Skip to content
PR Comment Triggered Trivy Scan

Not able to join new server nodes to RKE2 HA cluster via AWS load balancer #1184

Sign in to view logs

Not able to join new server nodes to RKE2 HA cluster via AWS load balancer

Not able to join new server nodes to RKE2 HA cluster via AWS load balancer #1184

Workflow file for this run

.github/workflows/trivy.yaml at 7f20bc8
name: PR Comment Triggered Trivy Scan
on:
issue_comment:
types: [created]
jobs:
trivy_scan:
if: github.event.issue.pull_request && github.event.comment.body == '/trivy' && github.event.issue.state == 'open'
runs-on: runs-on,runner=8cpu-linux-x64,run-id=${{ github.run_id }}
permissions:
pull-requests: read
steps:
- name: Check if comment author is a public member of rancher organization
uses: actions/github-script@v7
with:
# Catch 404 errors if user is not a member of the organization
# 302 is expected as the GHA is not a member of the organization
# Users must be set their membership to public for this to work
# https://github.com/orgs/rancher/people
script: |
const org = context.repo.owner;
const username = context.payload.comment.user.login;
try {
const result = await github.rest.orgs.checkMembershipForUser({
org,
username,
});
} catch (error) {
core.setFailed(`User ${username} is not an public member of the ${org} organization`);
}
- name: Checkout PR code
uses: actions/checkout@v4
with:
ref: refs/pull/${{ github.event.issue.number }}/head
# We don't care about the go version, as we only use it to capture ENV vars
- name: Install Go
uses: ./.github/actions/setup-go
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build RKE2 Image
id: build-image
run: |
SKIP_WINDOWS=true make build-image-runtime
TAG=$(docker images --format "{{.Repository}}:{{.Tag}} {{.CreatedAt}}" | grep "rancher/rke2-runtime" | sort -k2 -r | head -n1 | awk '{print $1}')
echo "TAG=${TAG}" >> "$GITHUB_OUTPUT"
- name: Download Rancher's VEX Hub report
run: curl -fsSO https://raw.githubusercontent.com/rancher/vexhub/refs/heads/main/reports/rancher.openvex.json
- name: Run Trivy on image
uses: aquasecurity/[email protected]
with:
image-ref: '${{ steps.build-image.outputs.TAG }}'
format: 'table'
severity: "HIGH,CRITICAL"
output: "trivy-image-report.txt"
env:
TRIVY_VEX: rancher.openvex.json
TRIVY_SHOW_SUPPRESSED: true
- name: Run Trivy on filesystem
uses: aquasecurity/[email protected]
with:
scan-type: 'fs'
scan-ref: '.'
severity: "HIGH,CRITICAL"
output: "trivy-fs-report.txt"
env:
TRIVY_VEX: rancher.openvex.json
TRIVY_SHOW_SUPPRESSED: true
- name: Upload Trivy Reports
uses: actions/upload-artifact@v4
with:
name: trivy-report
path: |
trivy-image-report.txt
trivy-fs-report.txt
retention-days: 2
if-no-files-found: error
trivy_report:
needs: trivy_scan
runs-on: runs-on,runner=8cpu-linux-x64,run-id=${{ github.run_id }}
permissions:
pull-requests: write
env:
GH_TOKEN: ${{ github.token }}
GH_REPO: ${{ github.repository }}
steps:
- name: Download Trivy Report
uses: actions/download-artifact@v4
with:
name: trivy-report
- name: Add Trivy Report to PR
run: |
cat trivy-image-report.txt trivy-fs-report.txt > trivy-report.txt
if [ -s trivy-report.txt ] && [ -n "$(grep -v '^\s*$' trivy-report.txt)" ]; then
echo '```' | cat - trivy-report.txt > temp && mv temp trivy-report.txt
echo '```' >> trivy-report.txt
gh issue comment ${{ github.event.issue.number }} -F trivy-report.txt
else
echo ':star2: No High or Critical CVEs Found :star2:' > trivy-report.txt
gh issue comment ${{ github.event.issue.number }} -F trivy-report.txt
fi
trivy_failure:
needs: trivy_scan
runs-on: runs-on,runner=8cpu-linux-x64,run-id=${{ github.run_id }}
if: always() && needs.trivy_scan.result == 'failure'
permissions:
pull-requests: write
env:
GH_TOKEN: ${{ github.token }}
GH_REPO: ${{ github.repository }}
steps:
- name: Report Failure
run: |
gh issue comment ${{ github.event.issue.number }} -b ":x: Trivy scan action failed, check logs :x:"