ci: add cron job to cache trivy db (#1918)

Signed-off-by: Binbin Li <[email protected]>
ratify-project · Nov 8, 2024 · 4ab047b · 4ab047b
1 parent 98f5581
commit 4ab047b
Show file tree

Hide file tree

Showing 7 changed files with 71 additions and 29 deletions.
diff --git a/.github/actions/restore_trivy_cache/action.yml b/.github/actions/restore_trivy_cache/action.yml
@@ -0,0 +1,20 @@
+name: "Steps to restore trivy cache"
+description: "Steps to restore Trivy cache under ~/.cache/trivy"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Get current date
+      id: date
+      run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+      shell: bash
+    - name: Restore trivy cache directory
+      uses: actions/cache/restore@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+      with:
+        path: ${{ github.workspace }}/.cache/trivy
+        key: cache-trivy-${{ steps.date.outputs.date }}
+    - name: Set up trivy cache directory
+      run: |
+        mkdir -p ~/.cache/trivy
+        cp -r ${{ github.workspace }}/.cache/trivy/db ~/.cache/trivy
+      shell: bash
diff --git a/.github/workflows/e2e-aks.yml b/.github/workflows/e2e-aks.yml
@@ -52,6 +52,9 @@ jobs:
           # Container Registry:
           az account get-access-token --scope https://containerregistry.azure.net/.default --output none
 
+      - name: Restore Trivy cache
+        uses: ./.github/actions/restore_trivy_cache
+
       - name: Dependencies e2e
         run: |
           mkdir -p $GITHUB_WORKSPACE/bin

diff --git a/.github/workflows/e2e-cli.yml b/.github/workflows/e2e-cli.yml
@@ -75,6 +75,8 @@ jobs:
           go-version: "1.22"
       - name: Run tidy
         run: go mod tidy
+      - name: Restore Trivy cache
+        uses: ./.github/actions/restore_trivy_cache
       - name: Build CLI
         run: make
       - name: Check build

diff --git a/.github/workflows/e2e-k8s.yml b/.github/workflows/e2e-k8s.yml
@@ -36,7 +36,8 @@ jobs:
         uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
           go-version: "1.22"
-
+      - name: Restore Trivy cache
+        uses: ./.github/actions/restore_trivy_cache
       - name: Bootstrap e2e
         run: |
           mkdir -p $GITHUB_WORKSPACE/bin

diff --git a/.github/workflows/scan-vulns.yaml b/.github/workflows/scan-vulns.yaml
@@ -55,15 +55,8 @@ jobs:
           tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
           echo "$(pwd)" >> $GITHUB_PATH
       
-      - name: Download vulnerability database
-        uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
-        with:
-          max_attempts: 3
-          retry_on: error
-          timeout_seconds: 30
-          retry_wait_seconds: 5
-          command: |
-            trivy image --download-db-only
+      - name: Restore Trivy cache
+        uses: ./.github/actions/restore_trivy_cache
 
       - name: Run trivy on git repository
         run: |

diff --git a/.github/workflows/update-trivy-cache.yml b/.github/workflows/update-trivy-cache.yml
@@ -0,0 +1,42 @@
+name: Update Trivy Cache
+
+on:
+  schedule:
+    - cron: '0 0 * * *'  # Run daily at midnight UTC
+  workflow_dispatch:
+
+permissions: read-all
+
+jobs:
+  update-trivy-db:
+    runs-on: ubuntu-latest
+    if: ${{ github.ref == github.event.repository.default_branch }}
+    steps:
+      - name: Setup oras
+        uses: oras-project/setup-oras@9c92598691bfef1424de2f8fae81941568f5889c # v1.2.1
+
+      - name: Get current date
+        id: date
+        run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
+      - name: Prepare DB directory
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
+      
+      - name: Download vulnerability database
+        uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
+        with:
+          max_attempts: 60
+          retry_on: error
+          timeout_seconds: 30
+          retry_wait_seconds: 60
+          command: |
+            oras pull ghcr.io/aquasecurity/trivy-db:2
+            tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
+            rm db.tar.gz
+
+      - name: Cache DBs
+        uses: actions/cache/save@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        with:
+          path: ${{ github.workspace }}/.cache/trivy
+          key: cache-trivy-${{ steps.date.outputs.date }}
diff --git a/Makefile b/Makefile
@@ -467,25 +467,6 @@ e2e-trivy-setup:
 	curl -L https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz --output .staging/trivy/trivy.tar.gz
 	tar -zxf .staging/trivy/trivy.tar.gz -C .staging/trivy
 
-	# Download vulnerability database in retry mode
-	max_retries=3; \
-	attempt=1; \
-	wait_time=2; \
-	while [ $$attempt -le $$max_retries ]; do \
-		echo "Attempt $$attempt of $$max_retries..."; \
-		if .staging/trivy/trivy image --download-db-only; then \
-			break; \
-		fi; \
-		if [ $$attempt -eq $$max_retries ]; then \
-			echo "Failed after $$max_retries attempts."; \
-			exit 1; \
-		fi; \
-		echo "Failed. Retrying in $$wait_time seconds..."; \
-		sleep $$wait_time; \
-		wait_time=$$(( wait_time * 2 )); \
-		attempt=$$(( attempt + 1 )); \
-	done
-
 e2e-schemavalidator-setup:
 	rm -rf .staging/schemavalidator
 	mkdir -p .staging/schemavalidator