Continue the Trivy workflow when its data download fails

cbandy · cbandy · commit 0121f86efce0 · 2024-11-16T22:57:33.000-06:00
Later steps will use data from the action cache and ignore its age.
The workflow fails when the download fails and the cache is empty.

Issue: PGO-1893
diff --git a/.github/actions/trivy/action.yaml b/.github/actions/trivy/action.yaml
@@ -13,6 +13,11 @@ inputs:
     description: >-
       What Trivy data to cache; one or more of restore, save, success, or use.
 
+  database:
+    default: update
+    description: >-
+      How Trivy should handle its data; one of update, only, or skip.
+
   setup:
     default: v0.57.0,cache
     description: >-
@@ -67,6 +72,11 @@ runs:
       env:
         TRIVY_CACHE_DIR: >-
           ${{ contains(fromJSON(steps.parsed.outputs.cache), 'use') && inputs.cache-directory || '' }}
+        TRIVY_DB_DOWNLOAD_ONLY: ${{ inputs.database == 'only' }}
+        TRIVY_DB_SKIP_UPDATE: ${{ inputs.database == 'skip' }}
+        TRIVY_DB_DOWNLOAD_JAVA_ONLY: ${{ inputs.database == 'only' }}
+        TRIVY_DB_JAVA_SKIP_UPDATE: ${{ inputs.database == 'skip' }}
+        TRIVY_REGO_SKIP_CHECK_UPDATE: ${{ inputs.database == 'skip' }}
       run: |
         # Run Trivy
         trivy '${{ inputs.scan-type }}' '${{ inputs.scan-target }}' || result=$?
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
@@ -16,18 +16,25 @@ jobs:
   cache:
     # Run only one of these jobs at a time across the entire project.
     concurrency: { group: trivy-cache }
+    # Do not fail this workflow when this job fails.
+    continue-on-error: true
 
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - uses: ./.github/actions/trivy
         env:
-          TRIVY_DB_DOWNLOAD_ONLY: true
           TRIVY_DB_NO_PROGRESS: true
           TRIVY_SCANNERS: license,secret,vuln
+        with:
+          database: only
 
   licenses:
+    # Run this job after the cache job regardless of its success or failure.
     needs: [cache]
+    if: >-
+      ${{ !cancelled() }}
+
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -46,13 +53,16 @@ jobs:
           TRIVY_SCANNERS: license
         with:
           cache: restore,use
+          database: skip
 
   vulnerabilities:
-    if: ${{ github.repository == 'CrunchyData/postgres-operator' }}
+    # Run this job after the cache job regardless of its success or failure.
+    needs: [cache]
+    if: >-
+      ${{ github.repository == 'CrunchyData/postgres-operator' && !cancelled() }}
     permissions:
       security-events: write
 
-    needs: [cache]
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -66,6 +76,7 @@ jobs:
           TRIVY_SCANNERS: secret,vuln
         with:
           cache: restore,use
+          database: skip
 
       # Produce a SARIF report of actionable results. This step fails only when
       # Trivy is unable to scan.
@@ -78,6 +89,7 @@ jobs:
           TRIVY_SCANNERS: secret,vuln
         with:
           cache: use
+          database: skip
           setup: none
 
       # Submit the SARIF report to GitHub code scanning. Pull requests checks
