chore: add workflow to update quality test db (#1961)

--------- Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2024-11-10 06:34:13 +00:00 · 2024-06-25 10:38:37 -04:00 · 2024-06-25 10:38:37 -04:00 · 84cbf10b9c
commit 84cbf10b9c
parent cbd6346527
4 changed files with 48 additions and 2 deletions
--- a/.github/workflows/update-quality-gate-db.yml
+++ b/.github/workflows/update-quality-gate-db.yml
@ -0,0 +1,38 @@
+name: PR for upgrading quality gate test DB
+on:
+  schedule:
+    - cron: "0 16 1 * *" # first day of each month @ 11 AM EST
+
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  update-test-db-url:
+    runs-on: ubuntu-latest
+    if: github.repository == 'anchore/grype' # only run for main repo
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
+
+      - name: "Update quality DB"
+        run: |
+          make update-quality-gate-db
+
+      - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a #v2.1.0
+        id: generate-token
+        with:
+          app_id: ${{ secrets.TOKEN_APP_ID }}
+          private_key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
+
+      - uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c #v6.1.0
+        with:
+          signoff: true
+          delete-branch: true
+          branch: auto/update-quality-test-db
+          labels: test, changelog-ignore
+          commit-message: 'test: update quality gate db to latest version'
+          title: 'test: update quality gate db to latest version'
+          body: |
+            This is an auto-generated pull request to update the quality gate db to latest version
+          token: ${{ steps.generate-token.outputs.token }}
--- a/Taskfile.yaml
+++ b/Taskfile.yaml
@ -100,6 +100,12 @@ tasks:
    cmd: "{{ .TOOL_DIR }}/binny update -v"
    silent: true

+  update-quality-gate-db:
+    desc: Update pinned version of quality gate database
+    cmds:
+      - cmd: "go run cmd/grype/main.go db list -o json | jq -r .[0].url > test/quality/test-db-url"
+        silent: true
+
  list-tools:
    desc: List all tools needed for CI and local development
    deps: [binny]
--- a/test/quality/Makefile
+++ b/test/quality/Makefile
@ -8,7 +8,8 @@ VULNERABILITY_LABELS = ./vulnerability-labels
 RESULT_SET = pr_vs_latest_via_sbom

 # update periodically with values from "grype db list"
-TEST_DB_URL = https://toolbox-data.anchore.io/grype/databases/vulnerability-db_v5_2024-06-24T01:29:58Z_1719202889.tar.gz
+TEST_DB_URL_FILE = ./test-db-url
+TEST_DB_URL = $(shell cat $(TEST_DB_URL_FILE))
 TEST_DB = db.tar.gz
 LISTING_FILE = https://toolbox-data.anchore.io/grype/databases/listing.json

@ -43,7 +44,7 @@ check-db:
 	@echo "DB is fresh enough to be used for testing!"

 $(TEST_DB):
-	curl -o $(TEST_DB) -SsL $(TEST_DB_URL)
+	@curl -o $(TEST_DB) -SsL $(TEST_DB_URL)

 .PHONY: sboms
 sboms: $(YARDSTICK_RESULT_DIR) venv clear-results ## Collect and store all syft results (deletes all existing results)
--- a/test/quality/test-db-url
+++ b/test/quality/test-db-url
@ -0,0 +1 @@
+https://toolbox-data.anchore.io/grype/databases/vulnerability-db_v5_2024-06-24T01:29:58Z_1719202889.tar.gz
				`@ -0,0 +1 @@`
				`https://toolbox-data.anchore.io/grype/databases/vulnerability-db_v5_2024-06-24T01:29:58Z_1719202889.tar.gz`