Bump chart version to 0.36.0-rc2 #2
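# CVE scan for default chart images when Chart.yaml or values.yaml (image defaults) change.
# Generates a cve-report.md and uploads it as an artifact.
name: CVE Scan (Chart Images)

on:
  pull_request:
    branches: [ master ]
    paths:
      - 'charts/dify/Chart.yaml'
      # values.yaml carries the image defaults the header comment says this scan covers;
      # without it, an image tag bump made only in values.yaml never triggers a scan.
      - 'charts/dify/values.yaml'

# Least privilege: the job only reads the checkout and uploads an artifact.
# There is no SARIF upload step, so `security-events: write` is not granted here;
# add it back together with an upload-sarif step if one is introduced.
permissions:
  contents: read

jobs:
  cve-scan:
    runs-on: ubuntu-latest
    # Bound runner time: registry or vulnerability-DB outages would otherwise hang the
    # job for the platform default of several hours.
    timeout-minutes: 60
    defaults:
      run:
        # An explicit `bash` shell runs with `-e -o pipefail`. The implicit shell has no
        # pipefail, so a crashing extract script hidden behind `tee` would produce an
        # empty image list, count=0, and a green run with no scan at all.
        shell: bash
    steps:
      - name: Checkout
        # NOTE(review): prefer pinning third-party actions to a full commit SHA
        # (`uses: owner/repo@<sha> # vN`) rather than a mutable tag.
        uses: actions/checkout@v4
        with:
          # Nothing below pushes to or fetches from git, so do not leave the token in .git/config.
          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'

      - name: Install Trivy
        env:
          TRIVY_VERSION: "0.49.0"
        run: |
          base="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}"
          tarball="trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
          # curl is preinstalled on the runner; no apt-get needed.
          curl -fsSL --retry 3 -o "${tarball}" "${base}/${tarball}"
          curl -fsSL --retry 3 -o trivy_checksums.txt "${base}/trivy_${TRIVY_VERSION}_checksums.txt"
          # Verify the tarball against the checksum file published with the release before
          # executing anything from it; this catches a corrupted or substituted asset.
          # --ignore-missing restricts the check to the one asset fetched and still fails
          # if that asset is not listed (sha256sum reports "no file was verified").
          sha256sum --ignore-missing --check trivy_checksums.txt
          tar -xzf "${tarball}" -C /usr/local/bin trivy
          trivy --version

      - name: Extract default images from chart
        id: images
        # NOTE(review): values.yaml comes from the PR branch, so the extract script must
        # parse it with yaml.safe_load, never yaml.load — confirm in ci/scripts/extract-chart-images.py.
        run: |
          python3 -m pip install --quiet pyyaml
          python3 ci/scripts/extract-chart-images.py | tee image-list.txt
          echo "count=$(wc -l < image-list.txt)" >> "$GITHUB_OUTPUT"

      - name: Run Trivy on each image
        id: scan
        if: steps.images.outputs.count != '0'
        run: |
          mkdir -p trivy-results
          : > scan-failures.txt
          while IFS= read -r image; do
            [ -z "$image" ] && continue
            safe=$(printf '%s' "$image" | tr '/:' '__')
            # `trivy image` exits 0 on findings by default, so a non-zero status here is an
            # operational failure (pull error, DB download, timeout). Record it instead of
            # discarding it: a missing JSON would otherwise read as "no CVEs" in the report.
            # stdin is redirected so the tool cannot consume the image list being read.
            if ! trivy image --format json --output "trivy-results/${safe}.json" --timeout 10m "$image" </dev/null; then
              echo "::warning title=Trivy scan failed::${image}"
              echo "$image" >> scan-failures.txt
            fi
          done < image-list.txt
          echo "failed=$(wc -l < scan-failures.txt)" >> "$GITHUB_OUTPUT"

      - name: Generate CVE report
        if: steps.images.outputs.count != '0'
        run: |
          # Accept `appVersion: "1.2.3"`, `appVersion: '1.2.3'` and `appVersion: 1.2.3`;
          # matching only a double-quoted value reported "unknown" for the other forms.
          app_version=$(sed -nE "/^appVersion:/{s/^appVersion:[[:space:]]*[\"']?([^\"'[:space:]]+).*/\1/p;q}" charts/dify/Chart.yaml)
          python3 ci/scripts/trivy-report-to-md.py trivy-results --version "${app_version:-unknown}" > cve-report.md
          {
            echo "## Container Security Scan (CVE Report)"
            echo ""
            echo '```'
            cat cve-report.md
            echo '```'
          } >> "$GITHUB_STEP_SUMMARY"
          if [ -s scan-failures.txt ]; then
            {
              echo ""
              echo "### Images that could not be scanned (report is incomplete)"
              sed 's/^/- /' scan-failures.txt
            } >> "$GITHUB_STEP_SUMMARY"
          fi

      - name: Upload CVE report
        # Still upload the (partial) report when the job is failed by the step below.
        if: "!cancelled() && steps.images.outputs.count != '0'"
        uses: actions/upload-artifact@v4
        with:
          name: cve-report
          path: cve-report.md

      - name: Fail if any image could not be scanned
        # A skipped step's outputs are empty strings, hence the explicit non-empty check.
        if: steps.scan.outputs.failed != '' && steps.scan.outputs.failed != '0'
        env:
          FAILED: ${{ steps.scan.outputs.failed }}
        run: |
          echo "::error::Trivy could not scan ${FAILED} image(s); see scan-failures.txt and the job summary."
          exit 1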