diff --git a/.github/workflows/build-image-ci.yaml b/.github/workflows/build-image-ci.yaml
index a5720c482..a3424011c 100644
--- a/.github/workflows/build-image-ci.yaml
+++ b/.github/workflows/build-image-ci.yaml
@@ -182,7 +182,7 @@ jobs:
 # docker cache after the workflow "Image CI Cache Cleaner" was terminated.
 push: ${{ env.push }}
 platforms: linux/amd64
- outputs: type=tar,dest=/tmp/${{ matrix.name }}-race.tar
+ outputs: type=docker,dest=/tmp/${{ matrix.name }}-race.tar
 github-token: ${{ secrets.WELAN_PAT }}
 tags: |
 ${{ env.ONLINE_REGISTER }}/${{ github.repository }}/${{ matrix.name }}-ci:${{ env.tag }}-race
@@ -231,7 +231,7 @@ jobs:
 push: ${{ env.push }}
 platforms: linux/amd64
 github-token: ${{ secrets.WELAN_PAT }}
- outputs: type=tar,dest=/tmp/${{ matrix.name }}-race.tar
+ outputs: type=docker,dest=/tmp/${{ matrix.name }}-race.tar
 tags: |
 ${{ env.ONLINE_REGISTER }}/${{ github.repository }}/${{ matrix.name }}-ci:${{ env.tag }}-race
 build-args: |
diff --git a/.github/workflows/e2e-init.yaml b/.github/workflows/e2e-init.yaml
index 0257bdfda..c87e297a0 100644
--- a/.github/workflows/e2e-init.yaml
+++ b/.github/workflows/e2e-init.yaml
@@ -122,8 +122,12 @@ jobs:
 for ITEM in $TAR_FILES ; do
 IMAGE_NAME=${ITEM%*.tar}
 echo ${IMAGE_NAME}
- cat test/.download/${ITEM} | docker import - ${IMAGE_NAME}:${{ inputs.image_tag }}
+ docker load -i test/.download/${ITEM}
+ ITEM_IMAGE_ID=$(docker images | grep ${IMAGE_NAME} | grep ${{ inputs.image_tag }} | awk '{print $3}')
+ docker tag ${ITEM_IMAGE_ID} ${IMAGE_NAME}:${{ inputs.image_tag }}
 done
+ echo "list docker images"
+ docker images
 
 # test against commit version
 # https://github.com/kubernetes-sigs/kind/issues/2863
@@ -164,7 +168,7 @@ jobs:
 else
 echo "RUN_SETUP_KIND_CLUSTER_PASS=false" >> $GITHUB_ENV
 fi
- if [ -f "test/e2edebugLog" ] ; then
+ if [ -f "test/e2edebugLog.txt" ] ; then
 echo "UPLOAD_SETUP_KIND_CLUSTER_LOG=true" >> $GITHUB_ENV
 else
 echo "UPLOAD_SETUP_KIND_CLUSTER_LOG=false" >> $GITHUB_ENV
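Review bot: The switch of `outputs:` from `type=tar` to `type=docker` carries no comment saying why, and the identical one-line change is repeated in this file's second hunk (@@ -231). The reason is only visible in another file: the consuming e2e-init step moves from `docker import` (a bare filesystem tarball) to `docker load` (a docker-archive that keeps the reference given under `tags:`), so a maintainer reverting one line would silently break that loader. Suggested comment above the `outputs:` line in both hunks: `# type=docker writes a docker-archive that docker load restores with the tags below; type=tar was a plain rootfs that needed docker import`. Both enclosing build steps start and end outside the hunks.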
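Review bot: `ITEM_IMAGE_ID=$(docker images | grep ${IMAGE_NAME} | grep ${{ inputs.image_tag }} | awk '{print $3}')` picks the freshly loaded image by an unanchored substring match over the human-readable `docker images` table, so any other local image whose repository contains ${IMAGE_NAME} (a name that is a prefix of another, or a leftover from an earlier run on the same runner) produces several IDs and the following `docker tag` gets extra arguments or tags the wrong image. Because the artifact is now a docker-archive, `docker load` already prints the restored reference, so capture that instead of scraping the table: `LOADED_REF=$(docker load -i "test/.download/${ITEM}" | sed -n 's/^Loaded image: //p' | head -n 1)` followed by `docker tag "${LOADED_REF}" "${IMAGE_NAME}:${{ inputs.image_tag }}"`. Quoting the expansions also stops word-splitting on an unexpected name, and since `${{ inputs.image_tag }}` is substituted into the shell text before it runs (pre-existing here, not introduced by this hunk), it should stay a value this workflow computes rather than a free-form input from a caller. The enclosing `run:` script starts and ends outside the hunk.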
diff --git a/.github/workflows/trivy-scan-image.yaml b/.github/workflows/trivy-scan-image.yaml
index 19e9bbdd7..49ba3e4e3 100644
--- a/.github/workflows/trivy-scan-image.yaml
+++ b/.github/workflows/trivy-scan-image.yaml
@@ -35,24 +35,22 @@ jobs:
 name: image-tar-spiderpool-controller
 path: test/.download
 
- - name: Load And Scan Images
- run: |
- TAR_FILES=` ls test/.download `
- echo $TAR_FILES
- for ITEM in $TAR_FILES ; do
- IMAGE_NAME=${ITEM%*.tar}
- echo ${IMAGE_NAME}
- cat test/.download/${ITEM} | docker import - ${IMAGE_NAME}:${{ inputs.image_tag }}
- echo "---------trivy checkout image ${IMAGE_NAME}:${{ inputs.image_tag }} --------------------"
- make lint_image_trivy -e IMAGE_NAME=${IMAGE_NAME}:${{ inputs.image_tag }} \
- || { echo "RUN_IMAGE_TRIVY_FAIL=true" >> $GITHUB_ENV ; echo "error, image ${IMAGE_NAME}:${{ inputs.image_tag }} is bad" ; }
- done
+ - name: List downloaded files
+ run: ls -al test/.download
 
- - name: Show Trivy Scan Report
- run: |
- if [ "${{ env.RUN_IMAGE_TRIVY_FAIL }}" == "true" ] ; then
- echo "error, image is not secure, see detail on Step 'Load And Scan Images' "
- exit 1
- else
- exit 0
- fi
+ # https://github.com/aquasecurity/trivy-action/issues/389
+ - name: load and scan spiderpool-agent image
+ uses: aquasecurity/trivy-action@0.28.0
+ env:
+ TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db,ghcr.io/aquasecurity/trivy-db
+ with:
+ input: test/.download/spiderpool-agent-trivy.tar
+ severity: 'CRITICAL,HIGH'
+
+ - name: load and scan spiderpool-controller image
+ uses: aquasecurity/trivy-action@0.28.0
+ env:
+ TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db,ghcr.io/aquasecurity/trivy-db
+ with:
+ input: test/.download/spiderpool-controller-trivy.tar
+ severity: 'CRITICAL,HIGH'
diff --git a/Makefile b/Makefile
index 7677890d7..2d80b2e87 100644
--- a/Makefile
+++ b/Makefile
@@ -501,4 +501,3 @@ lint_chart_trivy:
 .PHONY: build-chart
 build-chart:
 @ cd charts ; make
-
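Review bot: The two new trivy-action steps no longer fail the job on findings: the removed "Show Trivy Scan Report" step did `exit 1` whenever RUN_IMAGE_TRIVY_FAIL was set, but neither new step sets `exit-code`, and Trivy's default exit code is 0 whatever it finds, so a CRITICAL/HIGH result now only appears in the log while the workflow stays green. Add `exit-code: '1'` under `with:` in both steps (optionally with `ignore-unfixed: true` so findings without an available fix do not block), which restores the gate the old step provided. Separately, `uses: aquasecurity/trivy-action@0.28.0` references a mutable tag; pin both steps to the release's full commit SHA, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha-of-v0.28.0> # v0.28.0`, so a moved tag cannot change the scanner code that runs against the artifacts. The tar names under `input:` (`spiderpool-agent-trivy.tar`, `spiderpool-controller-trivy.tar`) cannot be checked against the producing workflow from this hunk; the preceding `ls -al test/.download` step will at least show a mismatch in the log.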