Snyk Security workflow enhancements

Author: ChristianZaccaria

.github/workflows/release.yaml

@@ -88,31 +88,20 @@ jobs:
                 GITHUB_TOKEN: ${{ secrets.CODEFLARE_MACHINE_ACCOUNT_TOKEN }}
               shell: bash
 
-            - name: Append tag to Snyk monitoring list
+            - name: Install Snyk CLI and setup monitoring for new release tag
+              env:
+                SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+                SNYK_ORG: ${{ secrets.SNYK_ORG }}
               run: |
-                sed -i 's/list_of_released_tags=(/list_of_released_tags=("v${{ github.event.inputs.release-version }}", /' .github/workflows/snyk-security.yaml
+                echo "Installing Snyk CLI"
+                npm install -g snyk
 
-            - name: Commit and push changes
-              run: |
-                git config --global user.email "${{ vars.CODEFLARE_MACHINE_EMAIL }}"
-                git config --global user.name "${{ vars.CODEFLARE_MACHINE_NAME }}"
-                git checkout -b $PR_BRANCH_NAME
-                git commit -am "Update snyk-security.yaml"
-                git push --set-upstream origin "$PR_BRANCH_NAME"
+                echo "Fetching tags"
+                git fetch origin 'refs/tags/*:refs/tags/*'
 
-            - name: Create Pull Request
-              run: |
-                  gh pr create \
-                  --title "$pr_title" \
-                  --body "$pr_body" \
-                  --head ${{ env.PR_BRANCH_NAME }} \
-                  --base main \
-                  --label "lgtm" \
-                  --label "approved"
-              env:
-                GITHUB_TOKEN: ${{ secrets.GH_CLI_TOKEN }}
-                pr_title: "[CodeFlare-Machine] Append tag v${{ github.event.inputs.release-version }} to Snyk monitoring list"
-                pr_body: |
-                  :rocket: This is an automated Pull Request generated by [release.yaml](https://github.com/project-codeflare/codeflare-sdk/blob/main/.github/workflows/release.yaml) workflow.
+                echo "Authenticating with Snyk"
+                snyk auth ${SNYK_TOKEN}
 
-                  This PR appends to the list of tags that Snyk will be monitoring.
+                echo "Scanning project: codeflare-sdk/v${{ github.event.inputs.release-version }}"
+                git checkout v${{ github.event.inputs.release-version }}
+                snyk monitor --all-projects --exclude=requirements.txt --org=${SNYK_ORG} --target-reference="$(git describe --tags)"

.github/workflows/snyk-security.yaml

@@ -11,12 +11,6 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
-      - name: Setup Node.js to cache dependencies
-        uses: actions/setup-node@v4
-        with:
-          node-version: 20
-          cache: 'npm'
-
       - name: Install Snyk CLI
         run: npm install -g snyk
 
@@ -33,13 +27,3 @@ jobs:
 
           echo "Scanning project: codeflare-sdk/main"
           snyk monitor --all-projects --exclude=requirements.txt --org=${SNYK_ORG} --target-reference="main"
-
-          # This list is based off RHOAI Supported versions: https://access.redhat.com/support/policy/updates/rhoai-sm/lifecycle
-          # Compared to the tags in the ImageStream annotations: https://github.com/red-hat-data-services/notebooks/blob/rhoai-2.8/manifests/base/jupyter-datascience-notebook-imagestream.yaml
-          # Loop through the list of released tags and scan each project
-          list_of_released_tags=("v0.22.0" "v0.21.1" "v0.19.1", "v0.16.4", "vv0.14.1")
-          for project in "${list_of_released_tags[@]}"; do
-            echo "Scanning project: codeflare-sdk/$project"
-            git checkout $project
-            snyk monitor --all-projects --exclude=requirements.txt --org=${SNYK_ORG} --target-reference="$(git describe --tags)"
-          done