fixup! feat(cve-scan-patch): patch image in dedicated GH Action job

sighupio · Oct 4, 2024 · 1d6758a · 1d6758a
1 parent ffbdb09
commit 1d6758a
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 3 deletions.
diff --git a/.github/workflows/cve-scan-and-patching.yml b/.github/workflows/cve-scan-and-patching.yml
@@ -29,7 +29,9 @@ jobs:
   scan_pre_patch:
     runs-on: ubuntu-latest
     needs: fetch_kfd_versions
+    continue-on-error: true
     strategy:
+      fail-fast: false
       matrix:
         kfd_version: ${{ fromJson(needs.fetch_kfd_versions.outputs.kfd_versions_json) }}
     steps:
@@ -87,7 +89,9 @@ jobs:
     runs-on: ubuntu-latest
     needs:
       - fetch_kfd_images_to_patch
+    continue-on-error: true
     strategy:
+      fail-fast: false
       matrix:
         image_to_patch: ${{ fromJson(needs.fetch_kfd_images_to_patch.outputs.images_to_patch_json) }}
     steps:
@@ -143,6 +147,7 @@ jobs:
     needs:
       - fetch_kfd_versions
       - patch
+    continue-on-error: true
     strategy:
       matrix:
         kfd_version: ${{ fromJson(needs.fetch_kfd_versions.outputs.kfd_versions_json) }}
@@ -176,8 +181,7 @@ jobs:
       - name: publish CVE scan post patch output files for KFD ${{ matrix.kfd_version }}
         uses: actions/upload-artifact@v4
         with:
-          overwrite: true
-          name: ${{ matrix.kfd_version }}
+          name: cve-reports-${{ matrix.kfd_version }}
           path: |
             CVEs/${{ matrix.kfd_version }}/images.txt
             CVEs/${{ matrix.kfd_version }}/images-patched.txt
@@ -202,5 +206,7 @@ jobs:
             reports/*.patched.md
       - uses: geekyeggo/delete-artifact@v5
         with:
-          name: patch-report-*.md
+          name: |
+            patch-report-*.md
+            v*
           failOnError: false
diff --git a/scripts/patch_images_with_copacetic.sh b/scripts/patch_images_with_copacetic.sh
@@ -113,6 +113,7 @@ function patch_image() {
       -t "$secured_image" \
       -f - "$DOCKERFILE_OUTPUT_DIR" &> /dev/null
     secured_labeled_image_hash=$(docker inspect "$secured_image" --format '{{.Id}}')
+    sed -i'.unsecured' s#"$image_to_patch-patched"#"$secured_image"# "$PATCH_REPORT_OUTPUT_FILE"
     sed -i'.unsecured' s#"$image_patched_hash"#"$secured_labeled_image_hash"# "$PATCH_REPORT_OUTPUT_FILE"
     rm "$PATCH_REPORT_OUTPUT_FILE.unsecured"
     echo ">>>>>>>>>>>>>>>>>>> Push secure image: $secured_image <<<<<<<<<<<<<<<<<<<<<"