Changed to execute a scan job when the build job is finished. #340

Merged 10 commits into main from scan-compatible, Nov 20, 2024

Conversation

@012xx (Contributor) commented Nov 15, 2024

Overview

  • Changed to execute a scan job when the build job is finished.

Why

  • Due to the increasing frequency of yamory scan failures

What

  • I did not want to execute curl -sSf -L https://mw-receiver.yamory.io/image/script/trivy in parallel.
  • For this reason, I used a for loop and other methods to execute the scan sequentially.
  • I also made changes to use the needs context so that the scan is executed after the build is complete.
  • Due to the separation of jobs, it became difficult to pass data in the BUILDS file created during the build, so I decided to execute the scan by putting the image name in an environment variable.

Comment on lines 98 to 102
scan:
name: Scan images
runs-on: ubuntu-24.04
needs: build
steps:
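Review bot: `needs: build` couples this job to the job identifier introduced by the rename in this PR; if that identifier goes back to `release`, as requested in the review of the `build:` hunk, `needs` has to change in the same commit, because a `needs` entry naming a job that no longer exists makes the workflow invalid. While the job is being split out, consider giving it its own minimal `permissions:` block, since a scan-only job should not need more than read access.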
Contributor

By splitting the job, we can't refer to the BUILD file generated in the build job from the scan job.
You can use the GITHUB_OUTPUT variable to pass key-value pairs across jobs.

@takahiro-yamada (Contributor) left a comment

As mentioned at the other place, we need to consider how to use GITHUB_OUTPUT.

@012xx 012xx changed the title Change to scan job when the build job is finished. Changed to execute a scan job when the build job is finished. Nov 19, 2024
.github/workflows/release.yaml (outdated)
YAMORY_IMAGE_IDENTIFIER="${d}:$BRANCH" YAMORY_IMAGE_NAME="${d}:$TAG" bash -c "$(curl -sSf -L https://mw-receiver.yamory.io/image/script/trivy)"
done
for ubuntu_version in ${{ env.ubuntu-version }}; do
cd $ubuntu_version
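Review bot: a failed download is silently treated as a successful scan here: in `bash -c "$(curl -sSf -L https://mw-receiver.yamory.io/image/script/trivy)"` only the exit status of `bash -c` counts (command substitution status is discarded, even under `-e`), so when `-f` makes curl fail the loop runs `bash -c ""`, returns 0 and moves on to the next image with nothing scanned. Since the motivation for this PR is scan failures, suggest downloading the script once before the loop (`curl -sSf -L -o yamory-trivy.sh https://mw-receiver.yamory.io/image/script/trivy`, which does fail the step on error), verifying it against a checksum or version the vendor publishes if one is available, and running that local copy for each image; that also stops the loop from re-fetching and re-executing remote code on every iteration.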
Contributor

[Q]
Does this work?
It may fail from the second loop because the second time it runs the cd command from ${WORK_DIR}/20.04 to ${WORK_DIR}/20.04/22.04.

Contributor (Author)

I found out that it didn't work when I debugged it on my own, so I fixed the way I wrote it 🙏

@@ -6,8 +6,8 @@ on:
env:
go-version: 1.23
jobs:
release:
name: release images
build:
Contributor

It looks better if the job identifier remains "release" since its main purpose is release.

Contributor

@012xx
How about this?

Comment on lines 115 to 122
cd ${ubuntu_version}
TAG=$(cat TAG)
for ubuntu_image in ${{ env.ubuntu-image }}; do
echo
echo "scanning $d:$TAG ..."
YAMORY_IMAGE_IDENTIFIER="${d}:$BRANCH" YAMORY_IMAGE_NAME="${d}:$TAG" bash -c "$(curl -sSf -L https://mw-receiver.yamory.io/image/script/trivy)"
echo "scanning ${ubuntu_image}:${TAG} ..."
YAMORY_IMAGE_IDENTIFIER="ghcr.io/cybozu/${ubuntu_image}:${ubuntu_version}" YAMORY_IMAGE_NAME="${ubuntu_image}:${TAG}" bash -c "$(curl -sSf -L https://mw-receiver.yamory.io/image/script/trivy)"
done
cd ../
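Review bot: `echo "scanning $d:$TAG ..."` and `YAMORY_IMAGE_IDENTIFIER="${d}:$BRANCH" YAMORY_IMAGE_NAME="${d}:$TAG" ...` still reference `$d` and `$BRANCH`, which this loop never sets (its variables are `ubuntu_version`, `ubuntu_image` and `TAG`). If those are the lines being removed, fine; if either survives, `${d}:$BRANCH` expands to `:<branch>` and the scanner is pointed at a non-existent image, so please make sure only the `${ubuntu_image}` pair remains in the loop body.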
Contributor

As mentioned in another PR, we don't need to cd but only need to specify the paths from the parent path.

e.g., TAG=$(cat "${ubuntu_version}/TAG")
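A worked version of the two suggestions above (reading each TAG from the parent path instead of cd-ing, and handing build results to the scan job through GITHUB_OUTPUT), as added example code rather than the project's workflow. The directory tree, TAG contents and image list (`ubuntu ubuntu-dev`) are constructed; only the `ghcr.io/cybozu/` prefix comes from the diff.

```shell
#!/usr/bin/env bash
# Added example (not the project's workflow). Two review points, worked through:
#  1. pass build results to the scan job via $GITHUB_OUTPUT; multi-line values need
#     the "key<<DELIM" form, with a random delimiter so a value cannot end it early;
#  2. read "${version}/TAG" from the parent directory instead of cd-ing into it.
set -eu

# Append key=value to the file named by $GITHUB_OUTPUT (GitHub reads it after the step).
write_output() {
  key=$1; value=$2; nl='
'
  case $value in
    *"$nl"*)
      # Heredoc form. An unpredictable delimiter keeps untrusted content (e.g. a tag
      # read from a file) from terminating the value and injecting a second output.
      delim="ghadelim_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
      printf '%s<<%s\n%s\n%s\n' "$key" "$delim" "$value" "$delim" >> "$GITHUB_OUTPUT" ;;
    *)
      printf '%s=%s\n' "$key" "$value" >> "$GITHUB_OUTPUT" ;;
  esac
}

# Print one "identifier name" line per (version, image) pair: the same pairs the scan
# loop needs. Paths are built from $root, so no cd and no drift into root/20.04/22.04.
# usage: scan_targets ROOT "VERSION..." "IMAGE..."
scan_targets() {
  root=$1; versions=$2; images=$3
  for version in $versions; do
    tag=$(cat "${root}/${version}/TAG")
    for image in $images; do
      printf '%s %s\n' "ghcr.io/cybozu/${image}:${version}" "ghcr.io/cybozu/${image}:${tag}"
    done
  done
}

# Demo on a constructed tree; TAG contents and the image list are made up.
# In the workflow the scan job would read ${{ needs.build.outputs.targets }} instead.
demo() {
  root=$(mktemp -d)
  mkdir -p "$root/20.04" "$root/22.04"
  echo 20.04.1 > "$root/20.04/TAG"
  echo 22.04.1 > "$root/22.04/TAG"
  GITHUB_OUTPUT="$root/github_output"; export GITHUB_OUTPUT
  write_output targets "$(scan_targets "$root" "20.04 22.04" "ubuntu ubuntu-dev")"
  cat "$GITHUB_OUTPUT"
}
demo
```

In the workflow this would run in the build job as a step with an `id`, exposed as `outputs: targets: ${{ steps.<id>.outputs.targets }}`, and the scan job (`needs: build`) would read `${{ needs.build.outputs.targets }}` line by line into YAMORY_IMAGE_IDENTIFIER and YAMORY_IMAGE_NAME.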

echo "scanning $d:$TAG ..."
YAMORY_IMAGE_IDENTIFIER="${d}:$BRANCH" YAMORY_IMAGE_NAME="${d}:$TAG" bash -c "$(curl -sSf -L https://mw-receiver.yamory.io/image/script/trivy)"
echo "scanning ${ubuntu_image}:${TAG} ..."
YAMORY_IMAGE_IDENTIFIER="ghcr.io/cybozu/${ubuntu_image}:${ubuntu_version}" YAMORY_IMAGE_NAME="${ubuntu_image}:${TAG}" bash -c "$(curl -sSf -L https://mw-receiver.yamory.io/image/script/trivy)"
Contributor

I think YAMORY_IMAGE_NAME should be modified.
Please check the file before you modified it here.

Suggested change
YAMORY_IMAGE_IDENTIFIER="ghcr.io/cybozu/${ubuntu_image}:${ubuntu_version}" YAMORY_IMAGE_NAME="${ubuntu_image}:${TAG}" bash -c "$(curl -sSf -L https://mw-receiver.yamory.io/image/script/trivy)"
YAMORY_IMAGE_IDENTIFIER="ghcr.io/cybozu/${ubuntu_image}:${ubuntu_version}" YAMORY_IMAGE_NAME="ghcr.io/cybozu/${ubuntu_image}:${TAG}" bash -c "$(curl -sSf -L https://mw-receiver.yamory.io/image/script/trivy)"

@012xx 012xx self-assigned this Nov 20, 2024

@takahiro-yamada (Contributor) left a comment

LGTM

@012xx 012xx merged commit 70dbf40 into main Nov 20, 2024
3 checks passed
@012xx 012xx deleted the scan-compatible branch November 20, 2024 05:14