4343 type : boolean
4444 required : false
4545 default : true
46- scan-upload :
47- description : Upload scanned images that have vulnerabilities?
46+ scan-push :
47+ description : Push scanned images that have vulnerabilities?
4848 type : boolean
4949 required : false
5050 default : true
@@ -135,11 +135,6 @@ jobs:
135135 run : |
136136 curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.44.0
137137
138- - name : Install jq
139- run : |
140- curl --output /usr/local/bin/jq -sfL https://github.com/jqlang/jq/releases/download/jq-1.6/jq-linux64
141- chmod +x /usr/local/bin/jq
142-
143138 - name : Setup networking
144139 run : |
145140 if ! ip l show breth1 >/dev/null 2>&1; then
@@ -186,7 +181,7 @@ jobs:
186181env :
187182 KAYOBE_VAULT_PASSWORD : ${{ secrets.KAYOBE_VAULT_PASSWORD }}
188183
189- - name : Build and push kolla overcloud images
184+ - name : Build kolla overcloud images
190185 run : |
191186 args="${{ github.event.inputs.regexes }}"
192187 args="$args -e kolla_base_distro=${{ matrix.distro }}"
@@ -198,7 +193,7 @@ jobs:
198193 KAYOBE_VAULT_PASSWORD : ${{ secrets.KAYOBE_VAULT_PASSWORD }}
199194 if : github.event.inputs.overcloud == 'true'
200195
201- - name : Build and push kolla seed images
196+ - name : Build kolla seed images
202197 run : |
203198 args="kolla_base_distro=${{ matrix.distro }}"
204199 args="$args -e kolla_tag=${{ needs.generate-tag.outputs.kolla_tag }}"
@@ -225,12 +220,12 @@ jobs:
225220 # Make a file of imagename:tag
226221 grep --invert-match --no-filename ^REPOSITORY ${{ matrix.distro }}-container-images |\
227222 sed 's/ \+/:/g' |\
228- cut -f 1,2 -d: > docker-images.txt
223+ cut -f 1,2 -d: > ${{ matrix.distro }}- docker-images.txt
229224
230225name : Scan built container images
231226 run : |
232- set -euo pipefail
233- mkdir -p image-scan-output
227+ set -xeuo pipefail
228+ mkdir -p ${{ matrix.distro }}- image-scan-output
234229
235230 rm -f images-to-push.txt
236231
@@ -244,18 +239,19 @@ jobs:
244239 --scanners vuln \
245240 --format json \
246241 --severity HIGH,CRITICAL \
247- --output image-scan-output/${filename}.json \
242+ --output ${{ matrix.distro }}- image-scan-output/${filename}.json \
248243 --ignore-unfixed \
249244 $image); then
250- echo "${image}" >> images-to-push.txt
251- rm image-scan-output/${filename}.json
245+ echo "${image}" >> ${{ matrix.distro }}-images-to-push.txt
252246 else
253- if [${{github.event.input .scan-upload}} == ' true' ]; then
254- echo "${image}" >> images-to-push.txt
247+ if [ " ${{github.event.inputs .scan-push}}" == " true" ]; then
248+ echo "${image}" >> ${{ matrix.distro }}- images-to-push.txt
255249 fi
256250
257- echo '"PkgName","PkgPath","PkgID","VulnerabilityID","FixedVersion","PrimaryURL","Severity"' > image-scan-output/${filename}.csv
258- jq -r '.Results[].Vulnerabilities
251+ echo '"PkgName","PkgPath","PkgID","VulnerabilityID","FixedVersion","PrimaryURL","Severity"' > ${{ matrix.distro }}-image-scan-output/${filename}.summary.csv
252+ jq -r '.Results[]
253+ | select(.Vulnerabilities)
254+ | .Vulnerabilities
259255 # Ignore packages with "kernel" in the PkgName
260256 | map(select(.PkgName | test("kernel") | not ))
261257 | group_by(.VulnerabilityID)
@@ -271,37 +267,35 @@ jobs:
271267 ]
272268 )
273269 | .[]
274- | @csv' image-scan-output/${filename}.json >> image-scan-output/${filename}.summary.csv
270+ | @csv' ${{ matrix.distro }}- image-scan-output/${filename}.json >> ${{ matrix.distro }}- image-scan-output/${filename}.summary.csv
275271 fi
276- done < docker-images.txt
277- mv images-to-push.txt docker-images.txt
272+ done < ${{ matrix.distro }}- docker-images.txt
273+ mv ${{ matrix.distro }}- images-to-push.txt ${{ matrix.distro }}- docker-images.txt
278274shell : bash
279275 if : github.event.inputs.scan == 'true'
280276
281277 - name : Upload Trivy scan artefacts
282278 uses : actions/upload-artifact@v3
283279 with :
284- name : " trivy-scan-output"
285- path : |
286- 'image-scan-output/*.json'
287- 'image-scan-output/*.summary.csv'
280+ name : ${{ matrix.distro }}-image-scan-output
281+ path : ${{ matrix.distro }}-image-scan-output
288282 retention-days : 7
289- if : github.event.inputs.scan == 'true'
283+ if : always()
290284
291285 - name : Push images
292286 run : |
293287 source venvs/kayobe/bin/activate &&
294288 source src/kayobe-config/kayobe-env --environment ci-builder &&
295- kayobe playbook run ${KAYOBE_CONFIG_PATH}/ansible/docker-registry-login.yml
289+ kayobe playbook run --become ${KAYOBE_CONFIG_PATH}/ansible/docker-registry-login.yml
296290
297291 while read -r image; do
298292 # Retries!
299293 for i in {1..10}; do
300- docker push ${image} && break || sleep 5
294+ sudo docker push ${image} && break || sleep 5
301295 done
302- done < docker-images.txt
296+ done < ${{ matrix.distro }}- docker-images.txt
303297shell : bash
304- if : ${{ inputs.push }}
298+ if : github.event. inputs.push == 'true'
305299
306300 - name : Prune local Kolla container images over 1 week old
307301 run : |
0 commit comments