Update rumble github actions

Signed-off-by: Jamon Camisso <jamonation+git@gmail.com>
chainguard-dev · Jan 29, 2024 · 0c18514 · 0c18514
1 parent b6fe483
commit 0c18514
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 177 deletions.
diff --git a/.github/workflows/rumble-cve-data.yaml b/.github/workflows/rumble-cve-data.yaml
diff --git a/.github/workflows/rumble-vulnerability-data.yaml b/.github/workflows/rumble-vulnerability-data.yaml
@@ -4,44 +4,69 @@ on:
     - cron: "1 5 * * *"
   workflow_dispatch:
   push:
-    branches: [rumble-vulnerability-data]
+    branches: [rumble-insights]
+
+env:
+  PROJECT_ID: "${{ secrets.PROJECT_ID }}"
+  WORKLOAD_IDENTITY_PROVIDER: "${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}"
+  SERVICE_ACCOUNT: "${{ secrets.GH_ACTION_SERVICE_ACCOUNT }}"
+  GH_TOKEN: ${{ github.token }}
 
 defaults:
   run:
     shell: bash
     working-directory: ./tools/rumble
 
 jobs:
-  generate-vulnerability-json:
+  generate-csvs-and-json:
     runs-on: ubuntu-latest
 
     permissions:
-      id-token: write # federate with GCP
-
+      contents: read
+      id-token: read
+
     steps:
       - name: 'Checkout default branch to $GITHUB_WORKSPACE dir'
         uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3
 
       - name: Set up Go
         uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # actions/setup-go@v4
         with:
-          go-version: '^1.20.0'
-
-      - name: Fetch latest Grype vulnerability database
-        shell: bash
-        run: |
-          curl -s \
-            $(curl -s https://toolbox-data.anchore.io/grype/databases/listing.json \
-            |jq -r '.available."5" | .[0] .url') -o- \
-            |tar xvz
+          go-version: '^1.21.0'
 
       - name: Authenticate to Google Cloud
+        id: auth
         uses: google-github-actions/auth@ceee102ec2387dd9e844e01b530ccd4ec87ce955 # v0
         with:
           token_format: 'access_token'
-          project_id: "${{ secrets.PROJECT_ID }}"
-          workload_identity_provider: "${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}"
-          service_account: "${{ secrets.GH_ACTION_SERVICE_ACCOUNT }}"
+          project_id: "${{ env.PROJECT_ID }}"
+          workload_identity_provider: "${{ env.WORKLOAD_IDENTITY_PROVIDER }}"
+          service_account: "${{ env.SERVICE_ACCOUNT }}"
+
+      - name: Generate vulnerability JSON files
+        run: |
+          go run main.go vulns \
+            --project prod-images-c6e5 \
+            --db insights_ds \
+            --gcs-project chainguard-academy \
+            --bucket chainguard-academy \
+            --upload
+
+      - name: Generate image comparison CSVs
+        run: |
+          go run main.go image-csv \
+            --project prod-images-c6e5 \
+            --db insights_ds \
+            --gcs-project chainguard-academy \
+            --bucket chainguard-academy \
+            --rumble-json-path ../../data/rumble.json \
+            --upload
 
-      - name: Generate Rumble JSON files
-        run: go run .
+      - name: Generate legacy comparison CSV
+        run: |
+          go run main.go legacy-csv \
+            --project prod-images-c6e5 \
+            --db insights_ds \
+            --gcs-project chainguard-academy \
+            --bucket chainguard-academy \
+            --upload
diff --git a/.github/workflows/rumble.yaml b/.github/workflows/rumble.yaml