Continue the Trivy workflow when its data download fails

cbandy · cbandy · commit bd4a91e53243 · 2024-11-16T23:30:49.000-06:00
Later steps will use data from the action cache and ignore its age.
The workflow fails when the download fails and the cache is empty.

Issue: PGO-1893
diff --git a/.github/actions/trivy/action.yaml b/.github/actions/trivy/action.yaml
@@ -13,6 +13,11 @@ inputs:
     description: >-
       What Trivy data to cache; one or more of restore, save, success, or use.
 
+  database:
+    default: update
+    description: >-
+      How Trivy should handle its data; one of update or skip.
+
   setup:
     default: v0.57.0,cache
     description: >-
@@ -67,6 +72,9 @@ runs:
       env:
         TRIVY_CACHE_DIR: >-
           ${{ contains(fromJSON(steps.parsed.outputs.cache), 'use') && inputs.cache-directory || '' }}
+        TRIVY_SKIP_CHECK_UPDATE: ${{ inputs.database == 'skip' }}
+        TRIVY_SKIP_DB_UPDATE: ${{ inputs.database == 'skip' }}
+        TRIVY_SKIP_JAVA_DB_UPDATE: ${{ inputs.database == 'skip' }}
       run: |
         # Run Trivy
         trivy '${{ inputs.scan-type }}' '${{ inputs.scan-target }}' || result=$?
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
@@ -16,6 +16,8 @@ jobs:
   cache:
     # Run only one of these jobs at a time across the entire project.
     concurrency: { group: trivy-cache }
+    # Do not fail this workflow when this job fails.
+    continue-on-error: true
 
     runs-on: ubuntu-latest
     steps:
@@ -29,7 +31,11 @@ jobs:
           TRIVY_SCANNERS: license,secret,vuln
 
   licenses:
+    # Run this job after the cache job regardless of its success or failure.
     needs: [cache]
+    if: >-
+      ${{ !cancelled() }}
+
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -48,13 +54,16 @@ jobs:
           TRIVY_SCANNERS: license
         with:
           cache: restore,use
+          database: skip
 
   vulnerabilities:
-    if: ${{ github.repository == 'CrunchyData/postgres-operator' }}
+    # Run this job after the cache job regardless of its success or failure.
+    needs: [cache]
+    if: >-
+      ${{ github.repository == 'CrunchyData/postgres-operator' && !cancelled() }}
     permissions:
       security-events: write
 
-    needs: [cache]
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -68,6 +77,7 @@ jobs:
           TRIVY_SCANNERS: secret,vuln
         with:
           cache: restore,use
+          database: skip
 
       # Produce a SARIF report of actionable results. This step fails only when
       # Trivy is unable to scan.
@@ -80,6 +90,7 @@ jobs:
           TRIVY_SCANNERS: secret,vuln
         with:
           cache: use
+          database: skip
           setup: none
 
       # Submit the SARIF report to GitHub code scanning. Pull requests checks
