|
21 | 21 | artifact: [cloud, operator, vizier] |
22 | 22 | runs-on: oracle-8cpu-32gb-x86-64 |
23 | 23 | needs: get-dev-image |
24 | | - outputs: |
25 | | - matrix: ${{ steps.list-sarifs.outputs.matrix }} |
26 | | - has-sarifs: ${{ steps.list-sarifs.outputs.has-sarifs }} |
27 | 24 | container: |
28 | 25 | image: ${{ needs.get-dev-image.outputs.image-with-tag }} |
29 | 26 | permissions: |
@@ -78,37 +75,59 @@ jobs: |
78 | 75 | name: sarif-${{ matrix.artifact }} |
79 | 76 | path: sarif/ |
80 | 77 | retention-days: 1 |
81 | | - - id: list-sarifs |
| 78 | + |
| 79 | + collect-sarifs: |
| 80 | + # GitHub Actions matrix job outputs cannot be directly used as job outputs |
| 81 | + # because matrix jobs create multiple output values (one per matrix combination). |
| 82 | + # We need a separate job to collect all SARIF files from all artifacts |
| 83 | + # and create a single unified matrix for the upload job. |
| 84 | + needs: generate-sarif |
| 85 | + runs-on: oracle-8cpu-32gb-x86-64 |
| 86 | + outputs: |
| 87 | + matrix: ${{ steps.combine-sarifs.outputs.matrix }} |
| 88 | + has-sarifs: ${{ steps.combine-sarifs.outputs.has-sarifs }} |
| 89 | + steps: |
| 90 | + - name: Download all artifacts |
| 91 | + uses: actions/download-artifact@v4 |
| 92 | + with: |
| 93 | + pattern: sarif-* |
| 94 | + merge-multiple: true |
| 95 | + - id: combine-sarifs |
82 | 96 | run: | |
83 | | - # Use jq to build the matrix JSON dynamically |
84 | | - # --jsonargs passes each SARIF file as a separate input to jq |
85 | | - # For each input file, create an object with file, category, and artifact fields |
86 | | - sarif_files=$(find sarif/${{ matrix.artifact }}/ -name "*.sarif" -type f 2>/dev/null || true) |
| 97 | + # Combine all SARIF files from all artifacts into a single matrix |
| 98 | + all_files=() |
| 99 | + for artifact in cloud operator vizier; do |
| 100 | + if [ -d "sarif/$artifact" ]; then |
| 101 | + for f in sarif/$artifact/*.sarif; do |
| 102 | + if [ -f "$f" ]; then |
| 103 | + all_files+=("$f") |
| 104 | + fi |
| 105 | + done |
| 106 | + fi |
| 107 | + done |
87 | 108 |
|
88 | | - if [ -z "$sarif_files" ]; then |
| 109 | + if [ ${#all_files[@]} -eq 0 ]; then |
89 | 110 | echo "matrix={\"include\":[]}" >> $GITHUB_OUTPUT |
90 | 111 | echo "has-sarifs=false" >> $GITHUB_OUTPUT |
91 | 112 | else |
92 | | - matrix_json=$(jq -n --arg artifact "${{ matrix.artifact }}" ' |
93 | | - { |
94 | | - include: [ |
95 | | - inputs as $f | { |
96 | | - file: $f, |
97 | | - category: ("trivy-images-" + $artifact + "-" + ($f | split("/")[-1] | split(".")[0])), |
98 | | - artifact: ("sarif-" + $artifact) |
99 | | - } |
100 | | - ] |
101 | | - }' --jsonargs $sarif_files | jq -c '.') |
| 113 | + matrix_json=$(printf '%s\n' "${all_files[@]}" | jq -R -s ' |
| 114 | + split("\n") | map(select(length > 0)) | { |
| 115 | + include: map({ |
| 116 | + file: ., |
| 117 | + category: ("trivy-images-" + (split("/")[1]) + "-" + (split("/")[-1] | split(".")[0])), |
| 118 | + artifact: ("sarif-" + (split("/")[1])) |
| 119 | + }) |
| 120 | + }' | jq -c '.') |
102 | 121 |
|
103 | 122 | echo "matrix=$matrix_json" >> $GITHUB_OUTPUT |
104 | 123 | echo "has-sarifs=true" >> $GITHUB_OUTPUT |
105 | 124 | fi |
106 | 125 |
|
107 | 126 | upload-sarif: |
108 | | - needs: generate-sarif |
109 | | - if: needs.generate-sarif.outputs.has-sarifs == 'true' |
| 127 | + needs: collect-sarifs |
| 128 | + if: needs.collect-sarifs.outputs.has-sarifs == 'true' |
110 | 129 | strategy: |
111 | | - matrix: ${{ fromJson(needs.generate-sarif.outputs.matrix) }} |
| 130 | + matrix: ${{ fromJson(needs.collect-sarifs.outputs.matrix) }} |
112 | 131 | runs-on: oracle-8cpu-32gb-x86-64 |
113 | 132 | permissions: |
114 | 133 | actions: read |
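Review bot: The `Download all artifacts` step in `collect-sarifs` sets no `path:`, so the merged artifacts are extracted into the workspace root, while the `combine-sarifs` script only looks under `sarif/$artifact`. If the upload step (its `uses:` line is outside this hunk) stores the contents of `sarif/` at the artifact root, the loop finds nothing, `has-sarifs=false` is written and `upload-sarif` is skipped, so scan findings silently stop reaching code scanning. Adding `path: sarif` under `with:` and echoing `${#all_files[@]}` before the empty check would make that failure visible. The new job also has no `permissions:` block, unlike the jobs around it, so it inherits the workflow default token scope unless that is restricted at the top of the file. `actions/download-artifact@v4` is a mutable tag; pinning it to a full commit SHA with the version in a trailing comment would fix the code this job runs.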
|