ci: add missing charms to the Scan images workflow (#1116)

Adding resource-dispatcher and namespace-node-affinity to the list of images to be scanned. While they do not necessarily belong to the bundle, they have to be scanned as part of the team's vulnerability response. Fixes #1084
canonical · Oct 17, 2024 · 05f3f1a · 05f3f1a
1 parent 72fe7bc
commit 05f3f1a
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/.github/workflows/get-images-and-scan.yaml b/.github/workflows/get-images-and-scan.yaml
@@ -24,7 +24,17 @@ jobs:
     - name: Run get-all-images.py
       run: |
         pip3 install -r scripts/requirements.txt
-        python3 scripts/get_all_images.py releases/${{ inputs.bundle-directory }}/bundle.yaml > /tmp/images_list.txt
+        # The get_all_images.py does not provide a way to include extra repositories to fetch images from.
+        # In order to include the resource-dispatcher and the namespace-node-affinity charms in the scans,
+        # they can be passed using the --append-images argument.
+        if [[ ${{ inputs.bundle-directory }}  == *"1.8"* ]]; then
+          echo 'charmedkubeflow/resource-dispatcher:1.0-22.04' >> /tmp/extra-images.txt
+          echo 'charmedkubeflow/namespace-node-affinity:90dde45ab265af91369d09a377a26034bc453a5d' >> /tmp/extra-images.txt
+        else
+          echo 'charmedkubeflow/resource-dispatcher:2.0-22.04' >> /tmp/extra-images.txt
+          echo 'charmedkubeflow/namespace-node-affinity:2.2.0' >> /tmp/extra-images.txt
+        fi
+        python3 scripts/get_all_images.py releases/${{ inputs.bundle-directory }}/bundle.yaml --append-images /tmp/extra-images.txt > /tmp/images_list.txt
 
     - name: Generate an array of images
       id: set-images-array