feat: store artifacts in cache by default #399
Conversation
It took me a while to understand why this test failed, while the run of entrypoint.sh succeeded, so I'm leaving it as a note: the checks bundle download fails due to GHCR's rate limit and falls back to the embedded checks. However, there is a difference between the embedded checks and the checks in GHCR, which also results in a difference in the results and causes this failure. If the download fails, it should not fall back so that the execution fails and the failure of the test can be more easily understood.
Since we are adding GitHub cache - some users may want to change the update interval (e.g. update trivy-db every 2 days).
I think the skip-db-update flag (and flags for other DBs) can be added for this.
On the other hand, we have these flags in config file.
But then perhaps we should mention these flags in the documents.
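One way to keep the cache but refresh the databases on a fixed interval, as an added example that is not part of this PR or of the project's own documentation: the cache key is derived from a two-day bucket of the current time, and the database update is skipped only when actions/cache restored a hit. It assumes the trivy-action inputs scan-type, cache-dir and skip-db-update, and uses a placeholder for the pinned action ref.

```yaml
name: trivy-scan
on: [push]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Constructed: 172800 s = 2 days, so the key changes every two days
      # and a fresh DB is downloaded on the first run after a rollover.
      - name: Compute cache bucket
        id: bucket
        run: echo "value=$(( $(date +%s) / 172800 ))" >> "$GITHUB_OUTPUT"

      # Trivy's default cache dir on Linux is ~/.cache/trivy (assumption:
      # matches the cache-dir input passed to the action below).
      - name: Cache Trivy databases
        id: trivy-cache
        uses: actions/cache@v4
        with:
          path: ~/.cache/trivy
          key: trivy-db-${{ steps.bucket.outputs.value }}

      # Placeholder ref: pin to a released tag or commit SHA in real use.
      - name: Run Trivy
        uses: aquasecurity/trivy-action@<pinned-ref>
        with:
          scan-type: fs
          cache-dir: ~/.cache/trivy
          # Only skip the update when the cache was actually restored;
          # a miss (new bucket) downloads the current DB.
          skip-db-update: ${{ steps.trivy-cache.outputs.cache-hit == 'true' }}
```

No restore-keys fallback is set on purpose, so an expired bucket misses rather than silently reusing an older database.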
I've also added an example for cronjob.
a8b935f
You're right but this is a one off case for the difference between what it downloads vs what's embedded as we're just transitioning to using the v1 checks bundle. This was just updated in the action.
@knqyf263 do you have a test run where we can see the output?
Yes, I have. However, this PR is making changes that will rewrite this action almost from scratch, and I would like to ask you guys (@simar7 and @DmitriyLewen ) to test it carefully in your own repositories. Since I'm not familiar with trivy-action, I'm really afraid of breaking something.
Signed-off-by: knqyf263 <[email protected]>
@knqyf263 I played with your changes in my test repository and didn't find issues.
I also tested it. Seems to be fine, you can see some tests here https://github.com/simar7/trivy-action-composite-test/actions - which indicate the cache was hit.
using: 'composite' | ||
steps: | ||
- name: Install Trivy | ||
shell: bash | ||
run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin ${{ inputs.version }} |
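Review bot: the Install Trivy step fetches contrib/install.sh from the unpinned main branch of the trivy repository and pipes it straight into sudo sh, so the installer is neither pinned to a release nor integrity-checked before it runs as root on the runner; consider pinning the script to a tagged ref and verifying a checksum before executing it, and pass the version through an environment variable (e.g. `env: TRIVY_VERSION: ${{ inputs.version }}` and then `-- -b /usr/local/bin "$TRIVY_VERSION"`) rather than interpolating `${{ inputs.version }}` directly into the `run:` line. This step also makes curl and passwordless sudo hard requirements on self-hosted runners, which the README should state.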
Why was this switched from docker to running on the local system? It's not a good practice to grant sudo access to github action runners. I just had some actions fail because they attempted to use sudo. Unless I misunderstand what "composite" means?
It also means curl is a requirement where it wasn't previously.
Hello @mattnakama-skytap @danielnitsche
We migrated to local system to add the ability to store databases in cache.
@DmitriyLewen You might want to consider installing via something like https://github.com/jaxxstorm/action-install-gh-release
@rvesse We just published.
https://github.com/aquasecurity/setup-trivy
Bad request - jaxxstorm/[email protected] is not allowed to be used in apache/pulsar.
https://github.com/apache/pulsar/actions/runs/11267174066/job/31332113823?pr=23429#step:1:45
Addressing this for Apache Pulsar in this way: apache/pulsar#23431
Hey, This PR seems to cause a small breaking change for us. for
I've tested it with v0.25.0, but got an error.
Where does your template (Ptrivy_markdown_template.tpl
Yes, it's something that's located in our repo under We use the following template:
Honestly, I don't understand why it used to work in your environment. I tested it, but the directory doesn't exist.
Could you share a small snippet that has started to cause errors after this change?
Hey, thnx for looking into this. I just did another test to confirm and this script works on
I took a look at your run and I think it failed while running the following command and thus didn't get to the trivy command. Perhaps you could try rerunning the action without this step?
Trivy failed, then I added them for debugging.
Strange, so for me the configuration I gave works with
After some googling I found that github actions set the WORKDIR in a container automatically to /github/workspace/ https://stackoverflow.com/questions/77871301/how-to-solve-error-cannot-find-module-in-custom-dockerfile-based-github-actions Maybe that's the reason?
Trivy is a verified creator on GitHub Actions, so organizations that only allow verified actions in their repositories can use Trivy. Except now Trivy depends on
By including a dependency on |
Hello @markbaird |
aquasecurity/trivy-action#399 (comment) Signed-off-by: knqyf263 <[email protected]>
@SimonRelu I copied your workflow file and deleted some unnecessary steps. I also put the template file. However, it still failed with v0.25.0.
https://github.com/knqyf263/trivy-action-test/actions/runs/11287781686/job/31394298976 Any ideas? Do
Description
Store DBs and checks bundle in the cache by default by using actions/cache to mitigate 429 TOOMANYREQUESTS.
- Use actions/cache to store DBs and checks bundle in cache
- New inputs: cache-dir, version, artifact-type