skip vulnerability tests if eol values are in the past

canonical · Feb 6, 2024 · 0ee89ce · 0ee89ce
1 parent f8a9357
commit 0ee89ce
Showing 1 changed file with 20 additions and 4 deletions.
diff --git a/.github/workflows/Vulnerability-Scan.yaml b/.github/workflows/Vulnerability-Scan.yaml
@@ -32,6 +32,7 @@ env:
   TEST_IMAGE_NAME: 'test-img'
   TEST_IMAGE_TAG: 'test'
   SKOPEO_IMAGE: 'quay.io/skopeo/stable:v1.13'
+  SKIP_VULN_TEST: 0
 
 jobs:
   test-vulnerabilities:
@@ -43,20 +44,33 @@ jobs:
     steps:
       - uses: actions/checkout@v3
 
+      - name: Validate end-of-life field values
+        run: |
+          CURRENT_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+          EOL_DATES=$(grep -oP 'end-of-life: "\K[0-9-]+T[0-9:]+Z' ${{ inputs.oci-image-path }}/image.yaml)
+
+          while IFS= read -r EOL_DATE; do
+            if [[ "$EOL_DATE" < "$CURRENT_DATE" ]]; then
+              SKIP_VULN_TEST=1
+            fi
+          done <<< "$EOL_DATES""
+
       - id: vulnerability-report
+        if: ${{ env.SKIP_VULN_TEST == 0 }}
         run: |
           full_name="${{ inputs.oci-image-name }}${{ inputs.vulnerability-report-suffix }}"
           final_name="$(echo ${full_name} | sed 's/ghcr.io\/canonical\/oci-factory\///g' | tr ':' '_')"
           echo "name=$final_name" >> "$GITHUB_OUTPUT" 
 
       - uses: actions/cache/restore@v3
-        if: ${{ inputs.cache-key != '' }}
+        if: ${{ inputs.cache-key != '' && env.SKIP_VULN_TEST == 0 }}
         with:
           path: ${{ env.TEST_IMAGE_NAME}}
           key: ${{ inputs.cache-key }}
           fail-on-cache-miss: true
 
       - name: Copy image to Docker daemon
+        if: ${{ env.SKIP_VULN_TEST == 0 }}
         id: to-docker-daemon
         run: |
           d_img_name="${{ env.TEST_IMAGE_NAME}}:${{ env.TEST_IMAGE_TAG }}"
@@ -74,6 +88,7 @@ jobs:
             docker-daemon:$d_img_name
 
       - name: Check for .trivyignore
+        if: ${{ env.SKIP_VULN_TEST == 0 }}
         id: trivyignore
         run: |
           if [ -f ${{ inputs.oci-image-path }}/.trivyignore ]
@@ -87,6 +102,7 @@ jobs:
           echo "file=$file" >> "$GITHUB_OUTPUT"
 
       - name: Scan for vulnerabilities
+        if: ${{ env.SKIP_VULN_TEST == 0 }}
         uses: aquasecurity/trivy-action@0.9.2
         with:
           # NOTE: we're allowing images with vulnerabilities to be published
@@ -103,7 +119,7 @@ jobs:
           image-ref: '${{ steps.to-docker-daemon.outputs.name }}'
 
       - name: Process report
-        if: ${{ always() }}
+        if: ${{ env.SKIP_VULN_TEST == 0 }}
         id: check-report
         run: |
           report="${{ steps.vulnerability-report.outputs.name }}"
@@ -127,13 +143,13 @@ jobs:
           done
 
       - uses: actions/cache/save@v3
-        if: ${{ always() }}
+        if: ${{ env.SKIP_VULN_TEST == 0 }}
         with:
           path: ${{ steps.vulnerability-report.outputs.name }}
           key: ${{ github.run_id }}-${{ steps.vulnerability-report.outputs.name }}
 
       - uses: actions/upload-artifact@v3
-        if: ${{ always() }}
+        if: ${{ env.SKIP_VULN_TEST == 0 }}
         with:
           name: ${{ steps.vulnerability-report.outputs.name }}
           path: ${{ steps.vulnerability-report.outputs.name }}