Update to vulndb v3.666 #15

Summary
Jobs
- publish
- retag
Run details
- Usage
- Workflow file

Workflow file for this run

.github/workflows/release.yml at 860f761

	name: Release

	on:
	push:
	tags:
	- 'v*'

	jobs:

	publish:
	runs-on: ubuntu-latest
	permissions:
	contents: read
	# write is needed for:
	# - OIDC for cosign's use in ecm-distro-tools/publish-image.
	# - Read vault secrets in rancher-eio/read-vault-secrets.
	id-token: write

	steps:
	- name: Checkout code
	uses: actions/checkout@v4
	- name: Load Secrets from Vault
	uses: rancher-eio/read-vault-secrets@main
	with:
	secrets: \|
	secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username \| RANCHER_DOCKER_USERNAME ;
	secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password \| RANCHER_DOCKER_PASSWORD ;
	secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials username \| DOCKER_USERNAME ;
	secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials password \| DOCKER_PASSWORD ;
	secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry \| PRIME_REGISTRY ;
	secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username \| PRIME_REGISTRY_USERNAME ;
	secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password \| PRIME_REGISTRY_PASSWORD
	- name: Parse target tag
	run: \|
	TARGET=${{ github.ref_name }}
	echo "TAG=${TARGET#v}" >> $GITHUB_ENV
	- name: Download vulnerability database
	run: \|
	wget https://${{ secrets.VULNDB_SERVER }}/${TAG}/cvedb.regular -O data/cvedb.regular
	- name: Publish neuvector manifest
	uses: rancher/ecm-distro-tools/actions/publish-image@master
	with:
	push-to-public: true
	push-to-prime: false
	image: scanner
	tag: ${{ env.TAG }}
	platforms: linux/amd64,linux/arm64

	public-registry: docker.io
	public-repo: neuvector
	public-username: ${{ env.DOCKER_USERNAME }}
	public-password: ${{ env.DOCKER_PASSWORD }}
	- name: Publish rancher manifest
	uses: rancher/ecm-distro-tools/actions/publish-image@master
	env:
	IMAGE_PREFIX: neuvector-
	with:
	image: neuvector-scanner
	tag: ${{ env.TAG }}
	platforms: linux/amd64,linux/arm64

	public-registry: docker.io
	public-repo: rancher
	public-username: ${{ env.RANCHER_DOCKER_USERNAME }}
	public-password: ${{ env.RANCHER_DOCKER_PASSWORD }}

	prime-registry: ${{ env.PRIME_REGISTRY }}
	prime-repo: rancher
	prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
	prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
	retag:
	runs-on: ubuntu-latest
	needs: [publish]
	permissions:
	contents: read
	# write is needed for:
	# - OIDC for cosign's use in ecm-distro-tools/publish-image.
	# - Read vault secrets in rancher-eio/read-vault-secrets.
	id-token: write
	steps:
	- name: Checkout code
	uses: actions/checkout@v4
	- name: Load Secrets from Vault
	uses: rancher-eio/read-vault-secrets@main
	with:
	secrets: \|
	secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username \| RANCHER_DOCKER_USERNAME ;
	secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password \| RANCHER_DOCKER_PASSWORD ;
	secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials username \| DOCKER_USERNAME ;
	secret/data/github/repo/${{ github.repository }}/dockerhub/neuvector/credentials password \| DOCKER_PASSWORD ;
	secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry \| PRIME_REGISTRY ;
	secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username \| PRIME_REGISTRY_USERNAME ;
	secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password \| PRIME_REGISTRY_PASSWORD
	- name: Parse target tag
	run: \|
	TARGET=${{ github.ref_name }}
	echo "TAG=${TARGET#v}" >> $GITHUB_ENV
	- name: Check if we should tag v6 scanner
	run: \|
	if [[ ${{ github.ref_name }} =~ ^v[0-9]+\.[0-9]+$ ]];then
	echo "We should update v6 scanner"
	echo "UPDATE_MUTABLE_TAG=True" >> $GITHUB_ENV
	fi
	- name: Login to registry
	if: env.UPDATE_MUTABLE_TAG == 'True'
	uses: docker/login-action@v3
	with:
	registry: docker.io
	username: ${{ env.DOCKER_USERNAME }}
	password: ${{ env.DOCKER_PASSWORD }}
	- name: Tag v6 scanner to neuvector
	if: env.UPDATE_MUTABLE_TAG == 'True'
	run: \|
	docker buildx imagetools create --tag docker.io/${{ github.repository_owner }}/scanner:6 docker.io/${{ github.repository_owner }}/scanner:${TAG}
	- name: Login to registry
	if: env.UPDATE_MUTABLE_TAG == 'True'
	uses: docker/login-action@v3
	with:
	registry: ${{ env.PRIME_REGISTRY }}
	username: ${{ env.PRIME_REGISTRY_USERNAME }}
	password: ${{ env.PRIME_REGISTRY_PASSWORD }}
	- name: Tag v6 scanner to prime
	if: env.UPDATE_MUTABLE_TAG == 'True'
	run: \|
	docker buildx imagetools create --tag ${PRIME_REGISTRY}/rancher/neuvector-scanner:6 ${PRIME_REGISTRY}/rancher/neuvector-scanner:${TAG}
	- name: Login to registry
	if: env.UPDATE_MUTABLE_TAG == 'True'
	uses: docker/login-action@v3
	with:
	registry: docker.io
	username: ${{ env.RANCHER_DOCKER_USERNAME }}
	password: ${{ env.RANCHER_DOCKER_PASSWORD }}
	- name: Tag v6 scanner to rancher
	if: env.UPDATE_MUTABLE_TAG == 'True'
	run: \|
	docker buildx imagetools create --tag docker.io/rancher/neuvector-scanner:6 docker.io/rancher/neuvector-scanner:${TAG}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update to vulndb v3.666 #15

Workflow file

Update to vulndb v3.666 #15

Jobs

Run details

Workflow file for this run