Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CI: run Trivy only when the Build job _actually_ ran #239

Closed
paullatzelsperger opened this issue Apr 18, 2023 · 0 comments · Fixed by #240
Closed

CI: run Trivy only when the Build job _actually_ ran #239

paullatzelsperger opened this issue Apr 18, 2023 · 0 comments · Fixed by #240
Assignees
@paullatzelsperger
Labels
bug Something isn't working gh-actions good first issue Good for newcomers

Comments

@paullatzelsperger
Copy link
Contributor

WHAT

We need to modify our trivy.yaml job to run only when the build.yaml workflow has actually ran. Currently, the Trivy job is executed as soon as the Build job has completed.

WHY

Trivy scans the docker images for vulnerabilities, and it uses the Git SHA as Docker tag. However, Docker images are not produced during pull requests or on forks, so the Trivy job cannot resolve the docker image, and thus will always fail.

IMPLEMENTATION PROPOSAL

  1. Option 1: prevent Trivy runs on pull requests
    simply add if: ${{ github.event_name != 'pull_request' }} to the git-sha7 job. That will not prevent it from running in forks!

  2. Option 2: use repository_dispatch and define a custom event
    Check here

  3. Option 3: upload custom data using workflow_run
    Check the official documentation

Personally I think Option 3 is the most elegant one, because it will allow us to send a boolean flag (and potentially more data) as event payload, that indicates whether docker images were actually produced or not.
@paullatzelsperger paullatzelsperger added the enhancement New feature or request label Apr 18, 2023
@paullatzelsperger paullatzelsperger moved this to Todo in EDC Board Apr 18, 2023
@paullatzelsperger paullatzelsperger added bug Something isn't working gh-actions good first issue Good for newcomers and removed enhancement New feature or request labels Apr 18, 2023
@paullatzelsperger paullatzelsperger mentioned this issue Apr 18, 2023
Merged
@paullatzelsperger paullatzelsperger moved this from Todo to In Progress in EDC Board Apr 18, 2023
@paullatzelsperger paullatzelsperger self-assigned this Apr 18, 2023
@github-project-automation github-project-automation bot moved this from In Progress to Done in EDC Board Apr 19, 2023
@stephanbcbauer stephanbcbauer moved this from Open to Done in EDC Board Apr 28, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@paullatzelsperger paullatzelsperger

Labels
bug Something isn't working gh-actions good first issue Good for newcomers
Projects
EDC Board
Status: Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: only run trivy when docker images were actually built paullatzelsperger/tractusx-edc
1 participant
@paullatzelsperger