Continue the Trivy workflow when its data download fails
Later steps will use data from the action cache and ignore its age.
The workflow fails when the download fails and the cache is empty.

Issue: PGO-1893
cbandy committed Nov 17, 2024
1 parent 1534331 commit bd4a91e
Showing 2 changed files with 21 additions and 2 deletions.
8 changes: 8 additions & 0 deletions .github/actions/trivy/action.yaml
Expand Up @@ -13,6 +13,11 @@ inputs:
description: >-
What Trivy data to cache; one or more of restore, save, success, or use.
database:
default: update
description: >-
How Trivy should handle its data; one of update or skip.
setup:
default: v0.57.0,cache
description: >-
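Review bot: the new `database` input is only ever compared against the literal `skip` (in the env block of this action), so any other value, including a typo such as `Skip` or `none`, silently behaves as `update` even though the description promises exactly two choices. Consider rejecting anything other than `update` or `skip` in the step that already parses inputs (`steps.parsed` is used for `cache`), so a misconfigured caller fails loudly rather than running a scan with different update behaviour than it asked for.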
Expand Down Expand Up @@ -67,6 +72,9 @@ runs:
env:
TRIVY_CACHE_DIR: >-
${{ contains(fromJSON(steps.parsed.outputs.cache), 'use') && inputs.cache-directory || '' }}
TRIVY_SKIP_CHECK_UPDATE: ${{ inputs.database == 'skip' }}
TRIVY_SKIP_DB_UPDATE: ${{ inputs.database == 'skip' }}
TRIVY_SKIP_JAVA_DB_UPDATE: ${{ inputs.database == 'skip' }}
run: |
# Run Trivy
trivy '${{ inputs.scan-type }}' '${{ inputs.scan-target }}' || result=$?
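Review bot: with `database: skip` all three `TRIVY_SKIP_*_UPDATE` variables are set together, so the scan uses whatever database the restored cache holds, with no check on its age; and when the restore yields nothing (the first run after the cache job fails), `trivy` exits non-zero here and `result=$?` carries that into the later steps, which matches the commit message but is worth a comment in the script. Consider printing the cached database's update timestamps before the scan (for example via `trivy --version` with `TRIVY_CACHE_DIR` set, which reports them when a database is present) so a scan against a stale database is visible in the job log.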
15 changes: 13 additions & 2 deletions .github/workflows/trivy.yaml
Expand Up @@ -16,6 +16,8 @@ jobs:
cache:
# Run only one of these jobs at a time across the entire project.
concurrency: { group: trivy-cache }
# Do not fail this workflow when this job fails.
continue-on-error: true

runs-on: ubuntu-latest
steps:
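Review bot: `continue-on-error: true` at the job level keeps a download failure from failing the workflow, but it also keeps that failure off the run's overall status, so a download that stays broken for weeks would only show up in this job's log while the `licenses` and `vulnerabilities` jobs keep reporting green against an aging database. Consider emitting a `::warning::` annotation (or a job output the dependent jobs can print) when the download step fails, so the degraded state is visible on the run summary rather than only on the failed job.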
Expand All @@ -29,7 +31,11 @@ jobs:
TRIVY_SCANNERS: license,secret,vuln

licenses:
# Run this job after the cache job regardless of its success or failure.
needs: [cache]
if: >-
${{ !cancelled() }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
Expand All @@ -48,13 +54,16 @@ jobs:
TRIVY_SCANNERS: license
with:
cache: restore,use
database: skip

vulnerabilities:
if: ${{ github.repository == 'CrunchyData/postgres-operator' }}
# Run this job after the cache job regardless of its success or failure.
needs: [cache]
if: >-
${{ github.repository == 'CrunchyData/postgres-operator' && !cancelled() }}
permissions:
security-events: write

needs: [cache]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
Expand All @@ -68,6 +77,7 @@ jobs:
TRIVY_SCANNERS: secret,vuln
with:
cache: restore,use
database: skip

# Produce a SARIF report of actionable results. This step fails only when
# Trivy is unable to scan.
Expand All @@ -80,6 +90,7 @@ jobs:
TRIVY_SCANNERS: secret,vuln
with:
cache: use
database: skip
setup: none

# Submit the SARIF report to GitHub code scanning. Pull requests checks
