Avoid same cache key overwrite issues when saving cache on multiple i…

…nvocations Dont save grype db cache when already cache is up-to-date
Kong · Aug 22, 2024 · 20348b7 · 20348b7
1 parent 9570979
commit 20348b7
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 10 deletions.
diff --git a/.github/workflows/docker-image-scan.yml b/.github/workflows/docker-image-scan.yml
@@ -72,7 +72,6 @@ jobs:
         asset_prefix: test.kong-gateway-dev-linux-arm64
         image: ${{env.IMAGE}}@${{ steps.image_manifest_metadata.outputs.arm64_sha }}
         upload-sbom-release-assets: true
-        force_grype_db_update: true ## Explicitly skip db cache when available
 
   test-download-sbom:
     if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}

diff --git a/security-actions/sca/action.yml b/security-actions/sca/action.yml
@@ -123,7 +123,7 @@ runs:
 
     # Check for any existing cache to reuse
     - name: Grype DB Cache
-      id: grype_db
+      id: grype_db_cache
       if: ${{ inputs.force_grype_db_update != 'true' }}
       uses: actions/cache@v4
       with:
@@ -141,7 +141,7 @@ runs:
 
     ## Edgecase: Grype DB will never update if stale cache is found
     - name: Grype DB Check Updates
-      id: grype_db_check_updates
+      id: grype_db
       shell: bash
       run: |
         db_check_status=0
@@ -165,22 +165,25 @@ runs:
             exit ${FAIL_BUILD}
           elif [[ $FAIL_BUILD -eq 0 ]]; then
             echo "::warning ::${GRYPE_DB_UPDATE_MSG}"
-            echo "GRYPE_DB_UPDATE_STATUS=${db_update_status}" >> $GITHUB_OUTPUT 
           fi
          else
           echo "::notice :: Grype DB is updated succesfully"
         fi
         echo "::endgroup::"
 
+        echo "GRYPE_DB_CHECK_UPDATE_STATUS=${db_check_status}" >> $GITHUB_OUTPUT
         echo "GRYPE_DB_UPDATE_STATUS=${db_update_status}" >> $GITHUB_OUTPUT
       env:
         FAIL_BUILD: ${{ (steps.meta.outputs.global_enforce_build_failure == 'true' || inputs.fail_build == 'true') && '1' || '0' }}
         GRYPE_DB_UPDATE_AVAILABLE_TIMEOUT: 30s # timeout to fetch listing.json to check if db download is needed
         GRYPE_DB_UPDATE_DOWNLOAD_TIMEOUT: 600s # timeout for actual db download if needed
         FORCE_GRYPE_DB_UPDATE: ${{ inputs.force_grype_db_update }}
 
+    # Save cache when db update is available (i.e drift) and update is successful
+    # Condition helps When this action is invoked more than once in the same workflow
+    # Example: first workflow saves cache if updates available and second retries to save again even when latest updated cache is available and fails
     - name: Update Cache / Save Grype DB updates
-      if: ${{ steps.grype_db_check_updates.outputs.GRYPE_DB_UPDATE_STATUS == 0 }}
+      if: ${{ steps.grype_db.outputs.GRYPE_DB_CHECK_UPDATE_STATUS != 0 && steps.grype_db.outputs.GRYPE_DB_UPDATE_STATUS }}
       id: save_grype_db_cache_updates
       uses: actions/cache/save@v4
       with:

diff --git a/security-actions/scan-docker-image/action.yml b/security-actions/scan-docker-image/action.yml
@@ -127,7 +127,7 @@ runs:
 
     # Check for any existing cache to reuse
     - name: Grype DB Cache
-      id: grype_db
+      id: grype_db_cache
       if: ${{ inputs.force_grype_db_update != 'true' }}
       uses: actions/cache@v4
       with:
@@ -146,7 +146,7 @@ runs:
     ## Edgecase: Grype DB will never update if stale cache is found
     - name: Grype DB Check Updates
       #if: ${{ steps.cache_grype_db.outputs.cache-hit != 'true' }}
-      id: grype_db_check_updates
+      id: grype_db
       shell: bash
       run: |
         db_check_status=0
@@ -170,22 +170,25 @@ runs:
             exit ${FAIL_BUILD}
           elif [[ $FAIL_BUILD -eq 0 ]]; then
             echo "::warning ::${GRYPE_DB_UPDATE_MSG}"
-            echo "GRYPE_DB_UPDATE_STATUS=${db_update_status}" >> $GITHUB_OUTPUT 
           fi
         else
           echo "::notice :: Grype DB is updated succesfully"
         fi
         echo "::endgroup::"
-
+        
+        echo "GRYPE_DB_CHECK_UPDATE_STATUS=${db_check_status}" >> $GITHUB_OUTPUT
         echo "GRYPE_DB_UPDATE_STATUS=${db_update_status}" >> $GITHUB_OUTPUT
       env:
         FAIL_BUILD: ${{ (steps.meta.outputs.global_enforce_build_failure == 'true' || inputs.fail_build == 'true') && '1' || '0' }}
         GRYPE_DB_UPDATE_AVAILABLE_TIMEOUT: 30s # timeout to fetch listing.json to check if db download is needed
         GRYPE_DB_UPDATE_DOWNLOAD_TIMEOUT: 600s # timeout for actual db download if needed
         FORCE_GRYPE_DB_UPDATE: ${{ inputs.force_grype_db_update }} 
 
+    # Save cache when db update is available (i.e drift) and update is successful
+    # Condition helps When this action is invoked more than once in the same workflow
+    # Example: first workflow saves cache if updates available and second retries to save again even when latest updated cache is available and fails
     - name: Update Cache / Save Grype DB updates
-      if: ${{ steps.grype_db_check_updates.outputs.GRYPE_DB_UPDATE_STATUS == 0 }}
+      if: ${{ steps.grype_db.outputs.GRYPE_DB_CHECK_UPDATE_STATUS != 0 && steps.grype_db.outputs.GRYPE_DB_UPDATE_STATUS }}
       id: save_grype_db_cache_updates
       uses: actions/cache/save@v4
       with: