Check binaries #65
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Check binaries | |
on: | |
workflow_dispatch: | |
schedule: | |
- cron: "0 16 * * 1-5" # min h d Mo DoW / 9am PST M-F | |
jobs: | |
check-for-vulnerabilities: | |
runs-on: ubuntu-latest | |
outputs: | |
report_contents: ${{ steps.save-output.outputs.report_contents }} | |
steps: | |
- name: Setup python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.11' | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
with: | |
ref: main | |
- name: Download latest release | |
uses: robinraju/[email protected] | |
with: | |
latest: true | |
fileName: 'aws-lambda-rie*' | |
out-file-path: "bin" | |
- name: Run check for vulnerabilities | |
id: check-binaries | |
run: | | |
make check-binaries | |
- if: always() && failure() # `always()` to run even if the previous step failed. Failure means that there are vulnerabilities | |
name: Save content of the vulnerabilities report as GitHub output | |
id: save-output | |
run: | | |
report_csv="$(ls -tr output.cve-bin-*.csv 2>/dev/null | tail -n1)" # last file generated | |
if [ -z "$report_csv" ]; then | |
echo "No file with vulnerabilities. Probably a failure in previous step." | |
else | |
echo "Vulnerabilities stored in $report_csv" | |
fi | |
final_report="${report_csv}.txt" | |
awk -F',' '{n=split($10, path, "/"); print $2,$3,$4,$5,path[n]}' "$report_csv" | column -t > "$final_report" # make the CSV nicer | |
echo "report_contents<<EOF" >> "$GITHUB_OUTPUT" | |
cat "$final_report" >> "$GITHUB_OUTPUT" | |
echo "EOF" >> "$GITHUB_OUTPUT" | |
- if: always() && steps.save-output.outputs.report_contents | |
name: Build new binaries and check vulnerabilities again | |
id: check-new-version | |
run: | | |
mkdir ./bin2 | |
mv ./bin/* ./bin2 | |
make compile-with-docker-all | |
latest_version=$(strings bin/aws-lambda-rie* | grep '^go1\.' | sort | uniq) | |
echo "latest_version=$latest_version" >> "$GITHUB_OUTPUT" | |
make check-binaries | |
- if: always() && steps.save-output.outputs.report_contents | |
name: Save outputs for the check with the latest build | |
id: save-new-version | |
run: | | |
if [ "${{ steps.check-new-version.outcome }}" == "failure" ]; then | |
fixed="No" | |
else | |
fixed="Yes" | |
fi | |
echo "fixed=$fixed" >> "$GITHUB_OUTPUT" | |
- if: always() && steps.save-output.outputs.report_contents | |
name: Create GitHub Issue indicating vulnerabilities | |
id: create-issue | |
uses: dacbd/create-issue-action@main | |
with: | |
token: ${{ github.token }} | |
title: | | |
CVEs found in latest RIE release | |
body: | | |
### CVEs found in latest RIE release | |
``` | |
${{ steps.save-output.outputs.report_contents }} | |
``` | |
#### Are these resolved by building with the latest patch version of Go (${{ steps.check-new-version.outputs.latest_version }})?: | |
> **${{ steps.save-new-version.outputs.fixed }}** |