Skip to content

airflow GHSA-q34m-jh98-gwm2/GHSA-f9vj-2wh5-fj8j advisories (#9040) #4832

airflow GHSA-q34m-jh98-gwm2/GHSA-f9vj-2wh5-fj8j advisories (#9040)

airflow GHSA-q34m-jh98-gwm2/GHSA-f9vj-2wh5-fj8j advisories (#9040) #4832

name: Build and publish secdb
on:
push:
branches:
- main
workflow_dispatch:
permissions:
contents: read
jobs:
build-publish:
name: Build and publish security database
runs-on: ubuntu-latest
if: github.repository == 'wolfi-dev/advisories'
permissions:
id-token: write
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
# this need to point to main to always get the latest action
- uses: wolfi-dev/actions/build-and-publish-secdb@main # main
with:
workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha"
service_account: "[email protected]"
gcp_project_id: prod-images-c6e5
wolfictl_args: "advisory secdb --advisories-repo-dir . --arch x86_64 --arch aarch64 -o security.json"
gcs_apk_bucket_name: wolfi-production-registry-destination
gcs_apk_directory_name: os
- name: Post failure notice to Slack
uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 # ratchet:rtCamp/[email protected]
if: ${{ failure() }}
env:
SLACK_ICON: http://github.com/chainguard-dev.png?size=48
SLACK_USERNAME: guardian
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
SLACK_CHANNEL: 'eng-squad-lifecycle-alerts'
SLACK_COLOR: '#8E1600'
MSG_MINIMAL: 'true'
SLACK_TITLE: Build/Publish SecDB for ${{ github.repository }} failed!
SLACK_MESSAGE: |
For detailed logs: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}