG_REGEXP is incorrect
exit 1
fi
echo "IMAGE_TAG=$IMAGE_TAG" >> "$GITHUB_ENV"
- shell: bash
name: Schedule security-config update
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
git fetch origin
git checkout -f autobump/sec-scanners-config
git reset --hard origin/main
sed -i "s/europe-docker\.pkg\.dev\/kyma-project\/prod\/istio-manager\:.*/europe-docker\.pkg\.dev\/kyma-project\/prod\/istio-manager\:$IMAGE_TAG/" sec-scanners-config.yaml
git add .
if git diff-index --quiet HEAD; then
echo "No changes detected - no action required"
exit 0
fi
git commit -m "chore: automatic update sec-scanners-config.yaml" -m "Generated by GitHub Actions"
git push -f -u origin autobump/sec-scanners-config
gh pr create --base main --head autobump/sec-scanners-config --fill || true