canonical · phvalguima · Jan 25, 2024
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -0,0 +1,56 @@
+name: Build ROCK
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+on:
+  pull_request:
+  workflow_call:
+    outputs:
+      rock:
+        description: "The rock output of build process."
+        value: ${{ jobs.build.outputs.rock }}
+
+jobs:
+  build:
+    name: Build Rock
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Setup LXD
+        uses: canonical/setup-lxd@main
+
+      - name: Install dependencies
+        run: |
+          # docker
+          sudo snap install docker
+          sudo addgroup --system docker; sudo adduser $USER docker
+          newgrp docker
+          sudo snap disable docker; sudo snap enable docker
+
+          # skopeo
+          sudo snap install --devmode --channel edge skopeo
+
+          # rockcraft
+          sudo snap install rockcraft --classic --edge
+
+          # jq and yq
+          sudo snap install jq yq
+
+      - name: Build ROCK
+        id: build
+        run: |
+          rockcraft pack --verbose
+          VERSION=$(yq '.version' rockcraft.yaml)
+          echo "rock=charmed-opensearch_${VERSION}_amd64.rock" >> $GITHUB_OUTPUT
+
+      - name: Upload locally built ROCK artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: charmed-opensearch
+          path: ${{ steps.build.outputs.rock }}
+
+    outputs:
+      rock: ${{ steps.build.outputs.rock }}
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -11,59 +11,7 @@ on:
 
 jobs:
   build:
-    name: Build Rock
-    runs-on: ubuntu-latest
-    timeout-minutes: 30
-    outputs:
-      rock-file: ${{ steps.build-snap.outputs.rock }}
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Setup LXD
-        uses: canonical/setup-lxd@main
-
-      - name: Install required dependencies
-        run: |
-          # docker
-          sudo snap install docker
-          sudo addgroup --system docker; sudo adduser $USER docker
-          newgrp docker
-          sudo snap disable docker; sudo snap enable docker
-
-          # skopeo
-          sudo snap install --devmode --channel edge skopeo
-
-          # rockcraft
-          sudo snap install rockcraft --classic --edge
-
-          # jq and yq
-          sudo snap install jq yq
-
-      - name: Upgrade linux deps with security updates
-        run: |
-          sudo apt-get update
-
-          # install security updates
-          sudo apt-get -s dist-upgrade \
-            | grep "^Inst" \
-            | grep -i securi \
-            | awk -F " " {'print $2'} \
-            | xargs sudo apt-get install -y
-
-          sudo apt-get autoremove -y
-
-      - name: Build rock
-        run: |
-          rockcraft pack --verbose
-
-      - name: Upload built rock job artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: charmed_opensearch_rock_amd64
-          path: "charmed-opensearch_*.rock"
+    uses: ./.github/workflows/build.yaml
 
   test:
     name: Test Rock

diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
@@ -0,0 +1,50 @@
+name: Trivy Security Scanner
+on:
+  push:
+    branches:
+      - main
+  schedule:
+    - cron: '53 0 * * *' # Daily at 00:53 UTC
+  pull_request:
+
+jobs:
+  build:
+    uses: ./.github/workflows/build.yaml
+
+  scan:
+    name: Trivy scan
+    needs: 
+      - build
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Install skopeo
+        run: |
+          sudo snap install --devmode --channel edge skopeo
+          sudo snap install yq
+
+      - uses: actions/download-artifact@v3
+        with:
+          name: charmed-opensearch
+
+      - name: Import locally
+        run: |
+          sudo skopeo --insecure-policy copy \
+            oci-archive:${{ needs.build.outputs.rock }} \
+            docker-daemon:trivy/charmed-opensearch:test
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'trivy/charmed-opensearch:test'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'MEDIUM,HIGH,CRITICAL'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
diff --git a/rockcraft.yaml b/rockcraft.yaml
@@ -1,7 +1,7 @@
 # Copyright 2023 Canonical Ltd.
 # See LICENSE file for licensing details.
 name: charmed-opensearch  # the name of your ROCK
-base: ubuntu:22.04  # the base environment for this ROCK
+base: ubuntu@22.04  # the base environment for this ROCK
 license: Apache-2.0
 
 version: '2.10.0' # just for humans. Semantic versioning is recommended