ci(trivy): disable caching, notify nightly failures (#436)

* ci(trivy): disable caching * ci(nightlies): notify pipeline failures * style: fmt
newrelic · Oct 15, 2024 · bf2ebda · bf2ebda
1 parent f5c5a78
commit bf2ebda
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 11 deletions.
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -38,6 +38,7 @@ jobs:
           exit-code: 1
           ignore-unfixed: true
           severity: CRITICAL,HIGH
+          cache: false
 
       - uses: docker/login-action@v3
         with:
@@ -48,3 +49,14 @@ jobs:
           export AGENT_VERSION=`go run ./downloader.go -agent-version-latest -staging`
           ./docker-build.sh . --push
 
+  notify-failure:
+    if: ${{ always() && failure() }}
+    needs: [build]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Notify failure via Slack
+        uses: archive/github-actions-slack@master
+        with:
+          slack-bot-user-oauth-access-token: ${{ secrets.COREINT_SLACK_TOKEN }}
+          slack-channel: ${{ secrets.CAOS_COREINT_SLACK_CHANNEL }}
+          slack-text: "❌ `newrelic/infrastructure-bundle`: [Nightly release failed](${{ github.server_url }}/newrelic/infrastructure-bundle/actions/runs/${{ github.run_id }})."
diff --git a/.github/workflows/on-demand.yml b/.github/workflows/on-demand.yml
@@ -3,7 +3,7 @@ on:
   workflow_dispatch:
     inputs:
       agent_version:
-        description: 'Agent version'
+        description: "Agent version"
         required: true
 jobs:
   build:
@@ -37,11 +37,11 @@ jobs:
           exit-code: 1
           ignore-unfixed: true
           severity: CRITICAL,HIGH
+          cache: false
 
       - uses: docker/login-action@v3
         with:
           username: ${{ secrets.OHAI_DOCKER_HUB_ID }}
           password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }}
       - name: Build and push docker image
         run: ./docker-build.sh . --push
-
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -11,7 +11,7 @@ jobs:
   build:
     name: Build and scan image
     runs-on: ubuntu-latest
-    env:  # Variables as understood by docker-build.sh
+    env: # Variables as understood by docker-build.sh
       DOCKER_IMAGE: newrelic/infrastructure-bundle
       DOCKER_IMAGE_TAG: ci
     steps:
@@ -39,26 +39,27 @@ jobs:
           format: table
           exit-code: 1
           ignore-unfixed: true
-          severity: 'CRITICAL,HIGH'
+          severity: "CRITICAL,HIGH"
+          cache: false
 
       - name: Run Trivy in report mode
         # Only generate sarif when running nightly on the main branch.
         if: ${{ github.event_name == 'schedule' }}
         uses: aquasecurity/[email protected]
         with:
           image-ref: ${{ env.DOCKER_IMAGE }}:${{ env.DOCKER_IMAGE_TAG }}
-          format: 'template'
-          template: '@/contrib/sarif.tpl'
-          output: 'trivy-results.sarif'
-          ignore-unfixed: false  # Get full report when running nightly.
-          severity: 'CRITICAL,HIGH'
+          format: "template"
+          template: "@/contrib/sarif.tpl"
+          output: "trivy-results.sarif"
+          ignore-unfixed: false # Get full report when running nightly.
+          severity: "CRITICAL,HIGH"
 
       - name: Upload Trivy scan results to GitHub Security tab
         # Only upload sarif when running nightly on the main branch.
         if: ${{ github.event_name == 'schedule' }}
         uses: github/codeql-action/upload-sarif@v3
         with:
-          sarif_file: 'trivy-results.sarif'
+          sarif_file: "trivy-results.sarif"
 
       - name: Run Snyk to check Docker image for vulnerabilities
         uses: snyk/actions/docker@master
@@ -67,7 +68,7 @@ jobs:
         with:
           image: ${{ env.DOCKER_IMAGE }}:${{ env.DOCKER_IMAGE_TAG }}
           args: --file=Dockerfile --severity-threshold=critical
-  
+
   notify-failure:
     if: ${{ github.event_name == 'schedule' && failure() }}
     needs: [build]