From 84cbf10b9c84f60be87fc0d3f22bcc1bcba8381c Mon Sep 17 00:00:00 2001
From: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>
Date: Tue, 25 Jun 2024 10:38:37 -0400
Subject: [PATCH] chore: add workflow to update quality test db (#1961)
---------
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
---
 .github/workflows/update-quality-gate-db.yml | 38 ++++++++++++++++++++
 Taskfile.yaml | 6 ++++
 test/quality/Makefile | 5 +--
 test/quality/test-db-url | 1 +
 4 files changed, 48 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/update-quality-gate-db.yml
 create mode 100644 test/quality/test-db-url
diff --git a/.github/workflows/update-quality-gate-db.yml b/.github/workflows/update-quality-gate-db.yml
new file mode 100644
index 00000000..8815c280
--- /dev/null
+++ b/.github/workflows/update-quality-gate-db.yml
@@ -0,0 +1,38 @@
+name: PR for upgrading quality gate test DB
+on:
+  schedule:
+    - cron: "0 16 1 * *" # first day of each month @ 11 AM EST
+
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  update-test-db-url:
+    runs-on: ubuntu-latest
+    if: github.repository == 'anchore/grype' # only run for main repo
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
+
+      - name: "Update quality DB"
+        run: |
+          make update-quality-gate-db
+
+      - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a #v2.1.0
+        id: generate-token
+        with:
+          app_id: ${{ secrets.TOKEN_APP_ID }}
+          private_key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
+
+      - uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c #v6.1.0
+        with:
+          signoff: true
+          delete-branch: true
+          branch: auto/update-quality-test-db
+          labels: test, changelog-ignore
+          commit-message: 'test: update quality gate db to latest version'
+          title: 'test: update quality gate db to latest version'
+          body: |
+            This is an auto-generated pull request to update the quality gate db to latest version
+          token: ${{ steps.generate-token.outputs.token }}
diff --git a/Taskfile.yaml b/Taskfile.yaml
index f1559485..2cfc9dee 100644
--- a/Taskfile.yaml
+++ b/Taskfile.yaml
@@ -100,6 +100,12 @@ tasks:
         cmd: "{{ .TOOL_DIR }}/binny update -v"
         silent: true
 
+  update-quality-gate-db:
+    desc: Update pinned version of quality gate database
+    cmds:
+      - cmd: "go run cmd/grype/main.go db list -o json | jq -r .[0].url > test/quality/test-db-url"
+        silent: true
+
   list-tools:
     desc: List all tools needed for CI and local development
     deps: [binny]
diff --git a/test/quality/Makefile b/test/quality/Makefile
index 56d11c83..34346dc9 100644
--- a/test/quality/Makefile
+++ b/test/quality/Makefile
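Review bot: The step at `run: make update-quality-gate-db` invokes make, but the target this commit adds is a Taskfile task (`update-quality-gate-db` in Taskfile.yaml), so the step only works if the repository's root Makefile forwards unknown targets to `task`; if that is the case, calling `task update-quality-gate-db` directly, or noting the forwarding in a comment, would make the dependency explicit. The job also runs `go run` and `jq` without an `actions/setup-go` step, so it relies on whatever Go toolchain the `ubuntu-latest` image ships, which may drift from the version pinned in go.mod — presumably worth a setup step pinned by SHA like the other actions. Every action is already pinned by commit SHA and the GITHUB_TOKEN is limited to `contents: read`, with PR creation delegated to the App token; a comment on the `permissions:` block such as `# GITHUB_TOKEN stays read-only; the App token from generate-token is what opens the PR` would make that intent clear to the next maintainer.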
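Review bot: The pipeline in the new `cmd:` truncates `test/quality/test-db-url` before either `go run` or `jq` has succeeded, so a failed `db list` (network error, listing format change) leaves an empty file with a zero exit status, and the workflow that calls this task would then open a pull request pinning an empty URL. Failing on an empty or null result closes that gap, e.g. `- cmd: "set -o pipefail && go run cmd/grype/main.go db list -o json | jq -er '.[0].url' > test/quality/test-db-url"` — `jq -e` exits non-zero when the selected value is null or false, and Task's built-in shell interpreter should honor `pipefail`, though that is worth confirming against the Task version in use. Quoting the filter as `'.[0].url'` also keeps the shell from treating `[0]` as a glob pattern.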
@@ -8,7 +8,8 @@ VULNERABILITY_LABELS = ./vulnerability-labels
 RESULT_SET = pr_vs_latest_via_sbom
 # update periodically with values from "grype db list"
-TEST_DB_URL = https://toolbox-data.anchore.io/grype/databases/vulnerability-db_v5_2024-06-24T01:29:58Z_1719202889.tar.gz
+TEST_DB_URL_FILE = ./test-db-url
+TEST_DB_URL = $(shell cat $(TEST_DB_URL_FILE))
 TEST_DB = db.tar.gz
 LISTING_FILE = https://toolbox-data.anchore.io/grype/databases/listing.json
@@ -43,7 +44,7 @@ check-db:
 	@echo "DB is fresh enough to be used for testing!"
 
 $(TEST_DB):
-	curl -o $(TEST_DB) -SsL $(TEST_DB_URL)
+	@curl -o $(TEST_DB) -SsL $(TEST_DB_URL)
 
 .PHONY: sboms
 sboms: $(YARDSTICK_RESULT_DIR) venv clear-results ## Collect and store all syft results (deletes all existing results)
diff --git a/test/quality/test-db-url b/test/quality/test-db-url
new file mode 100644
index 00000000..81961fd1
--- /dev/null
+++ b/test/quality/test-db-url
@@ -0,0 +1 @@
+https://toolbox-data.anchore.io/grype/databases/vulnerability-db_v5_2024-06-24T01:29:58Z_1719202889.tar.gz
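Review bot: The context comment `# update periodically with values from "grype db list"` now points to the wrong place to edit: the URL lives in `./test-db-url` and is rewritten by the `update-quality-gate-db` task, so the comment should say so, e.g. `# TEST_DB_URL is read from ./test-db-url, which the update-quality-gate-db task refreshes from "grype db list"`. Because `TEST_DB_URL` is defined with `=` rather than `:=`, the `$(shell cat ...)` runs again on every expansion and silently yields an empty string when the file is missing, which only surfaces later as a confusing curl error; `TEST_DB_URL := $(shell cat $(TEST_DB_URL_FILE))` evaluates it once, and a guard such as `$(if $(TEST_DB_URL),,$(error $(TEST_DB_URL_FILE) is missing or empty))` reports the real cause.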
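Review bot: `@curl -o $(TEST_DB) -SsL $(TEST_DB_URL)` still lacks `--fail`, so an HTTP error page (for example a 404 once an old database URL is retired, which the monthly rotation this commit introduces makes more likely) is written into `db.tar.gz` with exit status 0, and make then treats the corrupt file as up to date; the new `@` additionally hides the URL that was fetched, making that harder to diagnose. `@curl -fsSL -o $(TEST_DB) $(TEST_DB_URL)` fails the target on HTTP errors instead of saving the error body. Since the URL is now rotated automatically, it would also be reasonable to store the listing entry's checksum next to it and verify the download with `sha256sum -c` before use, assuming `grype db list -o json` exposes that field.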