fix workflow (#7615)

* fix workflow Signed-off-by: Chip Zoller <chipzoller@gmail.com> * save Signed-off-by: Chip Zoller <chipzoller@gmail.com> * jq to compact output Signed-off-by: Chip Zoller <chipzoller@gmail.com> * fix Signed-off-by: Chip Zoller <chipzoller@gmail.com> * fix Signed-off-by: Chip Zoller <chipzoller@gmail.com> --------- Signed-off-by: Chip Zoller <chipzoller@gmail.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-03-29 10:55:05 +00:00 · 2023-06-21 11:15:55 -04:00 · 2023-06-21 11:15:55 -04:00 · 4b8361bcc6
commit 4b8361bcc6
parent f2bfc13edb
1 changed files with 10 additions and 11 deletions
--- a/.github/workflows/report-on-vulnerabilities.yaml
+++ b/.github/workflows/report-on-vulnerabilities.yaml
@ -13,7 +13,7 @@ env:

 jobs:
  scan:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
    permissions:
      contents: read
    outputs:
@ -32,18 +32,19 @@ jobs:
      id: parse-results
      continue-on-error: true
      run: |
-        VULNS=$(cat scan.json | jq '.Results[] | has("Vulnerabilities")')
-        if echo $VULNS | grep -q 'true'; then
-          echo "Vulnerabilities found, creating issue"
-          echo "results=$(cat scan.json)" >> $GITHUB_OUTPUT
-        else
+        VULNS=$(cat scan.json | jq '.Results[] | select(.Target=="ko-app/kyverno") | length')
+        if [[ $VULNS -eq 0 ]]
+        then
          echo "No vulnerabilities found, halting"
          echo "results=nothing" >> $GITHUB_OUTPUT
+        else
+          echo "Vulnerabilities found, creating issue"
+          echo "results=found" >> $GITHUB_OUTPUT
        fi

    - name: Upload vulnerability scan report
      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
-      if: contains(steps.parse-results.outputs.results, 'SchemaVersion')
+      if: steps.parse-results.outputs.results == 'found'
      with:
        name: scan.json
        path: scan.json
@ -51,7 +52,7 @@ jobs:

  open-issue:
    runs-on: ubuntu-latest
-    if: contains(needs.scan.outputs.results, 'SchemaVersion')
+    if: needs.scan.outputs.results == 'found'
    needs: scan
    permissions:
      contents: read
@ -59,15 +60,13 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
-      - name: Setup build env
-        uses: ./.github/actions/setup-build-env
      - name: Download scan
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: scan.json
      - name: Set scan output
        id: set-scan-output
-        run: echo "results=$(cat scan.json)" >> $GITHUB_OUTPUT
+        run: echo "results=$(cat scan.json | jq -c)" >> $GITHUB_OUTPUT
      - uses: JasonEtco/create-an-issue@e27dddc79c92bc6e4562f268fffa5ed752639abd # v2.9.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}