From bd4a91e5324337b2dcae09f298aeb490bdad25a1 Mon Sep 17 00:00:00 2001
From: Chris Bandy
Date: Sat, 16 Nov 2024 22:37:39 -0600
Subject: [PATCH] Continue the Trivy workflow when its data download fails

Later steps will use data from the action cache and ignore its age.
The workflow fails when the download fails and the cache is empty.

Issue: PGO-1893
---
 .github/actions/trivy/action.yaml |  8 ++++++++
 .github/workflows/trivy.yaml      | 15 +++++++++++++--
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/.github/actions/trivy/action.yaml b/.github/actions/trivy/action.yaml
index 6b511c3bb..b69206248 100644
--- a/.github/actions/trivy/action.yaml
+++ b/.github/actions/trivy/action.yaml
@@ -13,6 +13,11 @@ inputs:
     description: >-
       What Trivy data to cache; one or more of restore, save, success, or use.
 
+  database:
+    default: update
+    description: >-
+      How Trivy should handle its data; one of update or skip.
+
   setup:
     default: v0.57.0,cache
     description: >-
@@ -67,6 +72,9 @@ runs:
       env:
         TRIVY_CACHE_DIR: >-
           ${{ contains(fromJSON(steps.parsed.outputs.cache), 'use') && inputs.cache-directory || '' }}
+        TRIVY_SKIP_CHECK_UPDATE: ${{ inputs.database == 'skip' }}
+        TRIVY_SKIP_DB_UPDATE: ${{ inputs.database == 'skip' }}
+        TRIVY_SKIP_JAVA_DB_UPDATE: ${{ inputs.database == 'skip' }}
       run: |
         # Run Trivy
         trivy '${{ inputs.scan-type }}' '${{ inputs.scan-target }}' || result=$?
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
index a8447ee87..d338563b4 100644
--- a/.github/workflows/trivy.yaml
+++ b/.github/workflows/trivy.yaml
@@ -16,6 +16,8 @@ jobs:
   cache:
     # Run only one of these jobs at a time across the entire project.
     concurrency: { group: trivy-cache }
+    # Do not fail this workflow when this job fails.
+    continue-on-error: true
     runs-on: ubuntu-latest
     steps:
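Review bot: `inputs.database` is compared only against the literal `skip` in the three `TRIVY_SKIP_*` lines, so any other value (`Skip`, `none`, a typo) silently behaves as `update`, while the description added in the first hunk of this file promises "one of update or skip". A guard at the top of the `run` script would make that contract real, e.g. `case '${{ inputs.database }}' in update|skip) ;; *) echo '::error::database must be update or skip'; exit 1 ;; esac`. With `skip` the run log also no longer shows a download, so nothing tells a reader how old the data behind a scan result is; printing the database metadata before the scan (as far as I recall `trivy --version` reports the DB UpdatedAt when TRIVY_CACHE_DIR is set) would keep that visible. The `run` script continues outside the hunk.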
@@ -29,7 +31,11 @@ jobs:
           TRIVY_SCANNERS: license,secret,vuln
 
   licenses:
+    # Run this job after the cache job regardless of its success or failure.
     needs: [cache]
+    if: >-
+      ${{ !cancelled() }}
+
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -48,13 +54,16 @@ jobs:
           TRIVY_SCANNERS: license
         with:
           cache: restore,use
+          database: skip
 
   vulnerabilities:
-    if: ${{ github.repository == 'CrunchyData/postgres-operator' }}
+    # Run this job after the cache job regardless of its success or failure.
+    needs: [cache]
+    if: >-
+      ${{ github.repository == 'CrunchyData/postgres-operator' && !cancelled() }}
     permissions:
       security-events: write
-    needs: [cache]
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -68,6 +77,7 @@ jobs:
           TRIVY_SCANNERS: secret,vuln
         with:
           cache: restore,use
+          database: skip
 
       # Produce a SARIF report of actionable results. This step fails only when
       # Trivy is unable to scan.
@@ -80,6 +90,7 @@ jobs:
           TRIVY_SCANNERS: secret,vuln
         with:
           cache: use
+          database: skip
           setup: none
 
       # Submit the SARIF report to GitHub code scanning. Pull requests checks
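Review bot: The `!cancelled()` guard in the `if` added to `licenses` lets the job run after the cache job fails, but the empty-cache case named in the commit message only moves: with `database: skip` (here and in the `vulnerabilities` hunks below) Trivy is, as far as I recall, unable to run when no database is present in the restored cache, so the first run after a download failure still fails, now in the scan jobs. If that is accepted, a comment on the `database: skip` lines saying so would save the next reader the same question; otherwise the scan steps need a fallback to `update` when the restore found nothing. Whether the job-level `continue-on-error: true` on `cache` already reports it as succeeded to dependents I cannot confirm from here; if it does, `!cancelled()` is redundant but harmless. As a point of style, `if: >-` followed by `${{ !cancelled() }}` fits on one line as `if: ${{ !cancelled() }}`; the folded form is only needed for the longer expression in `vulnerabilities`.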