
[isar-cip-core,v2,3/3] .gitlab-ci.yml: Run cve-checks job only when it is manually triggered in the pipeline

Message ID 20240118175942.1052089-4-Sai.Sathujoda@toshiba-tsip.com (mailing list archive)
State Accepted
Series Generate CVE-reports only with manual trigger

Commit Message

Sai.Sathujoda@toshiba-tsip.com Jan. 18, 2024, 5:59 p.m. UTC
From: Sai Sathujoda <Sai.Sathujoda@toshiba-tsip.com>

The cve-checks job generates CVE reports from the latest copy of the dpkg status files
using the cve_checker.py script in debian-cve-checker. This job can only be triggered
manually, with no dependency on the build jobs running in the build stage. This dependency
is removed so that one does not have to wait until all the jobs running in the build
stage have passed, or be unable to run the cve-checks at all because some job has
failed in the build stage.

Signed-off-by: Sai Sathujoda <Sai.Sathujoda@toshiba-tsip.com>
---
 .gitlab-ci.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

Patch

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 1de6570..2527427 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -29,6 +29,7 @@  variables:
 stages:
   - build
   - test
+  - cve-check
 
 default:
   before_script:
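Review bot: the new stage is named `cve-check` while the job added further down is `cve-checks`; using the same spelling for both keeps the pipeline graph and log references consistent. Because that job declares `needs: []`, placing the stage after `test` only affects where it is drawn in the pipeline graph, not when it can be started.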
@@ -341,4 +342,17 @@  build:qemu-riscv64:
     deploy: disable
   allow_failure: true
 
+cve-checks:
+  stage: cve-check
+  needs: []
+  image: registry.gitlab.com/cip-playground/debian-cve-checker:latest
+  script:
+    - scripts/run-cve-checks.sh
+  when: manual
+  allow_failure: true
+  artifacts:
+    expire_in: 1 day
+    paths:
+      - cve-reports
+
 include: '.reproducible-check-ci.yml'
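Review bot: `artifacts:` carries no `when:` key, so GitLab applies the default `on_success` and the `cve-reports` directory is not uploaded if `scripts/run-cve-checks.sh` exits non-zero; since the job is already `allow_failure: true`, add `when: always` under `artifacts:` so a partial report survives a failing run. Two further points on this hunk: `image: registry.gitlab.com/cip-playground/debian-cve-checker:latest` is an unpinned tag, so the checker that produces the reports can change between runs without any change in this repository; pinning a version tag or an image digest makes the reports reproducible and makes a change in tooling visible in review. And because `needs: []` means the job receives no artifacts from the build jobs, the "latest copy of dpkg status files" mentioned in the commit message must be fetched by `scripts/run-cve-checks.sh` itself, which is not part of this patch; a comment next to the `script:` line saying where those files come from would help the next reader.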