From 467084c691428690b8169ebb29a8c7de123415b3 Mon Sep 17 00:00:00 2001 From: Kai Siren Date: Thu, 7 Nov 2024 16:51:00 -0800 Subject: [PATCH 01/24] WIP cron vulns --- .../workflows/ci-cron-vulnerability-scans.yml | 67 +++++++++++++++++++ .github/workflows/ci-vulnerability-scans.yml | 1 + 2 files changed, 68 insertions(+) create mode 100644 .github/workflows/ci-cron-vulnerability-scans.yml diff --git a/.github/workflows/ci-cron-vulnerability-scans.yml b/.github/workflows/ci-cron-vulnerability-scans.yml new file mode 100644 index 000000000..8ca789eb5 --- /dev/null +++ b/.github/workflows/ci-cron-vulnerability-scans.yml 
@@ -0,0 +1,67 @@ +# GitHub Actions CI workflow that runs vulnerability scans on the application's Docker image +# to ensure images built are secure before they are deployed. + +name: CI Vulnerability Scans + +on: + pull_request: + paths: + - .grype.yml + - .hadolint.yaml + - .trivyignore + - .github/workflows/ci-vulnerability-scans.yml + +jobs: + vulnerability-scans: + name: Vulnerability Scans + strategy: + matrix: + app_name: ["frontend", "api", "analytics"] + uses: ./.github/workflows/vulnerability-scans.yml + with: + app_name: ${{ matrix.app_name }} + + send-slack-notification: + name: Send Slack notification on failure + runs-on: ubuntu-latest + if: failure() # Only runs if a previous step fails + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }} + run: | + curl -X POST -H "Authorization: Bearer $SLACK_BOT_TOKEN" \ + -H "Content-Type: application/json" \ + --data '{ + "channel": "'"$SLACK_CHANNEL_ID"'", + "text": ":x: *GitHub Actions Failure Alert*", + "attachments": [ + { + "color": "#ff0000", + "title": "Workflow *${{ github.workflow }}* failed", + "fields": [ + { + "title": "Repository", + "value": "${{ github.repository }}", + "short": true + }, + { + "title": "Branch", + "value": "${{ github.ref_name }}", + "short": true + }, + { + "title": "Commit", + "value": "${{ github.sha }}", + "short": true + }, + { + "title": "Workflow URL", + "value": "${{ github.run_url }}" + } + ], + "footer": "GitHub Actions", + "footer_icon": "https://github.githubassets.com/images/modules/logos_page/GitHub-Mark.png", + "ts": '$(date +%s)' + } + ] + }' https://slack.com/api/chat.postMessage diff --git a/.github/workflows/ci-vulnerability-scans.yml b/.github/workflows/ci-vulnerability-scans.yml index 2d174b166..72495ce88 100644 --- a/.github/workflows/ci-vulnerability-scans.yml +++ b/.github/workflows/ci-vulnerability-scans.yml 
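Review bot: The `send-slack-notification` job declares no `permissions:`, so it runs with the repository's default `GITHUB_TOKEN` grants even though its only task is an outbound call to Slack. A job that never touches the GitHub API should opt out explicitly with `permissions: {}` directly under `send-slack-notification:`, which also documents that the token is not needed there. The job body is reshaped by later patches in this series, but none of them adds a permissions block, so the point still applies to the final file.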
@@ -20,3 +20,4 @@ jobs: uses: ./.github/workflows/vulnerability-scans.yml with: app_name: ${{ matrix.app_name }} +# trigger CI From 01cca3634afe3ce57411bacba5514c9f4c89f87e Mon Sep 17 00:00:00 2001 From: Kai Siren Date: Thu, 7 Nov 2024 16:55:02 -0800 Subject: [PATCH 02/24] checkpoint-kai-1731027301 --- .../workflows/ci-cron-vulnerability-scans.yml | 76 ++++++++++--------- 1 file changed, 39 insertions(+), 37 deletions(-) diff --git a/.github/workflows/ci-cron-vulnerability-scans.yml b/.github/workflows/ci-cron-vulnerability-scans.yml index 8ca789eb5..81eaa8bae 100644 --- a/.github/workflows/ci-cron-vulnerability-scans.yml +++ b/.github/workflows/ci-cron-vulnerability-scans.yml 
@@ -24,44 +24,46 @@ jobs: send-slack-notification: name: Send Slack notification on failure runs-on: ubuntu-latest - if: failure() # Only runs if a previous step fails + if: failure() env: SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }} - run: | - curl -X POST -H "Authorization: Bearer $SLACK_BOT_TOKEN" \ - -H "Content-Type: application/json" \ - --data '{ - "channel": "'"$SLACK_CHANNEL_ID"'", - "text": ":x: *GitHub Actions Failure Alert*", - "attachments": [ - { - "color": "#ff0000", - "title": "Workflow *${{ github.workflow }}* failed", - "fields": [ + SLACK_CHANNEL_ID: ${{ secrets.SLACK_ALERTS_CHANNEL_ID }} + steps: + - name: Send Slack notification + run: | + curl -X POST -H "Authorization: Bearer $SLACK_BOT_TOKEN" \ + -H "Content-Type: application/json" \ + --data '{ + "channel": "'"$SLACK_CHANNEL_ID"'", + "text": ":x: *GitHub Actions Failure Alert*", + "attachments": [ { - "title": "Repository", - "value": "${{ github.repository }}", - "short": true - }, - { - "title": "Branch", - "value": "${{ github.ref_name }}", - "short": true - }, - { - "title": "Commit", - "value": "${{ github.sha }}", - "short": true - }, - { - "title": "Workflow URL", - "value": "${{ github.run_url }}" + "color": "#ff0000", + "title": "Workflow *${{ github.workflow }}* failed", + "fields": [ + { + "title": "Repository", + "value": "${{ github.repository }}", + "short": true + }, + { + "title": "Branch", + "value": "${{ github.ref_name }}", + "short": true + }, + { + "title": "Commit", + "value": "${{ github.sha }}", + "short": true + }, + { + "title": "Workflow URL", + "value": "${{ github.run_url }}" + } + ], + "footer": "GitHub Actions", + "footer_icon": "https://github.githubassets.com/images/modules/logos_page/GitHub-Mark.png", + "ts": '$(date +%s)' } - ], - "footer": "GitHub Actions", - "footer_icon": "https://github.githubassets.com/images/modules/logos_page/GitHub-Mark.png", - "ts": '$(date +%s)' - } - ] - }' 
https://slack.com/api/chat.postMessage + ] + }' https://slack.com/api/chat.postMessage From d221769032b27e76407e813149ce5b092d34036d Mon Sep 17 00:00:00 2001 From: Kai Siren Date: Thu, 7 Nov 2024 16:55:45 -0800 Subject: [PATCH 03/24] needs --- .github/workflows/ci-cron-vulnerability-scans.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci-cron-vulnerability-scans.yml b/.github/workflows/ci-cron-vulnerability-scans.yml index 81eaa8bae..d68f5607b 100644 --- a/.github/workflows/ci-cron-vulnerability-scans.yml +++ b/.github/workflows/ci-cron-vulnerability-scans.yml @@ -23,6 +23,7 @@ jobs: send-slack-notification: name: Send Slack notification on failure + needs: vulnerability-scans runs-on: ubuntu-latest if: failure() env: From f698b50b72bbe9552ad9666eca61f1b2b0980dc5 Mon Sep 17 00:00:00 2001 From: Kai Siren Date: Thu, 7 Nov 2024 16:57:19 -0800 Subject: [PATCH 04/24] fix run URL --- .github/workflows/ci-cron-vulnerability-scans.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci-cron-vulnerability-scans.yml b/.github/workflows/ci-cron-vulnerability-scans.yml index d68f5607b..bec348180 100644 --- a/.github/workflows/ci-cron-vulnerability-scans.yml +++ b/.github/workflows/ci-cron-vulnerability-scans.yml @@ -59,7 +59,7 @@ jobs: }, { "title": "Workflow URL", - "value": "${{ github.run_url }}" + "value": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" } ], "footer": "GitHub Actions", From a5a3e5f15bb77b216903b6cc347320cdcc78c9d7 Mon Sep 17 00:00:00 2001 From: Kai Siren Date: Thu, 7 Nov 2024 17:02:46 -0800 Subject: [PATCH 05/24] test slack --- .../workflows/ci-cron-vulnerability-scans.yml | 24 ++++++++++++------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/.github/workflows/ci-cron-vulnerability-scans.yml b/.github/workflows/ci-cron-vulnerability-scans.yml index bec348180..b0764705d 100644 --- a/.github/workflows/ci-cron-vulnerability-scans.yml 
+++ b/.github/workflows/ci-cron-vulnerability-scans.yml @@ -11,6 +11,12 @@ on: - .trivyignore - .github/workflows/ci-vulnerability-scans.yml +# on: +# workflow_dispatch: +# schedule: +# # Run every day at 07:00 UTC (3am ET, 12am PT) after engineers are likely done with work +# - cron: "0 7 * * *" + jobs: vulnerability-scans: name: Vulnerability Scans @@ -23,9 +29,9 @@ jobs: send-slack-notification: name: Send Slack notification on failure - needs: vulnerability-scans + # needs: vulnerability-scans runs-on: ubuntu-latest - if: failure() + # if: failure() env: SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} SLACK_CHANNEL_ID: ${{ secrets.SLACK_ALERTS_CHANNEL_ID }} @@ -35,36 +41,36 @@ jobs: curl -X POST -H "Authorization: Bearer $SLACK_BOT_TOKEN" \ -H "Content-Type: application/json" \ --data '{ - "channel": "'"$SLACK_CHANNEL_ID"'", + "channel": "'"${SLACK_CHANNEL_ID}"'", "text": ":x: *GitHub Actions Failure Alert*", "attachments": [ { "color": "#ff0000", - "title": "Workflow *${{ github.workflow }}* failed", + "title": "Workflow *'"${{ github.workflow }}"'* failed", "fields": [ { "title": "Repository", - "value": "${{ github.repository }}", + "value": "'"${{ github.repository }}"'", "short": true }, { "title": "Branch", - "value": "${{ github.ref_name }}", + "value": "'"${{ github.ref_name }}"'", "short": true }, { "title": "Commit", - "value": "${{ github.sha }}", + "value": "'"${{ github.sha }}"'", "short": true }, { "title": "Workflow URL", - "value": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" + "value": "'"${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"'" } ], "footer": "GitHub Actions", "footer_icon": "https://github.githubassets.com/images/modules/logos_page/GitHub-Mark.png", - "ts": '$(date +%s)' + "ts": "'"$(date +%s)"' } ] }' https://slack.com/api/chat.postMessage From 7a074fbb5439ef0229d908e3050380b0b019d7f2 Mon Sep 17 00:00:00 2001 
From: Kai Siren Date: Thu, 7 Nov 2024 17:04:49 -0800 Subject: [PATCH 06/24] charset --- .github/workflows/ci-cron-vulnerability-scans.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci-cron-vulnerability-scans.yml b/.github/workflows/ci-cron-vulnerability-scans.yml index b0764705d..d60595279 100644 --- a/.github/workflows/ci-cron-vulnerability-scans.yml +++ b/.github/workflows/ci-cron-vulnerability-scans.yml @@ -39,7 +39,7 @@ jobs: - name: Send Slack notification run: | curl -X POST -H "Authorization: Bearer $SLACK_BOT_TOKEN" \ - -H "Content-Type: application/json" \ + -H "Content-Type: application/json; charset=utf-8" \ --data '{ "channel": "'"${SLACK_CHANNEL_ID}"'", "text": ":x: *GitHub Actions Failure Alert*", From 793469777419f0b7f868efd2e88c370f0b53fd40 Mon Sep 17 00:00:00 2001 From: Kai Siren Date: Thu, 7 Nov 2024 17:07:25 -0800 Subject: [PATCH 07/24] fix json hopefully --- .../workflows/ci-cron-vulnerability-scans.yml | 70 +++++++++---------- 1 file changed, 35 insertions(+), 35 deletions(-) diff --git a/.github/workflows/ci-cron-vulnerability-scans.yml b/.github/workflows/ci-cron-vulnerability-scans.yml index d60595279..f02da8fec 100644 --- a/.github/workflows/ci-cron-vulnerability-scans.yml +++ b/.github/workflows/ci-cron-vulnerability-scans.yml 
@@ -39,38 +39,38 @@ jobs: - name: Send Slack notification run: | curl -X POST -H "Authorization: Bearer $SLACK_BOT_TOKEN" \ - -H "Content-Type: application/json; charset=utf-8" \ - --data '{ - "channel": "'"${SLACK_CHANNEL_ID}"'", - "text": ":x: *GitHub Actions Failure Alert*", - "attachments": [ - { - "color": "#ff0000", - "title": "Workflow *'"${{ github.workflow }}"'* failed", - "fields": [ - { - "title": "Repository", - "value": "'"${{ github.repository }}"'", - "short": true - }, - { - "title": "Branch", - "value": "'"${{ github.ref_name }}"'", - "short": true - }, - { - "title": "Commit", - "value": "'"${{ github.sha }}"'", - "short": true - }, - { - "title": "Workflow URL", - "value": "'"${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"'" - } - ], - "footer": "GitHub Actions", - "footer_icon": "https://github.githubassets.com/images/modules/logos_page/GitHub-Mark.png", - "ts": "'"$(date +%s)"' - } - ] - }' https://slack.com/api/chat.postMessage + -H "Content-Type: application/json; charset=utf-8" \ + --data '{ + "channel": "'"$SLACK_CHANNEL_ID"'", + "text": ":x: *GitHub Actions Failure Alert*", + "attachments": [ + { + "color": "#ff0000", + "title": "Workflow *'"${{ github.workflow }}"'* failed", + "fields": [ + { + "title": "Repository", + "value": "'"${{ github.repository }}"'", + "short": true + }, + { + "title": "Branch", + "value": "'"${{ github.ref_name }}"'", + "short": true + }, + { + "title": "Commit", + "value": "'"${{ github.sha }}"'", + "short": true + }, + { + "title": "Workflow URL", + "value": "'"${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"'" + } + ], + "footer": "GitHub Actions", + "footer_icon": "https://github.githubassets.com/images/modules/logos_page/GitHub-Mark.png", + "ts": '$(date +%s)' + } + ] + }' https://slack.com/api/chat.postMessage From e4ad088ac86cdc16bc75a59b33b77911c44e7372 Mon Sep 17 00:00:00 2001 
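Review bot: The rewritten `curl` call never checks whether the post succeeded, so the step is green even when no alert was delivered: Slack answers API errors such as a bad token or an unknown channel with HTTP 200 and `"ok": false`, and `curl` is not asked to fail on transport errors either. Piping the response through `jq -e '.ok'` (the `ubuntu-latest` image ships `jq`, and `run:` steps default to `bash -eo pipefail`) turns a rejected post into a failed step, e.g. `}' https://slack.com/api/chat.postMessage | jq -e '.ok'`; adding `-sS --fail-with-body` to the `curl` line covers non-2xx responses as well. The job header that owns this `run:` block starts outside the hunk.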
From: Kai Siren Date: Thu, 7 Nov 2024 17:09:14 -0800 Subject: [PATCH 08/24] fix secrets --- .github/workflows/ci-cron-vulnerability-scans.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci-cron-vulnerability-scans.yml b/.github/workflows/ci-cron-vulnerability-scans.yml index f02da8fec..e927e2559 100644 --- a/.github/workflows/ci-cron-vulnerability-scans.yml +++ b/.github/workflows/ci-cron-vulnerability-scans.yml @@ -32,16 +32,13 @@ jobs: # needs: vulnerability-scans runs-on: ubuntu-latest # if: failure() - env: - SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - SLACK_CHANNEL_ID: ${{ secrets.SLACK_ALERTS_CHANNEL_ID }} steps: - name: Send Slack notification run: | - curl -X POST -H "Authorization: Bearer $SLACK_BOT_TOKEN" \ + curl -X POST -H "Authorization: Bearer ${{ secrets.SLACK_BOT_TOKEN }}" \ -H "Content-Type: application/json; charset=utf-8" \ --data '{ - "channel": "'"$SLACK_CHANNEL_ID"'", + "channel": "'"${{ secrets.SLACK_ALERTS_CHANNEL_ID }}"'", "text": ":x: *GitHub Actions Failure Alert*", "attachments": [ { From 9d79c1e7b348be20e4f406d1df5726337fefaafe Mon Sep 17 00:00:00 2001 From: Kai Siren Date: Thu, 7 Nov 2024 17:10:11 -0800 Subject: [PATCH 09/24] simple channel --- .github/workflows/ci-cron-vulnerability-scans.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci-cron-vulnerability-scans.yml b/.github/workflows/ci-cron-vulnerability-scans.yml index e927e2559..f1666575b 100644 --- a/.github/workflows/ci-cron-vulnerability-scans.yml +++ b/.github/workflows/ci-cron-vulnerability-scans.yml @@ -38,7 +38,7 @@ jobs: curl -X POST -H "Authorization: Bearer ${{ secrets.SLACK_BOT_TOKEN }}" \ -H "Content-Type: application/json; charset=utf-8" \ --data '{ - "channel": "'"${{ secrets.SLACK_ALERTS_CHANNEL_ID }}"'", + "channel": "#internal-alerts-infra", "text": ":x: *GitHub Actions Failure Alert*", "attachments": [ { 
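Review bot: Deleting the `env:` block and writing `${{ secrets.SLACK_BOT_TOKEN }}` and `${{ secrets.SLACK_ALERTS_CHANNEL_ID }}` straight into the `run:` script inlines the secret values into the generated step script before the shell sees it, which is the expression-interpolation pattern GitHub's hardening guidance tells workflows to avoid: a value containing a quote or `$` would alter the command rather than be passed as data, and the token now also appears verbatim inside a shell heredoc-style script instead of only in the process environment. The `env:` form this hunk removes is the intended one; if the job-level `env:` was the problem, moving it onto the step is equivalent. Later patches in the series only rename the secrets and keep the inline form, so the fix belongs to the final file too.
```yaml
      - name: Send Slack notification
        env:
          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
          SLACK_CHANNEL_ID: ${{ secrets.SLACK_ALERTS_CHANNEL_ID }}
        run: |
          curl -X POST -H "Authorization: Bearer $SLACK_BOT_TOKEN" \
            -H "Content-Type: application/json; charset=utf-8" \
            --data '{
              "channel": "'"$SLACK_CHANNEL_ID"'",
          # … unchanged: rest of the JSON body and the chat.postMessage URL …
```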
From 941530b75a6650c68d3aa819fb0fa9e5ef1e4a98 Mon Sep 17 00:00:00 2001 From: Kai Siren Date: Thu, 7 Nov 2024 17:11:53 -0800 Subject: [PATCH 10/24] channel, again --- .github/workflows/ci-cron-vulnerability-scans.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci-cron-vulnerability-scans.yml b/.github/workflows/ci-cron-vulnerability-scans.yml index f1666575b..ab89e6831 100644 --- a/.github/workflows/ci-cron-vulnerability-scans.yml +++ b/.github/workflows/ci-cron-vulnerability-scans.yml @@ -38,7 +38,7 @@ jobs: curl -X POST -H "Authorization: Bearer ${{ secrets.SLACK_BOT_TOKEN }}" \ -H "Content-Type: application/json; charset=utf-8" \ --data '{ - "channel": "#internal-alerts-infra", + "channel": "${{ secrets.SLACK_ALERTS_CHANNEL_ID }}", "text": ":x: *GitHub Actions Failure Alert*", "attachments": [ { From bf79cdb7aa052af3c4f06a20928af8b94da5d75d Mon Sep 17 00:00:00 2001 From: "kai [they]" Date: Fri, 8 Nov 2024 08:37:49 -0800 Subject: [PATCH 11/24] Update ci-cron-vulnerability-scans.yml --- .github/workflows/ci-cron-vulnerability-scans.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci-cron-vulnerability-scans.yml b/.github/workflows/ci-cron-vulnerability-scans.yml index ab89e6831..ee89f8058 100644 --- a/.github/workflows/ci-cron-vulnerability-scans.yml +++ b/.github/workflows/ci-cron-vulnerability-scans.yml @@ -35,7 +35,7 @@ jobs: steps: - name: Send Slack notification run: | - curl -X POST -H "Authorization: Bearer ${{ secrets.SLACK_BOT_TOKEN }}" \ + curl -X POST -H "Authorization: Bearer ${{ secrets.SLACK_TOKEN_ALERTS_BOT }}" \ -H "Content-Type: application/json; charset=utf-8" \ --data '{ "channel": "${{ secrets.SLACK_ALERTS_CHANNEL_ID }}", From f1c82eaf57cb59380658bb7ffdc86bf62055b24b Mon Sep 17 00:00:00 2001 
From: "kai [they]" Date: Fri, 8 Nov 2024 08:40:31 -0800 Subject: [PATCH 12/24] Update ci-cron-vulnerability-scans.yml --- .github/workflows/ci-cron-vulnerability-scans.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci-cron-vulnerability-scans.yml b/.github/workflows/ci-cron-vulnerability-scans.yml index ee89f8058..c4212a4fa 100644 --- a/.github/workflows/ci-cron-vulnerability-scans.yml +++ b/.github/workflows/ci-cron-vulnerability-scans.yml @@ -35,7 +35,7 @@ jobs: steps: - name: Send Slack notification run: | - curl -X POST -H "Authorization: Bearer ${{ secrets.SLACK_TOKEN_ALERTS_BOT }}" \ + curl -X POST -H "Authorization: Bearer ${{ secrets.ALERTS_SLACK_BOT_TOKEN }}" \ -H "Content-Type: application/json; charset=utf-8" \ --data '{ "channel": "${{ secrets.SLACK_ALERTS_CHANNEL_ID }}", From 1637dfee19b98e9f3c78e816dde32bed1e7f58de Mon Sep 17 00:00:00 2001 From: Kai Siren Date: Fri, 8 Nov 2024 08:42:55 -0800 Subject: [PATCH 13/24] checkpoint-kai-1731084175 --- .github/workflows/ci-analytics-vulnerability-scans.yml | 2 +- .github/workflows/ci-api-vulnerability-scans.yml | 2 +- .github/workflows/ci-cron-vulnerability-scans.yml | 2 +- .github/workflows/vulnerability-scans.yml | 2 ++ 4 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci-analytics-vulnerability-scans.yml b/.github/workflows/ci-analytics-vulnerability-scans.yml index 2125e4708..51484cac6 100644 --- a/.github/workflows/ci-analytics-vulnerability-scans.yml +++ b/.github/workflows/ci-analytics-vulnerability-scans.yml @@ -9,7 +9,7 @@ on: - .grype.yml - .hadolint.yaml - .trivyignore - - .github/workflows/ci-vulnerability-scans.yml + - .github/workflows/vulnerability-scans.yml - analytics/Dockerfile - analytics/pyproject.toml - analytics/poetry.lock diff --git a/.github/workflows/ci-api-vulnerability-scans.yml b/.github/workflows/ci-api-vulnerability-scans.yml index 6947ce406..4918cd7e3 100644 
--- a/.github/workflows/ci-api-vulnerability-scans.yml +++ b/.github/workflows/ci-api-vulnerability-scans.yml @@ -9,7 +9,7 @@ on: - .grype.yml - .hadolint.yaml - .trivyignore - - .github/workflows/ci-vulnerability-scans.yml + - .github/workflows/vulnerability-scans.yml - api/Dockerfile - api/pyproject.toml - api/poetry.lock diff --git a/.github/workflows/ci-cron-vulnerability-scans.yml b/.github/workflows/ci-cron-vulnerability-scans.yml index c4212a4fa..5cee1d3d1 100644 --- a/.github/workflows/ci-cron-vulnerability-scans.yml +++ b/.github/workflows/ci-cron-vulnerability-scans.yml @@ -9,7 +9,7 @@ on: - .grype.yml - .hadolint.yaml - .trivyignore - - .github/workflows/ci-vulnerability-scans.yml + - .github/workflows/vulnerability-scans.yml # on: # workflow_dispatch: diff --git a/.github/workflows/vulnerability-scans.yml b/.github/workflows/vulnerability-scans.yml index 01014f2bc..76f217a28 100644 --- a/.github/workflows/vulnerability-scans.yml +++ b/.github/workflows/vulnerability-scans.yml @@ -1,6 +1,8 @@ # GitHub Actions CI workflow that runs vulnerability scans on the application's Docker image # to ensure images built are secure before they are deployed. +# RUN A TEST + name: Vulnerability Scans on: From 951ea31882a77181750e0a41226c1d027e1025ad Mon Sep 17 00:00:00 2001 From: Kai Siren Date: Fri, 8 Nov 2024 08:43:47 -0800 Subject: [PATCH 14/24] run frontend scans on correct file change --- .github/workflows/ci-frontend-vulnerability-scans.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci-frontend-vulnerability-scans.yml b/.github/workflows/ci-frontend-vulnerability-scans.yml index 3e9156fe0..08c6367d2 100644 --- a/.github/workflows/ci-frontend-vulnerability-scans.yml +++ b/.github/workflows/ci-frontend-vulnerability-scans.yml 
@@ -9,7 +9,7 @@ on: - .grype.yml - .hadolint.yaml - .trivyignore - - .github/workflows/ci-vulnerability-scans.yml + - .github/workflows/vulnerability-scans.yml - frontend/Dockerfile - frontendpi/package.json - frontend/package-lock.json From 272abfd86b8a0ca1246506b81b2b91efcbc4915b Mon Sep 17 00:00:00 2001 From: Kai Siren Date: Fri, 8 Nov 2024 08:48:04 -0800 Subject: [PATCH 15/24] post actually useful stuff --- .github/workflows/ci-cron-vulnerability-scans.yml | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/.github/workflows/ci-cron-vulnerability-scans.yml b/.github/workflows/ci-cron-vulnerability-scans.yml index 5cee1d3d1..4e9daeb97 100644 --- a/.github/workflows/ci-cron-vulnerability-scans.yml +++ b/.github/workflows/ci-cron-vulnerability-scans.yml @@ -45,19 +45,9 @@ jobs: "color": "#ff0000", "title": "Workflow *'"${{ github.workflow }}"'* failed", "fields": [ - { - "title": "Repository", - "value": "'"${{ github.repository }}"'", - "short": true - }, - { - "title": "Branch", - "value": "'"${{ github.ref_name }}"'", - "short": true - }, { "title": "Commit", - "value": "'"${{ github.sha }}"'", + "value": "'"${{ github.server_url }}/${{ github.repository }}/tree/${{ github.sha }}"'", "short": true }, { From 1930dc3bb13d26f0bc3c13ff18ad93ee2ea4c6de Mon Sep 17 00:00:00 2001 From: Kai Siren Date: Fri, 8 Nov 2024 08:57:44 -0800 Subject: [PATCH 16/24] remove useless stuff --- .github/workflows/ci-cron-vulnerability-scans.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/ci-cron-vulnerability-scans.yml b/.github/workflows/ci-cron-vulnerability-scans.yml index 4e9daeb97..a79974e87 100644 --- a/.github/workflows/ci-cron-vulnerability-scans.yml +++ b/.github/workflows/ci-cron-vulnerability-scans.yml 
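Review bot: The `paths` filter in this hunk still contains `- frontendpi/package.json` (the context line right after the changed entry), which looks like a typo for `frontend/package.json`; if so, a dependency change that only touches `package.json` will not trigger the frontend scan, while `package-lock.json` changes will. The commit fixes the workflow path on the line above but leaves this one alone, so the fix is `- frontend/package.json`. The enclosing `on:` block begins and ends outside the hunk, so there may be further entries not visible here.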
@@ -45,11 +45,6 @@ jobs: "color": "#ff0000", "title": "Workflow *'"${{ github.workflow }}"'* failed", "fields": [ - { - "title": "Commit", - "value": "'"${{ github.server_url }}/${{ github.repository }}/tree/${{ github.sha }}"'", - "short": true - }, { "title": "Workflow URL", "value": "'"${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"'" From 56cf2b6b44a06b600313858cb3b49707b53a0590 Mon Sep 17 00:00:00 2001 From: Kai Siren Date: Fri, 8 Nov 2024 09:02:18 -0800 Subject: [PATCH 17/24] make it real --- .../workflows/ci-cron-vulnerability-scans.yml | 18 +++++------------- 1 file changed, 5 insertions(+), 13 deletions(-) diff --git a/.github/workflows/ci-cron-vulnerability-scans.yml b/.github/workflows/ci-cron-vulnerability-scans.yml index a79974e87..a259046cb 100644 --- a/.github/workflows/ci-cron-vulnerability-scans.yml +++ b/.github/workflows/ci-cron-vulnerability-scans.yml @@ -4,18 +4,10 @@ name: CI Vulnerability Scans on: - pull_request: - paths: - - .grype.yml - - .hadolint.yaml - - .trivyignore - - .github/workflows/vulnerability-scans.yml - -# on: -# workflow_dispatch: -# schedule: -# # Run every day at 07:00 UTC (3am ET, 12am PT) after engineers are likely done with work -# - cron: "0 7 * * *" + workflow_dispatch: + schedule: + # Run every day at 07:00 UTC (3am ET, 12am PT) after engineers are likely done with work + - cron: "0 7 * * *" jobs: vulnerability-scans: @@ -29,7 +21,7 @@ jobs: send-slack-notification: name: Send Slack notification on failure - # needs: vulnerability-scans + needs: vulnerability-scans runs-on: ubuntu-latest # if: failure() steps: From 1eceee705ae3a8c3b352097dde079331a1a3c8c5 Mon Sep 17 00:00:00 2001 From: "kai [they]" Date: Fri, 8 Nov 2024 09:12:12 -0800 Subject: [PATCH 18/24] Update ci-cron-vulnerability-scans.yml --- .github/workflows/ci-cron-vulnerability-scans.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
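Review bot: In the second hunk of PATCH 17, `needs: vulnerability-scans` is restored but `# if: failure()` on the next context line stays commented out, so the job falls back to the default `success()` condition: the "failure" notification is posted only when the scans pass and is skipped when they fail, and with the new `schedule:` trigger in the first hunk that means a spurious ":x: *GitHub Actions Failure Alert*" in Slack every run. Re-enabling `if: failure()` under `runs-on: ubuntu-latest` restores the intended behaviour; since the condition is evaluated against the needed job, any failing leg of the `app_name` matrix should trip it. The job definition continues past the end of the hunk.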
diff --git a/.github/workflows/ci-cron-vulnerability-scans.yml b/.github/workflows/ci-cron-vulnerability-scans.yml index a259046cb..21d2e6503 100644 --- a/.github/workflows/ci-cron-vulnerability-scans.yml +++ b/.github/workflows/ci-cron-vulnerability-scans.yml @@ -6,8 +6,8 @@ name: CI Vulnerability Scans on: workflow_dispatch: schedule: - # Run every day at 07:00 UTC (3am ET, 12am PT) after engineers are likely done with work - - cron: "0 7 * * *" + # Run every day at (8am ET, 11am PT) right before the start of the workday + - cron: "0 12 * * *" jobs: vulnerability-scans: From 3326a10575f7313fd9625b88cfc2e4a8a8f93704 Mon Sep 17 00:00:00 2001 From: Kai Siren Date: Fri, 8 Nov 2024 09:21:20 -0800 Subject: [PATCH 19/24] fix ci hopefully --- .github/actionlint.yml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .github/actionlint.yml diff --git a/.github/actionlint.yml b/.github/actionlint.yml new file mode 100644 index 000000000..5c5d74c66 --- /dev/null +++ b/.github/actionlint.yml @@ -0,0 +1,5 @@ +paths: + # actionlint doesn't know how to handle the json inside of this file + ci-cron-vulnerability-scans.yml: + ignore: + - Quote this to prevent word splitting From 2fe3a9bdf18233f863c6efdc20c988ce6f20af01 Mon Sep 17 00:00:00 2001 From: Kai Siren Date: Fri, 8 Nov 2024 15:58:01 -0800 Subject: [PATCH 20/24] try again --- .github/actionlint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actionlint.yml b/.github/actionlint.yml index 5c5d74c66..a86e58e1e 100644 --- a/.github/actionlint.yml +++ b/.github/actionlint.yml @@ -2,4 +2,4 @@ paths: # actionlint doesn't know how to handle the json inside of this file ci-cron-vulnerability-scans.yml: ignore: - - Quote this to prevent word splitting + - \*Quote this to prevent word splitting\* From d1fe5c05c6dbf4cbc8f0c8defebe81fd34cc2f1e Mon Sep 17 00:00:00 2001 
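Review bot: The new comment in PATCH 18, `# Run every day at (8am ET, 11am PT) right before the start of the workday`, does not match `cron: "0 12 * * *"`: Pacific time is three hours behind Eastern, so it can never be later, and 12:00 UTC is 7am EST / 8am EDT and 4am PST / 5am PDT. Because GitHub schedules run in UTC, the comment should state the UTC time and let the local conversions follow, e.g. `# Run every day at 12:00 UTC (7am EST / 8am EDT, 4am PST / 5am PDT), before the start of the East-coast workday`. The surrounding `on:` block is fully inside the hunk.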
From: Kai Siren Date: Fri, 8 Nov 2024 15:59:25 -0800 Subject: [PATCH 21/24] try again again --- .github/actionlint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actionlint.yml b/.github/actionlint.yml index a86e58e1e..00d772ee3 100644 --- a/.github/actionlint.yml +++ b/.github/actionlint.yml @@ -2,4 +2,4 @@ paths: # actionlint doesn't know how to handle the json inside of this file ci-cron-vulnerability-scans.yml: ignore: - - \*Quote this to prevent word splitting\* + - "[.*]Quote this to prevent word splitting[.*]" From 3aa260ecd170d9bdbc048c1112492b7d9d9f242c Mon Sep 17 00:00:00 2001 From: Kai Siren Date: Fri, 8 Nov 2024 16:01:12 -0800 Subject: [PATCH 22/24] full path... duh --- .github/actionlint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actionlint.yml b/.github/actionlint.yml index 00d772ee3..e95e855b6 100644 --- a/.github/actionlint.yml +++ b/.github/actionlint.yml @@ -1,5 +1,5 @@ paths: # actionlint doesn't know how to handle the json inside of this file - ci-cron-vulnerability-scans.yml: + .github/workflows/ci-cron-vulnerability-scans.yml: ignore: - "[.*]Quote this to prevent word splitting[.*]" From 5c7bd9418b0d9e2150e440d1271354b6961ec89a Mon Sep 17 00:00:00 2001 From: "kai [they]" Date: Tue, 12 Nov 2024 08:30:10 -0800 Subject: [PATCH 23/24] Update actionlint.yml --- .github/actionlint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actionlint.yml b/.github/actionlint.yml index e95e855b6..56a4fefcd 100644 --- a/.github/actionlint.yml +++ b/.github/actionlint.yml @@ -2,4 +2,4 @@ paths: # actionlint doesn't know how to handle the json inside of this file .github/workflows/ci-cron-vulnerability-scans.yml: ignore: - - "[.*]Quote this to prevent word splitting[.*]" + - ".*SC2046.*" From 440b5083864e46b472f16d8022cf6e51c5d331b8 Mon Sep 17 00:00:00 2001 
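Review bot: The final pattern in PATCH 23, `".*SC2046.*"`, silences every shellcheck SC2046 finding in `ci-cron-vulnerability-scans.yml`, not just the one line that triggered it, and the comment above it (`# actionlint doesn't know how to handle the json inside of this file`) misdescribes the cause: the finding is the unquoted command substitution in `"ts": '$(date +%s)'`, which is the only part of the script evaluated as shell rather than as JSON text. Quoting that substitution, `"ts": '"$(date +%s)"'`, removes the warning while keeping the value an unquoted number in the JSON (the output of `date +%s` is digits only), after which the `ignore` entry and arguably the whole `.github/actionlint.yml` can be dropped. If the suppression is kept, the comment should name SC2046 and the `ts` line so the next reader knows what is being waived.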
From: "kai [they]" Date: Tue, 12 Nov 2024 10:18:23 -0800 Subject: [PATCH 24/24] Update .github/workflows/vulnerability-scans.yml Co-authored-by: Michael Chouinard <46358556+chouinar@users.noreply.github.com> --- .github/workflows/vulnerability-scans.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/vulnerability-scans.yml b/.github/workflows/vulnerability-scans.yml index 76f217a28..01014f2bc 100644 --- a/.github/workflows/vulnerability-scans.yml +++ b/.github/workflows/vulnerability-scans.yml @@ -1,8 +1,6 @@ # GitHub Actions CI workflow that runs vulnerability scans on the application's Docker image # to ensure images built are secure before they are deployed. -# RUN A TEST - name: Vulnerability Scans on: