skip: changes based on feedback

canonical · Oct 10, 2024 · b2f1e34 · b2f1e34
1 parent 9fd484b
commit b2f1e34
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 23 deletions.
diff --git a/.../workflows/get-published-image-names.yaml → ...flows/get-image-names-from-rockcraft.yaml b/.../workflows/get-published-image-names.yaml → ...flows/get-image-names-from-rockcraft.yaml
@@ -1,15 +1,15 @@
-name: Get oci-images names from Dockerhub
+name: Get oci-images names from rockcraft files
 
 on:
   workflow_call:
     outputs:
       images-names:
-        description: A JSON array of images that Paths in this repository where rockcraft projects are stored
+        description: "A JSON array of all images that have their rockcraft project stored in this repository"
         value: ${{ jobs.get-images-names.outputs.images-names }}
 
 jobs:
   get-images-names:
-    name: Get all rockcraft.yaml paths
+    name: Get image names
     runs-on: ubuntu-22.04
     outputs:
       images-names: ${{ steps.get-images.outputs.images-names }}

diff --git a/.github/workflows/get-published-images-scan-and-report.yaml b/.github/workflows/get-published-images-scan-and-report.yaml
@@ -1,4 +1,4 @@
-name: Get ROCKs modified and build-scan-test-publish them
+name: Get image names and report vulnerabilties in Github
 
 on:
   workflow_call:
@@ -20,11 +20,12 @@ on:
 
 jobs:
   get-published-images-names:
-    name: Get published images names
-    uses: ./.github/workflows/get-published-image-names.yaml
+    name: Get images names from rockcraft
+    uses: ./.github/workflows/get-image-names-from-rockcraft.yaml
 
   scan-report-vulnerability:
     needs: get-published-images-names
+    name: Scan and report
     strategy:
       fail-fast: false
       matrix:

diff --git a/.github/workflows/scan-from-dockerhub-report-issue.yaml b/.github/workflows/scan-from-dockerhub-report-issue.yaml
@@ -1,4 +1,4 @@
-name: Scan from published image and report vulnerabilities
+name: Scan published image and report vulnerabilities
 
 on:
   workflow_call:
@@ -19,20 +19,19 @@ on:
         default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
 jobs:
   scan:
-    # uses: canonical/charmed-kubeflow-workflows/.github/workflows/scan-from-published-image.yaml@KF-6331-add-scan-reusable-workflow
     uses: ./.github/workflows/scan-from-published-image.yaml
     secrets: inherit
     with:
       image-name: ${{ inputs.image-name }}
       report-vulnerabilities: ${{ inputs.report-vulnerabilities }}
       severity: ${{ inputs.severity }}
 
-  # Leaving it here in case we ever want to enable scan and reports on_merge
   report-vulnerability:
     needs: scan
     uses: ./.github/workflows/report-vulnerability-in-gh.yaml
     secrets: inherit
     if: ${{ always() && (needs.scan.result == 'failure') }}
     with:
       issue-title: 'Vulnerabilities found for'
-      image-name: ${{ needs.scan.outputs.image-name-dashes }}
+      image-name: ${{ inputs.image-name }}
+      vulnerability-report-artefact: ${{ needs.scan.outputs.vulnerability-report-artefact-name }}
diff --git a/.github/workflows/scan-from-published-image.yaml b/.github/workflows/scan-from-published-image.yaml
@@ -3,9 +3,9 @@ name: Scan
 on:
   workflow_call:
     outputs:
-      image-name-dashes:
-        description: "The image name with format <image-name>-<version>"
-        value: ${{ jobs.scan.outputs.image-name-dashes }}
+      vulnerability-report-artefact-name:
+        description: "The name of the artefact that contains the vulnerability report."
+        value: ${{ jobs.scan.outputs.vulnerability-report-artefact-name }}
     inputs:
       container-registry:
         description: "The name of the container registry where images are hosted."
@@ -31,8 +31,7 @@ jobs:
     name: Scan of ${{ inputs.image-name }}
     runs-on: ubuntu-22.04
     outputs:
-      image-name: ${{ steps.image-name.outputs.image-name }}
-      image-name-dashes: ${{ steps.image-name.outputs.image-name-dashes }}
+      vulnerability-report-artefact-name: ${{ steps.report-name.outputs.report-name }}
     strategy:
       fail-fast: false
     steps:
@@ -61,13 +60,12 @@ jobs:
             echo "exit-code=0" >> "$GITHUB_OUTPUT"
           fi
 
-      - name: Generate image name
-        id: image-name
+      - name: Generate report name
+        id: report-name
         run: |
           IMAGE_NAME=$(echo ${{ inputs.image-name }} | rev | cut -f2- -d"-" | rev)
           IMAGE_NAME_DASHES=$(echo $IMAGE_NAME | sed 's/\:/-/g')
-          echo "image-name=${IMAGE_NAME}" >> "$GITHUB_OUTPUT"
-          echo "image-name-dashes=${IMAGE_NAME_DASHES}" >> "$GITHUB_OUTPUT"
+          echo "report-name='trivy-report-${IMAGE_NAME_DASHES}'" >> "$GITHUB_OUTPUT"
 
       - name: Scan for vulnerabilities
         id: scan
@@ -80,7 +78,7 @@ jobs:
           scan-type: 'image'
           image-ref: '${{ inputs.container-registry }}/${{ inputs.image-name }}'
           format: 'table'
-          output: 'trivy-report-${{ steps.image-name.outputs.image-name-dashes }}.txt'
+          output: '${{ steps.report-name.outputs.report-name }}.txt'
           ignore-unfixed: true
           timeout: '50m0s'
           exit-code: ${{ steps.set-up-inputs.outputs.exit-code }}
@@ -92,13 +90,13 @@ jobs:
       - name: Print vulnerabilities report
         # The report should be printed regardless of the success of the previous step
         if: success() || failure()
-        run: cat trivy-report-${{ steps.image-name.outputs.image-name-dashes }}.txt
+        run: cat ${{ steps.report-name.outputs.report-name }}.txt
 
       - name: Upload Trivy reports
         # The report should be uploaded regardless of the success of the previous steps
         if: success() || failure()
         uses: actions/upload-artifact@v4
         with:
           compression-level: 0
-          name: trivy-report-${{ steps.image-name.outputs.image-name-dashes }}
-          path: trivy-report-${{ steps.image-name.outputs.image-name-dashes }}.txt
+          name: ${{ steps.report-name.outputs.report-name }}
+          path: ${{ steps.report-name.outputs.report-name }}.txt