ci: add cron job to cache trivy db (#284)

Signed-off-by: Binbin Li <[email protected]>
binbin-li · Nov 6, 2024 · ff845a9 · ff845a9
1 parent 716fb8a
commit ff845a9
Show file tree

Hide file tree

Showing 5 changed files with 74 additions and 29 deletions.
diff --git a/.github/workflows/build-pr.yml b/.github/workflows/build-pr.yml
@@ -11,14 +11,19 @@ on:
 permissions: read-all
 
 jobs:
+  restore_trivy_cache:
+    uses: ./.github/workflows/restore-trivy-cache.yml
+
   call_test_cli:
+    needs: ["restore_trivy_cache"]
     uses: ./.github/workflows/e2e-cli.yml
     secrets:
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 
   call_test_e2e_basic:
     name: "run e2e on basic matrix"
     if: ${{ ! (contains(github.event.pull_request.labels.*.name, 'safe to test') || github.event_name == 'workflow_dispatch') }}
+    needs: ["restore_trivy_cache"]
     permissions:
       contents: read
     strategy:
@@ -34,6 +39,7 @@ jobs:
   build_test_e2e_full_conditional:
     name: "run e2e on full test matrix with conditions"
     if: contains(github.event.pull_request.labels.*.name, 'safe to test') || github.event_name == 'workflow_dispatch'
+    needs: ["restore_trivy_cache"]
     strategy:
       fail-fast: false
       matrix:
@@ -47,6 +53,7 @@ jobs:
   build_test_aks_e2e_conditional:
     name: "Build and run e2e Test on AKS with conditions"
     if: contains(github.event.pull_request.labels.*.name, 'safe to test') || github.event_name == 'workflow_dispatch' || github.event_name == 'push'
+    needs: ["restore_trivy_cache"]
     permissions:
       id-token: write
       contents: read

diff --git a/.github/workflows/restore-trivy-cache.yml b/.github/workflows/restore-trivy-cache.yml
@@ -0,0 +1,22 @@
+name: 'Restore Trivy cache directory'
+on:
+  workflow_call:
+
+permissions: read-all
+
+jobs:
+  restore_trivy_cache:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get current date
+        id: date
+        run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+      - name: Restore trivy cache directory
+        uses: actions/cache/restore@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        with:
+          path: ${{ github.workspace }}/.cache/trivy
+          key: cache-trivy-${{ steps.date.outputs.date }}
+      - name: Set up trivy cache directory
+        run: |
+          mkdir -p ~/.cache/trivy
+          cp -r ${{ github.workspace }}/.cache/trivy/db ~/.cache/trivy
diff --git a/.github/workflows/scan-vulns.yaml b/.github/workflows/scan-vulns.yaml
@@ -33,9 +33,13 @@ jobs:
           check-latest: true
       - uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
 
+  restore_trivy_cache:
+    uses: ./.github/workflows/restore-trivy-cache.yml
+
   scan_vulnerabilities:
     name: "[Trivy] Scan for vulnerabilities"
     runs-on: ubuntu-22.04
+    needs: ["restore_trivy_cache"]
     timeout-minutes: 15
     env:
       TRIVY_VERSION: 0.49.1
@@ -54,16 +58,6 @@ jobs:
           wget https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
           tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
           echo "$(pwd)" >> $GITHUB_PATH
-      
-      - name: Download vulnerability database
-        uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
-        with:
-          max_attempts: 3
-          retry_on: error
-          timeout_seconds: 30
-          retry_wait_seconds: 5
-          command: |
-            trivy image --download-db-only
 
       - name: Run trivy on git repository
         run: |

diff --git a/.github/workflows/update-trivy-cache.yml b/.github/workflows/update-trivy-cache.yml
@@ -0,0 +1,41 @@
+name: Update Trivy Cache
+
+on:
+  schedule:
+    - cron: '0 0 * * *'  # Run daily at midnight UTC
+  workflow_dispatch:
+
+permissions: read-all
+
+jobs:
+  update-trivy-db:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Setup oras
+        uses: oras-project/setup-oras@9c92598691bfef1424de2f8fae81941568f5889c # v1.2.1
+
+      - name: Get current date
+        id: date
+        run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
+      - name: Prepare DB directory
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
+      
+      - name: Download vulnerability database
+        uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
+        with:
+          max_attempts: 10
+          retry_on: error
+          timeout_seconds: 30
+          retry_wait_seconds: 60
+          command: |
+            oras pull ghcr.io/aquasecurity/trivy-db:2
+            tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
+            rm db.tar.gz
+
+      - name: Cache DBs
+        uses: actions/cache/save@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        with:
+          path: ${{ github.workspace }}/.cache/trivy
+          key: cache-trivy-${{ steps.date.outputs.date }}
diff --git a/Makefile b/Makefile
@@ -467,25 +467,6 @@ e2e-trivy-setup:
 	curl -L https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz --output .staging/trivy/trivy.tar.gz
 	tar -zxf .staging/trivy/trivy.tar.gz -C .staging/trivy
 
-	# Download vulnerability database in retry mode
-	max_retries=3; \
-	attempt=1; \
-	wait_time=2; \
-	while [ $$attempt -le $$max_retries ]; do \
-		echo "Attempt $$attempt of $$max_retries..."; \
-		if .staging/trivy/trivy image --download-db-only; then \
-			break; \
-		fi; \
-		if [ $$attempt -eq $$max_retries ]; then \
-			echo "Failed after $$max_retries attempts."; \
-			exit 1; \
-		fi; \
-		echo "Failed. Retrying in $$wait_time seconds..."; \
-		sleep $$wait_time; \
-		wait_time=$$(( wait_time * 2 )); \
-		attempt=$$(( attempt + 1 )); \
-	done
-
 e2e-schemavalidator-setup:
 	rm -rf .staging/schemavalidator
 	mkdir -p .staging/schemavalidator