updates.yaml

name: updates

on:
  schedule:
    - cron: "*/60 * * * *" # Every 60 minutes
  push:
    branches: [main]
    paths:
      - '.github/workflows/updates.yaml'
      - '.github/chainguard/updates.sts.yaml'
      - 'helm/redis/values.yaml'
  workflow_dispatch: # Allows manual triggering

env:
  REDIS_IMAGE: "cgr.dev/cgr-demo.com/redis-server-bitnami"
  
jobs:
  check-for-fixes:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      id-token: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          ref: main

      - name: Setup Go environment
        uses: actions/setup-go@v5.1.0
      
      - uses: octo-sts/action@6177b4481c00308b3839969c3eca88c96a91775f # v1.0.0
        id: octo-sts
        with:
          scope: chainguard-dev/chainguard-migration-demo
          identity: updates
          
      - name: Install Crane
        run: go install github.com/google/go-containerregistry/cmd/crane@latest

      - name: Install Grype
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
        
      - name: Install Cosign
        uses: sigstore/cosign-installer@v3.7.0
      
      - uses: chainguard-dev/setup-chainctl@v0.2.4
        with:
          identity: "4cf15780a13a9b6576d8b357e6524554c8c12a18/360614f2fd18f22d"
        
      - name: 'Auth to Registry'
        run: |
          chainctl auth configure-docker
  
      - name: Extract unique image.tag value
        id: extract_unique_tag
        run: |
          CURRENT_UNIQUE_IMAGE=$(yq '.image.tag' helm/redis/values.yaml)
          echo "Extracted Unique Tags: $CURRENT_UNIQUE_IMAGE"
          echo "CURRENT_UNIQUE_TAG=$CURRENT_UNIQUE_IMAGE" >> $GITHUB_ENV

      - name: Get latest unique tag
        id: get_current_unique_tag
        run: |
          LATEST_UNIQUE_TAG=$(crane ls ${{ env.REDIS_IMAGE }} | grep -E '^[^ ]+-[0-9]{12}$' | grep -v '^latest' | grep -v '\-dev' | sort -Vr | head -n 1)
          echo "LATEST_UNIQUE_TAG=${LATEST_UNIQUE_TAG}" >> $GITHUB_ENV

      - name: Compare unique tags
        id: compare_unique_tags
        run: |
          echo "CURRENT_UNIQUE_TAG=${{ env.CURRENT_UNIQUE_TAG }}"
          echo "LATEST_UNIQUE_TAG=${{ env.LATEST_UNIQUE_TAG }}"
          if [ "${{ env.CURRENT_UNIQUE_TAG }}" != "${{ env.LATEST_UNIQUE_TAG }}" ]; then
            echo "UNIQUE_TAGS_CHANGED=true" >> $GITHUB_ENV
          else
            echo "UNIQUE_TAGS_CHANGED=false" >> $GITHUB_ENV
          fi

      - name: Run chainctl images diff
        if: env.UNIQUE_TAGS_CHANGED == 'true'
        id: diff_vulnerabilities
        run: |
          OLD_IMAGE="${{ env.REDIS_IMAGE }}:${{ env.CURRENT_UNIQUE_TAG }}"
          NEW_IMAGE="${{ env.REDIS_IMAGE }}:${{ env.LATEST_UNIQUE_TAG }}"

          CVE_LIST_JSON=$(chainctl images diff $OLD_IMAGE $NEW_IMAGE 2>/dev/null | jq -c '[.vulnerabilities.removed[] | select(.severity == "Critical" or .severity == "High") | .id]')
          echo "CVE_LIST=$CVE_LIST_JSON" >> $GITHUB_ENV

          if [ -n "$CVE_LIST_JSON" ]; then
            echo "Found CVE fixes for the following CVES: $CVE_LIST_JSON"
            echo "FIX_CVE=true" >> $GITHUB_ENV
          else
            echo "No CVE fixes available"
            echo "FIX_CVE=false" >> $GITHUB_ENV
          fi
    
      - env:
          GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}
        run: |
          gh repo list
          
      - name: Update Helm Values
        shell: bash
        run: yq -i ".image.tag = \"${{ env.LATEST_UNIQUE_TAG }}\"" helm/redis/values.yaml
      
      - name: Run git diff
        id: create_pr_update
        shell: bash
        run: |
          git diff --stat
          echo "create_pr_update=false" >> $GITHUB_OUTPUT
          if [[ $(git diff --stat) != '' ]]; then
            echo "create_pr_update=true" >> $GITHUB_OUTPUT
            echo "diff<<EOF" >> "${GITHUB_OUTPUT}"
            git diff >> "${GITHUB_OUTPUT}"
            echo "EOF" >> "${GITHUB_OUTPUT}"
          fi
      
      - uses: chainguard-dev/actions/setup-gitsign@57cb0b7560d9b9b081c15ac5ef689f73f4dda03e # main branch as of 2024-08-02
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
        id: pull_request
        with:
          token: ${{ steps.octo-sts.outputs.token }}
          commit-message: 'Update images digests'
          title: 'Apply CVE Fix'
          body: |
            "Update Helm Redis Image Tag to ${{ env.LATEST_UNIQUE_TAG }}"
      
            ## Changes
            <details>
      
            ```diff
            ${{ steps.create_pr_update.outputs.diff }}
            ```
      
            </details>
          labels: automated pr, cve, patch
          branch: 'apply-cve-fix'
          committer: 'github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>'
          author: '${{ github.actor }} <${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com>'
          delete-branch: true