Continue the Trivy workflow when its data download fails

Later steps will use data from the action cache and ignore its age. The workflow fails when the download fails and the cache is empty. Issue: PGO-1893
CrunchyData · Nov 17, 2024 · 0121f86 · 0121f86
1 parent 2c3d3d0
commit 0121f86
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 3 deletions.
diff --git a/.github/actions/trivy/action.yaml b/.github/actions/trivy/action.yaml
@@ -13,6 +13,11 @@ inputs:
     description: >-
       What Trivy data to cache; one or more of restore, save, success, or use.
 
+  database:
+    default: update
+    description: >-
+      How Trivy should handle its data; one of update, only, or skip.
+
   setup:
     default: v0.57.0,cache
     description: >-
@@ -67,6 +72,11 @@ runs:
       env:
         TRIVY_CACHE_DIR: >-
           ${{ contains(fromJSON(steps.parsed.outputs.cache), 'use') && inputs.cache-directory || '' }}
+        TRIVY_DB_DOWNLOAD_ONLY: ${{ inputs.database == 'only' }}
+        TRIVY_DB_SKIP_UPDATE: ${{ inputs.database == 'skip' }}
+        TRIVY_DB_DOWNLOAD_JAVA_ONLY: ${{ inputs.database == 'only' }}
+        TRIVY_DB_JAVA_SKIP_UPDATE: ${{ inputs.database == 'skip' }}
+        TRIVY_REGO_SKIP_CHECK_UPDATE: ${{ inputs.database == 'skip' }}
       run: |
         # Run Trivy
         trivy '${{ inputs.scan-type }}' '${{ inputs.scan-target }}' || result=$?

diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
@@ -16,18 +16,25 @@ jobs:
   cache:
     # Run only one of these jobs at a time across the entire project.
     concurrency: { group: trivy-cache }
+    # Do not fail this workflow when this job fails.
+    continue-on-error: true
 
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - uses: ./.github/actions/trivy
         env:
-          TRIVY_DB_DOWNLOAD_ONLY: true
           TRIVY_DB_NO_PROGRESS: true
           TRIVY_SCANNERS: license,secret,vuln
+        with:
+          database: only
 
   licenses:
+    # Run this job after the cache job regardless of its success or failure.
     needs: [cache]
+    if: >-
+      ${{ !cancelled() }}
+
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -46,13 +53,16 @@ jobs:
           TRIVY_SCANNERS: license
         with:
           cache: restore,use
+          database: skip
 
   vulnerabilities:
-    if: ${{ github.repository == 'CrunchyData/postgres-operator' }}
+    # Run this job after the cache job regardless of its success or failure.
+    needs: [cache]
+    if: >-
+      ${{ github.repository == 'CrunchyData/postgres-operator' && !cancelled() }}
     permissions:
       security-events: write
 
-    needs: [cache]
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -66,6 +76,7 @@ jobs:
           TRIVY_SCANNERS: secret,vuln
         with:
           cache: restore,use
+          database: skip
 
       # Produce a SARIF report of actionable results. This step fails only when
       # Trivy is unable to scan.
@@ -78,6 +89,7 @@ jobs:
           TRIVY_SCANNERS: secret,vuln
         with:
           cache: use
+          database: skip
           setup: none
 
       # Submit the SARIF report to GitHub code scanning. Pull requests checks