diff --git a/.github/workflows/build-pr.yml b/.github/workflows/build-pr.yml
index 272f4333e..c70c27382 100644
--- a/.github/workflows/build-pr.yml
+++ b/.github/workflows/build-pr.yml
@@ -11,7 +11,11 @@ on: permissions: read-all jobs: + restore_trivy_cache: + uses: ./.github/workflows/restore-trivy-cache.yml + call_test_cli: + needs: ["restore_trivy_cache"] uses: ./.github/workflows/e2e-cli.yml secrets: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
@@ -19,6 +23,7 @@ jobs: call_test_e2e_basic: name: "run e2e on basic matrix" if: ${{ ! (contains(github.event.pull_request.labels.*.name, 'safe to test') || github.event_name == 'workflow_dispatch') }} + needs: ["restore_trivy_cache"] permissions: contents: read strategy:
@@ -34,6 +39,7 @@ jobs: build_test_e2e_full_conditional: name: "run e2e on full test matrix with conditions" if: contains(github.event.pull_request.labels.*.name, 'safe to test') || github.event_name == 'workflow_dispatch' + needs: ["restore_trivy_cache"] strategy: fail-fast: false matrix:
@@ -47,6 +53,7 @@ jobs: build_test_aks_e2e_conditional: name: "Build and run e2e Test on AKS with conditions" if: contains(github.event.pull_request.labels.*.name, 'safe to test') || github.event_name == 'workflow_dispatch' || github.event_name == 'push' + needs: ["restore_trivy_cache"] permissions: id-token: write contents: read
diff --git a/.github/workflows/restore-trivy-cache.yml b/.github/workflows/restore-trivy-cache.yml
new file mode 100644
index 000000000..f613dc7e9
--- /dev/null
+++ b/.github/workflows/restore-trivy-cache.yml
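Review bot: `needs: ["restore_trivy_cache"]` on call_test_cli only orders the jobs; the reusable workflow restores the cache into its own runner's `~/.cache/trivy`, and that filesystem is discarded when the job finishes, so the called e2e-cli.yml job still starts without a DB unless it restores the cache itself (not visible in this diff). The same applies to the three `needs:` lines added in the following hunks of this file and to scan_vulnerabilities in scan-vulns.yaml. A cache restore only helps the job that performs it, so each consumer needs its own `actions/cache/restore` step with the same `path` and `key` (plus `restore-keys: cache-trivy-` so an older day's DB is accepted), or the restore job would have to publish the DB as an artifact that consumers download. As written, the added job costs a runner and, if it fails, blocks every PR job behind it, while trivy still fetches the DB on first use in each job.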
@@ -0,0 +1,22 @@ +name: 'Restore Trivy cache directory' +on: + workflow_call: + +permissions: read-all + +jobs: + restore_trivy_cache: + runs-on: ubuntu-latest + steps: + - name: Get current date + id: date + run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT + - name: Restore trivy cache directory + uses: actions/cache/restore@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 + with: + path: ${{ github.workspace }}/.cache/trivy + key: cache-trivy-${{ steps.date.outputs.date }} + - name: Set up trivy cache directory + run: | + mkdir -p ~/.cache/trivy + cp -r ${{ github.workspace }}/.cache/trivy/db ~/.cache/trivy \ No newline at end of file
diff --git a/.github/workflows/scan-vulns.yaml b/.github/workflows/scan-vulns.yaml
index 1a554a6e8..ccf6cf19b 100644
--- a/.github/workflows/scan-vulns.yaml
+++ b/.github/workflows/scan-vulns.yaml
@@ -33,9 +33,13 @@ jobs: check-latest: true - uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4 + restore_trivy_cache: + uses: ./.github/workflows/restore-trivy-cache.yml + scan_vulnerabilities: name: "[Trivy] Scan for vulnerabilities" runs-on: ubuntu-22.04 + needs: ["restore_trivy_cache"] timeout-minutes: 15 env: TRIVY_VERSION: 0.49.1
@@ -54,16 +58,6 @@ jobs: wget https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz echo "$(pwd)" >> $GITHUB_PATH - - - name: Download vulnerability database - uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0 - with: - max_attempts: 3 - retry_on: error - timeout_seconds: 30 - retry_wait_seconds: 5 - command: | - trivy image --download-db-only - name: Run trivy on git repository run: |
diff --git a/.github/workflows/update-trivy-cache.yml b/.github/workflows/update-trivy-cache.yml
new file mode 100644
index 000000000..c4aef43e0
--- /dev/null
+++ b/.github/workflows/update-trivy-cache.yml
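Review bot: the restore step looks up the exact key `cache-trivy-<today>` with no `restore-keys:` fallback, so on any day update-trivy-cache.yml has not yet completed (it is scheduled at 00:00 UTC and may fail or not have run) the restore misses, `${{ github.workspace }}/.cache/trivy/db` does not exist, and the `cp -r` in the last step fails the job, which through `needs:` skips every dependent job, including the scheduled vulnerability scan in scan-vulns.yaml. I would add `restore-keys: cache-trivy-` under `with:` so the most recent day's DB is accepted, and make the copy degrade instead of fail: `cp -r ${{ github.workspace }}/.cache/trivy/db ~/.cache/trivy || echo "No cached trivy DB; trivy will download it on first use"`. Minor: quote the redirect target in the date step, `>> "$GITHUB_OUTPUT"`.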
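Review bot: with `needs: ["restore_trivy_cache"]` added here and the retried `trivy image --download-db-only` step removed in the next hunk, scan_vulnerabilities has no DB on its own runner (the cache was restored on the reusable workflow's runner) and no explicit download, so the `Run trivy on git repository` step, whose body continues below the hunk, will fetch the DB implicitly during the scan without the retry wrapper the removed step provided. A failure of the restore job also skips this scan entirely, which for a scheduled vulnerability scan is a silent coverage gap. I'd drop the `needs:` and restore the cache inside this job, pointing trivy at the restored directory through `TRIVY_CACHE_DIR` (the env form of `--cache-dir`), so a cache miss just falls back to trivy's own download:
```yaml
  scan_vulnerabilities:
    # … unchanged: name, runs-on, timeout-minutes (needs: removed) …
    env:
      TRIVY_VERSION: 0.49.1
      TRIVY_CACHE_DIR: ${{ github.workspace }}/.cache/trivy
    steps:
      # … unchanged: earlier steps (trivy install) …
      - name: Get current date
        id: date
        run: echo "date=$(date +'%Y-%m-%d')" >> "$GITHUB_OUTPUT"
      - name: Restore trivy DB cache
        uses: actions/cache/restore@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
        with:
          path: ${{ github.workspace }}/.cache/trivy
          key: cache-trivy-${{ steps.date.outputs.date }}
          restore-keys: cache-trivy-
      # … unchanged: Run trivy on git repository …
```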
@@ -0,0 +1,41 @@ +name: Update Trivy Cache + +on: + schedule: + - cron: '0 0 * * *' # Run daily at midnight UTC + workflow_dispatch: + +permissions: read-all + +jobs: + update-trivy-db: + runs-on: ubuntu-latest + steps: + - name: Setup oras + uses: oras-project/setup-oras@9c92598691bfef1424de2f8fae81941568f5889c # v1.2.1 + + - name: Get current date + id: date + run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT + + - name: Prepare DB directory + run: | + mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db + + - name: Download vulnerability database + uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0 + with: + max_attempts: 10 + retry_on: error + timeout_seconds: 30 + retry_wait_seconds: 60 + command: | + oras pull ghcr.io/aquasecurity/trivy-db:2 + tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db + rm db.tar.gz + + - name: Cache DBs + uses: actions/cache/save@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 + with: + path: ${{ github.workspace }}/.cache/trivy + key: cache-trivy-${{ steps.date.outputs.date }} \ No newline at end of file
diff --git a/Makefile b/Makefile
index 3d06df53b..fde9cad09 100644
--- a/Makefile
+++ b/Makefile
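Review bot: `timeout_seconds: 30` bounds each attempt of the `oras pull` plus `tar` command, so on a slow runner a pull that consistently takes longer than 30 s exhausts all 10 attempts (with `retry_wait_seconds: 60`, roughly 15 minutes) without ever succeeding, and because restore-trivy-cache.yml looks up the exact `cache-trivy-<date>` key, one failed day leaves every consumer with a miss. I'd give each attempt a larger budget, e.g. `timeout_seconds: 300`, and keep `max_attempts` small. The pull also deserves a comment stating the trust it places: `# NOTE: fetches the mutable trivy-db:2 tag by name with no digest or signature check (same trust as trivy's built-in --download-db-only), then extracts it into the workspace`. Finally, each day's `actions/cache/save` creates a new entry; if the DB is as large as I expect, the repository's cache quota will fill within a couple of weeks and older entries, including any unrelated caches, will be evicted, so some pruning or a `workflow_dispatch`-only cleanup may be needed.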
@@ -467,25 +467,6 @@ e2e-trivy-setup: curl -L https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz --output .staging/trivy/trivy.tar.gz tar -zxf .staging/trivy/trivy.tar.gz -C .staging/trivy - # Download vulnerability database in retry mode - max_retries=3; \ - attempt=1; \ - wait_time=2; \ - while [ $$attempt -le $$max_retries ]; do \ - echo "Attempt $$attempt of $$max_retries..."; \ - if .staging/trivy/trivy image --download-db-only; then \ - break; \ - fi; \ - if [ $$attempt -eq $$max_retries ]; then \ - echo "Failed after $$max_retries attempts."; \ - exit 1; \ - fi; \ - echo "Failed. Retrying in $$wait_time seconds..."; \ - sleep $$wait_time; \ - wait_time=$$(( wait_time * 2 )); \ - attempt=$$(( attempt + 1 )); \ - done - e2e-schemavalidator-setup: rm -rf .staging/schemavalidator mkdir -p .staging/schemavalidator