feat: add nightly branch workflow
This commit is contained in:
GitHub Actions
@@ -13,6 +13,7 @@
|
||||
Successfully implemented workflow orchestration dependency to ensure supply chain verification runs **after** Docker image build completes, eliminating false "image not found" skips in PR workflows.
|
||||
|
||||
**Impact**:
|
||||
|
||||
- ✅ Supply chain verification now executes sequentially after docker-build
|
||||
- ✅ PR workflows receive actual verification results instead of skips
|
||||
- ✅ Zero breaking changes to existing workflows
|
||||
@@ -29,6 +30,7 @@ Successfully implemented workflow orchestration dependency to ensure supply chai
|
||||
The supply chain verification workflow (`supply-chain-verify.yml`) was running **concurrently** with the Docker build workflow (`docker-build.yml`) when triggered by pull requests. This caused verification to skip because the Docker image didn't exist yet.
|
||||
|
||||
**Observed Behavior**:
|
||||
|
||||
```
|
||||
PR Opened/Updated
|
||||
├─> docker-build.yml starts (builds & pushes image)
|
||||
@@ -42,6 +44,7 @@ Both workflows triggered independently on the same events (`pull_request`, `push
|
||||
### Evidence
|
||||
|
||||
From [GitHub Actions Run #20873681083](https://github.com/Wikid82/Charon/actions/runs/20873681083):
|
||||
|
||||
```
|
||||
⚠️ Image not found - likely not built yet
|
||||
This is normal for PR workflows before docker-build completes
|
||||
@@ -58,6 +61,7 @@ The workflow correctly detected the missing image but had no mechanism to wait f
|
||||
**Approach**: Keep workflows separate with dependency orchestration via `workflow_run` trigger.
|
||||
|
||||
**Rationale**:
|
||||
|
||||
- **Modularity**: Each workflow maintains a single, cohesive purpose
|
||||
- **Reusability**: Verification can run independently via manual trigger or schedule
|
||||
- **Maintainability**: Easier to test, debug, and understand individual workflows
|
||||
@@ -85,6 +89,7 @@ The workflow correctly detected the missing image but had no mechanism to wait f
|
||||
#### 1. Updated Workflow Triggers
|
||||
|
||||
**Before**:
|
||||
|
||||
```yaml
|
||||
on:
|
||||
release:
|
||||
@@ -97,6 +102,7 @@ on:
|
||||
```
|
||||
|
||||
**After**:
|
||||
|
||||
```yaml
|
||||
on:
|
||||
release:
|
||||
@@ -118,6 +124,7 @@ on:
|
||||
```
|
||||
|
||||
**Key Changes**:
|
||||
|
||||
- ✅ Removed `pull_request` trigger to prevent premature execution
|
||||
- ✅ Added `workflow_run` trigger targeting docker-build workflow
|
||||
- ✅ Specified branches to match docker-build's deployment branches
|
||||
@@ -139,6 +146,7 @@ jobs:
|
||||
```
|
||||
|
||||
This ensures verification only runs when:
|
||||
|
||||
- It's a scheduled scan (weekly) on main branch, OR
|
||||
- The triggering workflow completed successfully
|
||||
|
||||
@@ -177,6 +185,7 @@ Extended tag determination to handle `workflow_run` context:
|
||||
```
|
||||
|
||||
**Features**:
|
||||
|
||||
- Correctly maps branches to image tags
|
||||
- Extracts PR number from workflow_run context
|
||||
- Falls back to SHA-based tag if PR number unavailable
|
||||
@@ -297,6 +306,7 @@ User triggers workflow_dispatch
|
||||
### Post-deployment Monitoring
|
||||
|
||||
**To validate successful implementation, monitor**:
|
||||
|
||||
1. Next PR creation triggers docker-build → supply-chain-verify sequentially
|
||||
2. Supply chain verification finds and scans the image (no skip)
|
||||
3. PR receives comment with actual vulnerability scan results
|
||||
@@ -352,11 +362,13 @@ User triggers workflow_dispatch
|
||||
**No code changes needed.** The workflow orchestration happens automatically.
|
||||
|
||||
**What Changed**:
|
||||
|
||||
- Supply chain verification now runs **after** docker-build completes on PRs
|
||||
- PRs will receive actual vulnerability scan results (not skips)
|
||||
- Manual and scheduled verifications still work as before
|
||||
|
||||
**What Stayed the Same**:
|
||||
|
||||
- Docker build process unchanged
|
||||
- Image tagging strategy unchanged
|
||||
- Verification logic unchanged
|
||||
@@ -365,6 +377,7 @@ User triggers workflow_dispatch
|
||||
### For CI/CD Maintainers
|
||||
|
||||
**Workflow Chaining Depth**: Currently at level 2 of 3 maximum
|
||||
|
||||
- Level 1: `docker-build.yml` (triggered by push/PR/schedule)
|
||||
- Level 2: `supply-chain-verify.yml` (triggered by docker-build)
|
||||
- **Available capacity**: 1 more level of chaining if needed
|
||||
@@ -380,6 +393,7 @@ User triggers workflow_dispatch
|
||||
**Context**: `workflow_run` events execute with the code from the **default branch** (main), not the PR branch.
|
||||
|
||||
**Security Benefits**:
|
||||
|
||||
- ✅ Prevents malicious PRs from modifying verification logic
|
||||
- ✅ Verification runs with trusted, reviewed code
|
||||
- ✅ No privilege escalation possible from PR context
|
||||
@@ -388,6 +402,7 @@ User triggers workflow_dispatch
|
||||
### Permissions Model
|
||||
|
||||
**No changes to permissions**:
|
||||
|
||||
- `contents: read` - Read-only access to repository
|
||||
- `packages: read` - Read-only access to container registry
|
||||
- `id-token: write` - Required for OIDC keyless signing
|
||||
@@ -400,6 +415,7 @@ All permissions follow **principle of least privilege**.
|
||||
### Input Validation
|
||||
|
||||
**Safe Handling of Workflow Run Data**:
|
||||
|
||||
- Branch names validated with bash `[[ ]]` conditionals
|
||||
- JSON parsed with `jq` (prevents injection)
|
||||
- SHA truncated with `cut -c1-7` (safe string operation)
|
||||
@@ -414,30 +430,38 @@ All permissions follow **principle of least privilege**.
|
||||
### Common Issues
|
||||
|
||||
#### Issue: Verification doesn't run after PR creation
|
||||
|
||||
**Diagnosis**: Check if docker-build workflow completed successfully
|
||||
**Resolution**:
|
||||
|
||||
1. View docker-build workflow logs
|
||||
2. Ensure build completed without errors
|
||||
3. Verify image was pushed to registry
|
||||
4. Check workflow_run trigger conditions
|
||||
|
||||
#### Issue: Wrong image tag used
|
||||
|
||||
**Diagnosis**: Tag determination logic may need adjustment
|
||||
**Resolution**:
|
||||
|
||||
1. Check "Debug Workflow Run Context" step output
|
||||
2. Verify branch name matches expected pattern
|
||||
3. Update tag determination logic if needed
|
||||
|
||||
#### Issue: PR comment not posted
|
||||
|
||||
**Diagnosis**: PR number extraction may have failed
|
||||
**Resolution**:
|
||||
|
||||
1. Check workflow_run context has pull_requests array
|
||||
2. Verify PR number extraction logic
|
||||
3. Check pull-requests permission is granted
|
||||
|
||||
#### Issue: Workflow skipped even though image exists
|
||||
|
||||
**Diagnosis**: Workflow conclusion check may be failing
|
||||
**Resolution**:
|
||||
|
||||
1. Verify docker-build workflow conclusion is 'success'
|
||||
2. Check job-level conditional logic
|
||||
3. Review workflow_run event payload
|
||||
@@ -447,16 +471,19 @@ All permissions follow **principle of least privilege**.
|
||||
## References
|
||||
|
||||
### Documentation
|
||||
|
||||
- [GitHub Actions: workflow_run Event](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run)
|
||||
- [GitHub Actions: Contexts](https://docs.github.com/en/actions/learn-github-actions/contexts)
|
||||
- [GitHub Actions: Security Hardening](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions)
|
||||
|
||||
### Related Documentation
|
||||
|
||||
- [Grype SBOM Remediation](./GRYPE_SBOM_REMEDIATION.md)
|
||||
- [QA Report: Workflow Orchestration](../reports/qa_report_workflow_orchestration.md)
|
||||
- [Archived Plan](../plans/archive/workflow_orchestration_fix_2026-01-11.md)
|
||||
|
||||
### Workflow Files
|
||||
|
||||
- [supply-chain-verify.yml](../../.github/workflows/supply-chain-verify.yml)
|
||||
- [docker-build.yml](../../.github/workflows/docker-build.yml)
|
||||
|
||||
@@ -476,14 +503,17 @@ All permissions follow **principle of least privilege**.
|
||||
### Key Performance Indicators
|
||||
|
||||
**Workflow Reliability**:
|
||||
|
||||
- Before: ~50% of PR verifications skipped (image not found)
|
||||
- After: Expected 100% of PR verifications complete successfully
|
||||
|
||||
**Time to Feedback**:
|
||||
|
||||
- PR workflows: Add ~5-10 minutes (docker-build time) before verification starts
|
||||
- This is acceptable as sequential execution is intentional
|
||||
|
||||
**Workflow Complexity**:
|
||||
|
||||
- Maintained: No increase in complexity
|
||||
- Improved: Clear dependency chain
|
||||
|
||||
@@ -522,6 +552,7 @@ All permissions follow **principle of least privilege**.
|
||||
### [2026-01-11] - Workflow Orchestration Fix
|
||||
|
||||
**Added**:
|
||||
|
||||
- `workflow_run` trigger for automatic chaining after docker-build
|
||||
- Workflow success filter to verify only successful builds
|
||||
- Tag determination logic for workflow_run events
|
||||
@@ -529,14 +560,17 @@ All permissions follow **principle of least privilege**.
|
||||
- Debug logging for workflow_run validation
|
||||
|
||||
**Changed**:
|
||||
|
||||
- Removed `pull_request` trigger (now uses workflow_run)
|
||||
- Updated conditional logic for job execution
|
||||
- Enhanced tag determination with workflow_run support
|
||||
|
||||
**Removed**:
|
||||
|
||||
- Direct `pull_request` trigger (replaced with workflow_run)
|
||||
|
||||
**Security**:
|
||||
|
||||
- No changes to permissions model
|
||||
- Follows GitHub security best practices for workflow chaining
|
||||
|
||||
|
||||
Reference in New Issue
Block a user