ci: notify on failed vuln scan

.github/workflows/Continuous-Testing.yaml

@@ -2,14 +2,15 @@ name: Continuous image testing
 
 on:
   schedule:
-    - cron: "0 1 * * *"
+    - cron: "*/4 * * * *"
 
 jobs:
-  list-released-images:
+  prepare-test-matrix:
     runs-on: ubuntu-latest
-    name: List the revisions of released images
+    name: Prepare released image revisions to be tested
     outputs:
       released-revisions-matrix: ${{ steps.prepare-test-matrix.outputs.released-revisions-matrix }}
+      last-scan: ${{ steps.last-scan.outputs.date }}
     steps:
       - uses: actions/checkout@v3
       - uses: actions/setup-python@v4
@@ -21,43 +22,24 @@ jobs:
         id: prepare-test-matrix
         run: ./src/tests/get_released_revisions.py --oci-images-path $PWD/oci
 
-  dispatch-tests:
-    runs-on: ubuntu-latest
-    name: Dispatch tests for released images
-    needs: [list-released-images]
-    strategy:
-      fail-fast: false
-      matrix: ${{ fromJSON(needs.list-released-images.outputs.released-revisions-matrix) }}
-    steps:
-      - name: Run tests for ${{ matrix.source-image }}
-        # Using this actions cause others can have this problem:
-        # https://github.com/convictional/trigger-workflow-and-wait/issues/61
-        uses: mathze/[email protected]
-        id: run-tests
-        env:
-          IS_A_ROCK: ${{ matrix.dockerfile-build == '' && true || false }}
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          ref: ${{ github.ref_name }}
-          fail-on-error: true
-          workflow-name: Tests.yaml
-          # For continuous auditing, let's assume all images are NOT ROCKs and
-          # thus only run the most generic tests
-          payload: '{ "oci-image-name": "${{ matrix.source-image }}", "oci-image-path": "oci/${{ matrix.name }}", "is-a-rock": false, "test-from": "registry"}'
-          trigger-timeout: "5m"
-          wait-timeout: "45m"
-          run-id: dummy
-          use-marker-step: true
-
-      - name: Write step summary
+      - name: Infer date of last scan
+        id: last-scan
         run: |
-          url='${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ steps.run-tests.outputs.run-id }}'
-          echo " - Triggered tests for '${{ matrix.source-image }}' at [${url}](${url})" >> "$GITHUB_STEP_SUMMARY"
+          # This is scheduled to run every day, so let's look at the previous
+          # 26 hours, roughly
+          set -ex
+          last_scan="$(date --date='26 hours ago' +'%Y-%m-%dT%H:%M:00Z')"
+          echo "date=$last_scan" >> "$GITHUB_OUTPUT"
 
-      - name: Enforce test conclusion
-        if: ${{ steps.run-tests.outputs.run-conclusion != 'success' }}
-        # The previous step doesn't always raise an error
-        run: |
-          url='${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ steps.run-tests.outputs.run-id }}'
-          echo "Testing of image '${{ matrix.source-image }}' failed at [${url}](${url})."
-          exit 1
+  run-tests:
+    name: Run tests for released images
+    needs: [prepare-test-matrix]
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJSON(needs.prepare-test-matrix.outputs.released-revisions-matrix) }}
+    uses: canonical/oci-factory/.github/workflows/Vulnerability-Scan.yaml@main
+    with:
+      oci-image-name: "${{ matrix.source-image }}"
+      oci-image-path: "oci/${{ matrix.name }}"
+      date-last-scan: ${{ needs.prepare-test-matrix.outputs.last-scan }}
+    secrets: inherit

.github/workflows/Image.yaml

@@ -218,6 +218,7 @@ jobs:
       is-a-rock: ${{ matrix.dockerfile-build == '' && true || false }}
       test-from: "cache"
       cache-key: "${{ github.run_id }}-${{ matrix.name }}_${{ matrix.commit }}_${{ matrix.revision }}"
+    secrets: inherit
 
   upload:
     runs-on: ubuntu-22.04

.github/workflows/Tests.yaml

@@ -31,11 +31,6 @@ on:
         required: false
         type: string
         default: '.vulnerability-report.json'
-      external_ref_id: #(1)
-        description: 'Optional ID for unique run detection'
-        required: false
-        type: string
-        default: "default-id"
   workflow_dispatch:
     inputs:
       oci-image-name:
@@ -84,6 +79,8 @@ jobs:
   fetch-oci-image:
     runs-on: ubuntu-22.04
     name: Fetch OCI image for testing
+    outputs:
+      test-cache-key: ${{ steps.cache.outputs.key }}
     steps:
       - name: ${{ inputs.external_ref_id }} #(2)
         run: echo 'Started by ${{ inputs.external_ref_id }}' >> "$GITHUB_STEP_SUMMARY"
@@ -118,6 +115,10 @@ jobs:
           path: ${{ env.TEST_IMAGE_NAME}}
           key: ${{ github.run_id }}-${{ inputs.oci-image-name }}-${{ env.TEST_IMAGE_NAME }}
 
+      - name: Save cache key
+        id: cache
+        run: echo "key=${{ github.run_id }}-${{ inputs.oci-image-name }}-${{ env.TEST_IMAGE_NAME }}" >> "$GITHUB_OUTPUT"
+
 
   test-oci-compliance:
     runs-on: ubuntu-22.04
@@ -127,7 +128,7 @@ jobs:
       - uses: actions/cache/restore@v3
         with:
           path: ${{ env.TEST_IMAGE_NAME}}
-          key: ${{ github.run_id }}-${{ inputs.oci-image-name }}-${{ env.TEST_IMAGE_NAME }}
+          key: ${{ needs.fetch-oci-image.outputs.test-cache-key }}
 
       - name: Install Umoci
         run: |
@@ -155,7 +156,7 @@ jobs:
       - uses: actions/cache/restore@v3
         with:
           path: ${{ env.TEST_IMAGE_NAME}}
-          key: ${{ github.run_id }}-${{ inputs.oci-image-name }}-${{ env.TEST_IMAGE_NAME }}
+          key: ${{ needs.fetch-oci-image.outputs.test-cache-key }}
 
       - name: Copy image to Docker daemon
         run: |
@@ -189,7 +190,7 @@ jobs:
       - uses: actions/cache/restore@v3
         with:
           path: ${{ env.TEST_IMAGE_NAME}}
-          key: ${{ github.run_id }}-${{ inputs.oci-image-name }}-${{ env.TEST_IMAGE_NAME }}
+          key: ${{ needs.fetch-oci-image.outputs.test-cache-key }}
 
       - name: Copy image to Docker daemon
         run: |
@@ -212,74 +213,16 @@ jobs:
 
 
   test-vulnerabilities:
-    runs-on: ubuntu-22.04
     name: Vulnerability scan
     needs: [fetch-oci-image]
-    outputs:
-      vulnerability-report: ${{ steps.vulnerability-report.outputs.name }}
-    steps:
-      - uses: actions/checkout@v3
-
-      - id: vulnerability-report
-        run: |
-          full_name="${{ inputs.oci-image-name }}${{ inputs.vulnerability-report-suffix }}"
-          final_name="$(echo ${full_name} | sed 's/ghcr.io\/canonical\/oci-factory\///g' | tr ':' '_')"
-          echo "name=$final_name" >> "$GITHUB_OUTPUT" 
-
-      - uses: actions/cache/restore@v3
-        with:
-          path: ${{ env.TEST_IMAGE_NAME}}
-          key: ${{ github.run_id }}-${{ inputs.oci-image-name }}-${{ env.TEST_IMAGE_NAME }}
-
-      - name: Copy image to Docker daemon
-        run: |
-          docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
-            -v $PWD:/workdir -w /workdir \
-            ${{ env.SKOPEO_IMAGE }} \
-            copy oci:${{ env.TEST_IMAGE_NAME}}:${{ env.TEST_IMAGE_TAG }} \
-            docker-daemon:${{ env.TEST_IMAGE_NAME}}:${{ env.TEST_IMAGE_TAG }}
-
-      - name: Check for .trivyignore
-        id: trivyignore
-        run: |
-          if [ -f ${{ inputs.oci-image-path }}/.trivyignore ]
-          then
-            file=${{ inputs.oci-image-path }}/.trivyignore
-          else
-            # dummy .trivyignore file
-            file=.trivyignore
-            touch $file
-          fi
-          echo "file=$file" >> "$GITHUB_OUTPUT"
-
-      - name: Scan for vulnerabilities
-        uses: aquasecurity/[email protected]
-        with:
-          # NOTE: we're allowing images with vulnerabilities to be published
-          ignore-unfixed: true
-          trivyignores: ${{ steps.trivyignore.outputs.file }}
-          format: 'cosign-vuln'
-          severity: 'HIGH,CRITICAL'
-          exit-code: '1'
-          # NOTE: pebble is flagged with a HIGH vuln because of golang.org/x/crypto
-          # CVE-2021-43565, CVE-2022-27191
-          skip-files: /bin/pebble
-          # missing ${{ runner.arch }}
-          output: '${{ steps.vulnerability-report.outputs.name }}'
-          image-ref: '${{ env.TEST_IMAGE_NAME}}:${{ env.TEST_IMAGE_TAG }}'
-
-      - if: ${{ always() }}
-        run: |
-          cat ${{ steps.vulnerability-report.outputs.name }}
-          echo "report=$report" >> "$GITHUB_OUTPUT"
+    uses: canonical/oci-factory/.github/workflows/Vulnerability-Scan.yaml@main
+    with:
+      oci-image-name: "${{ inputs.oci-image-name }}"
+      oci-image-path: "${{ inputs.oci-image-path }}"
+      cache-key: "${{ needs.fetch-oci-image.outputs.test-cache-key }}"
+      vulnerability-report-suffix: "${{ inputs.vulnerability-report-suffix}}"
 
-      - uses: actions/cache/save@v3
-        if: ${{ always() }}
-        with:
-          path: ${{ steps.vulnerability-report.outputs.name }}
-          key: ${{ github.run_id }}-${{ steps.vulnerability-report.outputs.name }}
 
-
   test-malware:
     runs-on: ubuntu-22.04
     name: Malware scan
@@ -314,26 +257,3 @@ jobs:
       - name: Scan for malware
         run: |
           ./src/tests/malware_scan.py --filesystem ./raw/rootfs
-
-
-  upload-test-artefacts:
-    name: Upload test artefacts
-    runs-on: ubuntu-22.04
-    if: ${{ always() }}
-    needs:
-      - test-vulnerabilities
-      - test-black-box
-      - test-oci-compliance
-      - test-malware
-      - test-efficiency
-    steps:
-      - name: Restore vulnerability report for upload
-        uses: actions/cache/restore@v3
-        with:
-          path: ${{ needs.test-vulnerabilities.outputs.vulnerability-report }}
-          key: ${{ github.run_id }}-${{ needs.test-vulnerabilities.outputs.vulnerability-report }}
-
-      - uses: actions/upload-artifact@v3
-        with:
-          name: ${{ needs.test-vulnerabilities.outputs.vulnerability-report }}
-          path: ${{ needs.test-vulnerabilities.outputs.vulnerability-report }}