Skip to content

Update sec-scanners-config.yaml #2904

Update sec-scanners-config.yaml

Update sec-scanners-config.yaml #2904

name: Update sec-scanners-config.yaml
on:
schedule:
- cron: '21 * * * *'
jobs:
update-sec-scanners:
name: update sec-scanners-config.yaml
runs-on: ubuntu-latest
env:
IMAGE: europe-docker.pkg.dev/kyma-project/prod/istio/main/istio-manager
GITHUB_TOKEN: ${{ secrets.GOAT_BOT_REPO_ACCESS }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ secrets.GOAT_BOT_REPO_ACCESS }}
- name: get latest tag
id: latest-sha
env:
IMAGE_TAG_REGEXP: v[0-9]{8}-[a-f0-9]{6,9}
run: |
# grab latest image associated with a commit in git history
while read -r SHA; do
if skopeo inspect "docker://$IMAGE:$SHA"; then
echo "found image: $IMAGE:$SHA"
echo "image-tag=$SHA" >> "$GITHUB_OUTPUT"
exit 0
fi
done < <(git rev-list HEAD)
- name: Schedule security-config update
if: steps.latest-sha.outputs.image-tag != ''
env:
GH_TOKEN: ${{ secrets.GOAT_BOT_REPO_ACCESS }}
IMAGE_TAG: ${{ steps.latest-sha.outputs.image-tag }}
run: |
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
git fetch origin
git checkout -f autobump/sec-scanners-config
git reset --hard origin/main
sed -i "s/europe-docker\.pkg\.dev\/kyma-project\/prod\/istio\/main\/istio-manager\:.*/europe-docker\.pkg\.dev\/kyma-project\/prod\/istio\/main\/istio-manager\:$IMAGE_TAG/" sec-scanners-config.yaml
git add .
if git diff-index --quiet HEAD; then
echo "No changes detected - no action required"
exit 0
fi
git commit -m "chore: automatic update sec-scanners-config.yaml" -m "Generated by GitHub Actions"
git push -f -u origin autobump/sec-scanners-config
gh pr create --base main --head autobump/sec-scanners-config --fill --label dependencies || true