From a2ce07dc15b65c9fa27ecbbe7a9566c84542b554 Mon Sep 17 00:00:00 2001
From: "kai [they]"
Date: Mon, 2 Dec 2024 10:11:18 -0800
Subject: [PATCH] [no ticket] re-order vuln scans (#3037)
### Time to review: __1 mins__ ## Changes proposed Changes the grype vuln scan that outputs to stdout to run last ## Context for reviewers Right now, Github Actions expands the last failing action within a PR: image The UX of this is poor, because second the anchor/grype scan action doesn't output anything to stdout. With this change, the action that outputs to stdout will run second, so you should get a better experience when you click into the actions run for a failing PR.
---
 .github/workflows/vulnerability-scans.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/vulnerability-scans.yml b/.github/workflows/vulnerability-scans.yml
index 2f2321754..40f15b209 100644
--- a/.github/workflows/vulnerability-scans.yml
+++ b/.github/workflows/vulnerability-scans.yml
@@ -191,24 +191,25 @@ jobs:
 docker load < /tmp/docker-image.tar
 
 - name: Run Anchore vulnerability scan
+ if: always() # Runs even if there is a failure
 uses: anchore/scan-action@v4
+ id: anchore-scan-json
 with:
 image: ${{ needs.build-and-cache.outputs.image }}
- output-format: table
+ output-format: json
 fail-build: true
 severity-cutoff: medium
 
 - name: Run Anchore vulnerability scan
 if: always() # Runs even if there is a failure
 uses: anchore/scan-action@v4
- id: anchore-scan-json
 with:
 image: ${{ needs.build-and-cache.outputs.image }}
- output-format: json
+ output-format: table
 fail-build: true
 severity-cutoff: medium
 
- - name: Save output to workflow summary
+ - name: Print output to workflow summary
 if: always() # Runs even if there is a failure
 run: |
 jq '.matches | map(.artifact | { name, version, location: .locations[0].path })' ${{ steps.anchore-scan-json.outputs.json }}
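Review bot: The `if: always()` added to the first (JSON) scan step also runs it when the job has been cancelled or when the preceding `docker load` step failed, so a failed image load would most likely surface as a scan error against a missing image rather than as the real cause; `if: ${{ !cancelled() }}` keeps the run-after-failure intent without running on cancellation, or leaving the first scan on the default `success()` condition would make the upstream failure the step the Actions UI expands. Both scan steps still carry the identical name `Run Anchore vulnerability scan`, which matters here because the whole change is about which step the UI expands; distinct names such as `Run Anchore vulnerability scan (JSON)` and `Run Anchore vulnerability scan (table)` would make the expanded step identifiable at a glance. Placing `id: anchore-scan-json` before `uses:` would match the usual step-key order. Both scans pin `anchore/scan-action@v4` by a moving major tag, which predates this change; pinning to a full commit SHA with the tag noted in a trailing comment would close off tag retargeting for a step that runs with `fail-build: true` on every PR.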