[ISSUE 435] Fix vulnerability checks #452
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
daphnegold
force-pushed
the
daphnegold/issue-435-bar-the-gates
branch
7 times, most recently
from
051951e to
eec8a1f
Compare
daphnegold
force-pushed
the
daphnegold/issue-435-bar-the-gates
branch
6 times, most recently
from
366c03e to
5b1dbef
Compare
daphnegold
force-pushed
the
daphnegold/issue-435-bar-the-gates
branch
3 times, most recently
from
b8e6ed3 to
e12e855
Compare
daphnegold
force-pushed
the
daphnegold/issue-435-bar-the-gates
branch
from
e12e855 to
215d7ac
Compare
daphnegold
force-pushed
the
daphnegold/issue-435-bar-the-gates
branch
from
71d8134 to
63801cf
Compare
daphnegold
changed the title
daphnegold
force-pushed
the
daphnegold/issue-435-bar-the-gates
branch
2 times, most recently
from
83e3247 to
22698af
Compare
daphnegold
force-pushed
the
daphnegold/issue-435-bar-the-gates
branch
from
22698af to
102e517
Compare
daphnegold
force-pushed
the
daphnegold/issue-435-bar-the-gates
branch
4 times, most recently
from
0688ce0 to
91e32e3
Compare
daphnegold
force-pushed
the
daphnegold/issue-435-bar-the-gates
branch
from
91e32e3 to
341befb
Compare
daphnegold
force-pushed
the
daphnegold/issue-435-bar-the-gates
branch
from
2b1f84d to
c07a116
Compare
…at if cache wasn't hit
daphnegold
force-pushed
the
daphnegold/issue-435-bar-the-gates
branch
2 times, most recently
from
1f65498 to
1ff7e81
Compare
SammySteiner
approved these changes
Sep 6, 2023
There was a problem hiding this comment.
This looks great, I was checking other ci-vulnerability-scans and seems like even when it doesn't have it in the cache it takes a 7ish minute run down to 3ish minute run!
One note regarding the cache limit, seems like github deletes older entries from the cache automatically after exceeding 10gb or 7 days, so this run should be fine, but I noticed another workflow uses the cache ci-frontend.yml, but I don't think it will be a problem. If it does, we could consider adding a step to delete the items from the cache: https://github.com/actions/cache/blob/main/tips-and-workarounds.md#force-deletion-of-caches-overriding-default-cache-eviction-policy
| @@ -1,8 +1,6 @@ | |||
| # GitHub Actions CI workflow that runs vulnerability scans on the application's Docker image | |||
| # to ensure images built are secure before they are deployed. | |||
|
|
|||
| # NOTE: The workflow isn't able to pass the docker image between jobs, so each builds the image. | |||
| # A future PR will pass the image between the scans to reduce overhead and increase speed | |||
| trivy-scan: | ||
| name: Trivy Scan | ||
| runs-on: ubuntu-latest | ||
| needs: build-and-cache |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #435
Time to review: 15 mins
Changes proposed
Use caching strategy to pass docker image between scan jobs and also for faster builds with docker layer caching. Seems like Docker build time is more than halved.
Context for reviewers
Observe action output as test.
Other strategies to share image across jobs were slow 🐌
Comments & Questions
Is this worth it? The time-to-run halved (~2 min to <=1 min) and it is a gateway to better outcomes if we leverage build caching across workflows as an end goal someday. What that looks like might become clearer when work is done on [Task]: Fix deploy Github Actions workflow #406.
Do we need to invalidate the caches, will it fill up quickly because we are using it short-term or will it get managed automagically?
https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#usage-limits-and-eviction-policyhttps://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#usage-limits-and-eviction-policy
Before (2 mins 18 secs)
With cached layers (46 secs)
With cache-hit == true (10 secs)