[upgrade] latest workflows

2025-07-11 07:39:26 +02:00
parent 525d571a6f
commit 6279ff8a3e
2 changed files with 74 additions and 4 deletions
--- a/.github/workflows/cve.yml
+++ b/.github/workflows/cve.yml
@@ -0,0 +1,70 @@
+name: cve
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "30 15 */2 * *"
+
+jobs:
+  cve:
+    runs-on: ubuntu-latest
+    steps:
+      - name: init / checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          ref: ${{ github.ref_name }}
+          fetch-depth: 0
+
+      - name: init / setup environment
+        uses: actions/github-script@62c3794a3eb6788d9a2a72b219504732c0c9a298
+        with:
+          script: |
+            const { existsSync, readFileSync } = require('node:fs');
+            const { resolve } = require('node:path');
+            const { inspect } = require('node:util');
+            const { Buffer } = require('node:buffer');
+            const inputs = `${{ toJSON(github.event.inputs) }}`;
+            const opt = {input:{}, dot:{}};            
+
+            try{
+              if(inputs.length > 0){
+                opt.input = JSON.parse(inputs);
+                if(opt.input?.etc){
+                  opt.input.etc = JSON.parse(Buffer.from(opt.input.etc, 'base64').toString('ascii'));
+                }
+              }
+            }catch(e){
+              core.warning('could not parse github.event.inputs');
+            }
+
+            try{
+              const path = resolve('.json');
+              if(existsSync(path)){
+                try{
+                  opt.dot = JSON.parse(readFileSync(path).toString());
+                }catch(e){
+                  throw new Error('could not parse .json');
+                }
+              }else{
+                throw new Error('.json does not exist');
+              }
+            }catch(e){
+              core.setFailed(e);
+            }
+
+            core.info(inspect(opt, {showHidden:false, depth:null, colors:true}));
+
+            core.exportVariable('WORKFLOW_IMAGE', `${opt.dot.image}:${(opt.dot?.semver?.version === undefined) ? 'rolling' : opt.dot.semver.version}`);
+            core.exportVariable('WORKFLOW_GRYPE_SEVERITY_CUTOFF', (opt.dot?.grype?.severity || 'high'));
+
+
+      - name: grype / scan
+        id: grype
+        uses: anchore/scan-action@dc6246fcaf83ae86fcc6010b9824c30d7320729e
+        with:
+          image: ${{ env.WORKFLOW_IMAGE }}
+          fail-build: true
+          severity-cutoff: ${{ env.WORKFLOW_GRYPE_SEVERITY_CUTOFF }}
+          output-format: 'sarif'
+          by-cve: true
+          cache-db: true