ci: scheduled check postgres needs rebuild [skip ci] #887
📝 Walkthrough

This PR introduces automated Postgres image remediation: a GitHub Actions workflow that periodically scans the published Postgres container for vulnerabilities using Trivy, rebuilds the image, compares CVE counts, and automatically creates pull requests to update a rebuild trigger marker when vulnerabilities are reduced.

Changes: Automated Postgres CVE Remediation

Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~12 minutes
🚥 Pre-merge checks | ✅ 4 | ❌ 1
❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
e3d2274 to 6641eae
Actionable comments posted: 5
🧹 Nitpick comments (1)
.github/workflows/rebuild-postgres.yaml (1)
Line 73: 💤 Low value: Consider simplifying the dry run condition.
The condition !(inputs.dry_run || false) is correct but slightly verbose. GitHub Actions treats undefined inputs as falsy in boolean context, so you can simplify to !inputs.dry_run. However, the current form is defensively explicit and may be clearer to readers unfamiliar with GitHub Actions' null-handling semantics.
♻️ Alternative (optional)
- if: needs.check.outputs.rebuild_fixes_cves == 'true' && !(inputs.dry_run || false)
+ if: needs.check.outputs.rebuild_fixes_cves == 'true' && !inputs.dry_run
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/rebuild-postgres.yaml at line 73, the workflow IF condition is overly verbose: replace the expression "!(inputs.dry_run || false)" with the simpler "!inputs.dry_run" in the conditional that currently reads "if: needs.check.outputs.rebuild_fixes_cves == 'true' && !(inputs.dry_run || false)"; update that line so the condition uses needs.check.outputs.rebuild_fixes_cves == 'true' && !inputs.dry_run to be clearer while preserving the same boolean behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/rebuild-postgres.yaml:
- Line 29: Add the missing persist-credentials: false setting to both actions/checkout@v6 steps so the GITHUB_TOKEN is not persisted into .git/config; locate the two steps that use "uses: actions/checkout@v6" in the workflow and add persist-credentials: false under each checkout step (keeping any existing with: or other keys intact) to prevent token leakage via artifacts or caches.
- Around line 58-69: The current Compare CVE counts step only totals vulnerability counts (variables published_cves and rebuilt_cves) and can mislabel regressions; update the logic to be severity-aware by parsing published-scan.json and rebuilt-scan.json to compute either a weighted severity score (e.g., weight CRITICAL>HIGH>MEDIUM) or compare counts per severity (CRITICAL, HIGH, MEDIUM) instead of a single sum, then set the GITHUB_OUTPUT rebuild_fixes_cves based on the severity-aware comparison; look for the Compare CVE counts step and replace the jq expressions that calculate published_cves and rebuilt_cves with jq that aggregates by .Severity (or computes a weighted total) and adjust the conditional to prefer fewer/milder high-severity findings.
- Around line 31-56: The workflow allows Trivy failures because both "Scan published image" and "Scan rebuilt image" steps use continue-on-error: true, and the comparison logic reads published-scan.json and rebuilt-scan.json (using jq fallbacks) which lets a failed scan be treated as zero CVEs; fix this by explicitly detecting scan failures or missing/invalid JSON before doing the comparison: remove or conditionally override continue-on-error for those Trivy steps (or add a subsequent validation step that checks that published-scan.json and rebuilt-scan.json exist and are valid JSON and contain the expected fields), and if either scan failed, fail the job or skip PR creation with a clear message rather than proceeding with the jq fallback comparison that assumes 0 CVEs. Ensure the check references the step names "Scan published image" and "Scan rebuilt image" and the output files published-scan.json and rebuilt-scan.json so the comparison only runs when both scans succeeded and produced valid results.
- Around line 6-8: Remove the push trigger targeting the feature branch so the workflow no longer runs on pushes to add_cve_workflow: delete the push: branches: - add_cve_workflow block from the .github/workflows/rebuild-postgres.yaml file so only the scheduled/manual triggers remain.
- Around line 24-25: The check job is missing an explicit permissions block; update the job definition named "check" to include a minimal permissions section by adding permissions: contents: read so the job only has read access to repository contents and no broader default permissions.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: a717a313-955c-440a-9586-1b8c2e570eb4
📒 Files selected for processing (2)
- .github/workflows/rebuild-postgres.yaml
- postgres/rebuild-trigger
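The two substantive findings above (a total CVE count can mislabel a regression, and a failed Trivy scan must not be read as zero CVEs) are illustrated by the following comparison step. It is an added example, not the workflow from this PR and not CodeRabbit's suggested jq; it assumes Trivy's JSON report shape (a top-level SchemaVersion and Results[].Vulnerabilities[].Severity), the file names published-scan.json and rebuilt-scan.json from the thread, and a lexicographic ordering (CRITICAL, then HIGH, then MEDIUM) as the severity-aware rule, which is one of the two options the comment offers. The sample reports inside demo() are constructed.

```python
# Added example: severity-aware comparison of two Trivy JSON reports with
# explicit scan-failure detection. Not the PR's workflow; assumes Trivy's
# report shape {"SchemaVersion": 2, "Results": [{"Vulnerabilities": [...]}]}.
import json
import os
import sys
import tempfile
from pathlib import Path

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")
RANKED = ("CRITICAL", "HIGH", "MEDIUM")  # buckets that decide the comparison


class ScanError(Exception):
    """A scan output is missing, unparsable, or not a Trivy report."""


def load_scan(path):
    """Load a Trivy JSON report, refusing to treat a failed scan as 'zero CVEs'."""
    p = Path(path)
    if not p.is_file():
        raise ScanError(f"{path}: scan output missing (did the Trivy step fail?)")
    try:
        report = json.loads(p.read_text(encoding="utf-8"))
    except json.JSONDecodeError as exc:
        raise ScanError(f"{path}: not valid JSON ({exc})") from exc
    # A clean scan may omit Results entirely, but a real report always carries
    # SchemaVersion; an arbitrary JSON document (e.g. an error body) does not.
    if not isinstance(report, dict) or "SchemaVersion" not in report:
        raise ScanError(f"{path}: no SchemaVersion field; not a Trivy report")
    if report.get("Results") is not None and not isinstance(report["Results"], list):
        raise ScanError(f"{path}: Results is not an array")
    return report


def count_by_severity(report):
    """Per-severity finding counts; unknown labels fall into the UNKNOWN bucket."""
    counts = dict.fromkeys(SEVERITIES, 0)
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            sev = str(vuln.get("Severity", "UNKNOWN")).upper()
            counts[sev if sev in counts else "UNKNOWN"] += 1
    return counts


def severity_key(counts):
    """Lexicographic key: CRITICAL count first, then HIGH, then MEDIUM."""
    return tuple(counts[s] for s in RANKED)


def rebuild_fixes_cves(published, rebuilt):
    """True only if the rebuilt image is strictly better on the ranked buckets."""
    return severity_key(count_by_severity(rebuilt)) < severity_key(count_by_severity(published))


def compare_scans(published_path, rebuilt_path):
    """Load both reports; a scan failure is reported as such, never as 0 CVEs."""
    try:
        published = load_scan(published_path)
        rebuilt = load_scan(rebuilt_path)
    except ScanError as exc:
        return {"status": "scan_failed", "reason": str(exc), "rebuild_fixes_cves": False}
    fixes = rebuild_fixes_cves(published, rebuilt)
    return {
        "status": "improved" if fixes else "no_improvement",
        "published": count_by_severity(published),
        "rebuilt": count_by_severity(rebuilt),
        "rebuild_fixes_cves": fixes,
    }


def write_github_output(result):
    """Append step outputs for later jobs; a no-op outside GitHub Actions."""
    out = os.environ.get("GITHUB_OUTPUT")
    if out:
        with open(out, "a", encoding="utf-8") as fh:
            fh.write(f"rebuild_fixes_cves={str(result['rebuild_fixes_cves']).lower()}\n")
            fh.write(f"scan_status={result['status']}\n")


def _vuln(severity):
    # Constructed placeholder finding; the ID is not a real CVE.
    return {"VulnerabilityID": "CVE-0000-00000", "Severity": severity}


def demo():
    """Constructed reports where a plain total says 'improved' (5 -> 1) but the
    rebuilt image actually swaps five MEDIUM findings for one CRITICAL one."""
    published = {"SchemaVersion": 2, "Results": [{"Vulnerabilities": [_vuln("MEDIUM")] * 5}]}
    rebuilt = {"SchemaVersion": 2, "Results": [{"Vulnerabilities": [_vuln("CRITICAL")]}]}
    with tempfile.TemporaryDirectory() as tmp:
        pub, reb, bad = (Path(tmp) / n for n in ("published-scan.json", "rebuilt-scan.json", "broken.json"))
        pub.write_text(json.dumps(published), encoding="utf-8")
        reb.write_text(json.dumps(rebuilt), encoding="utf-8")
        bad.write_text("{not json", encoding="utf-8")  # simulates a Trivy step that died mid-write
        naive = sum(count_by_severity(rebuilt).values()) < sum(count_by_severity(published).values())
        return {
            "naive_total_says_improved": naive,
            "severity_aware": compare_scans(pub, reb),
            "broken_scan": compare_scans(pub, bad),
            "missing_scan": compare_scans(pub, Path(tmp) / "absent.json"),
        }


if __name__ == "__main__":
    if len(sys.argv) == 3:  # python3 compare_scans.py published-scan.json rebuilt-scan.json
        result = compare_scans(sys.argv[1], sys.argv[2])
        write_github_output(result)
        print(json.dumps(result, indent=2))
        sys.exit(2 if result["status"] == "scan_failed" else 0)
    print(json.dumps(demo(), indent=2))
```

Run as a workflow step after both Trivy steps, the script exits non-zero when either report is missing or malformed, so the job fails instead of silently opening a rebuild PR, and a downstream step can gate on scan_status as well as rebuild_fixes_cves. Keeping continue-on-error on the Trivy steps is then tolerable only because this step re-checks their output explicitly.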
Adds a daily GitHub Actions workflow that:
1. Scans the published cortex-postgres image for fixable CVEs
2. Builds a fresh image to verify the rebuild reduces CVEs
3. Opens a PR to trigger a rebuild only if confirmed
Also adds postgres/rebuild-trigger as the bump file.
6641eae to 2ef2caf
Test Coverage Report 📊: 69.7%