deploy/build.yaml - vulndb - Git at Google

 steps:
   - id: Lock
     name: golang:1.23.0
     entrypoint: bash
     args:
       - -ec
       - |
         if [[ "$COMMIT_SHA" = '' ]]; then
           echo "no COMMIT_SHA, not locking"
           exit 0
         fi
         go run golang.org/x/website/cmd/locktrigger@latest \
           -project $PROJECT_ID -build $BUILD_ID -repo https://go.googlesource.com/vulndb

   - id: Unshallow
     name: gcr.io/cloud-builders/git
     entrypoint: bash
     args:
       - -c
       - |
         if ! git fetch --unshallow; then
           echo "git fetch --unshallow failed, no worries mate"
         fi

   - id: Test
     name: golang:1.23.0
     entrypoint: bash
     args:
       - -ec
       - go test ./...

   - id: CopyExisting
     name: gcr.io/cloud-builders/gsutil
     entrypoint: bash
     args:
       - -ec
       - gsutil -q -m cp -r gs://go-vulndb /workspace

   - id: Generate
     name: golang:1.23.0
     entrypoint: bash
     args: ["-ec", "go run ./cmd/gendb -out /workspace/db -zip /workspace/db/vulndb.zip"]

   - id: PreValidate
     name: golang:1.23.0
     entrypoint: bash
     args:
       - -ec
       - go run ./cmd/checkdeploy -new /workspace/db -existing /workspace/go-vulndb

   - id: Deploy
     name: gcr.io/cloud-builders/gsutil
     entrypoint: bash
     args: ["./deploy/gcp-deploy.sh"]

   - id: CopyDeployed
     name: gcr.io/cloud-builders/gsutil
     entrypoint: bash
     args:
       - -ec
       - mkdir /workspace/deployed && gsutil -q -m cp -r gs://go-vulndb /workspace/deployed

   - id: PostValidate
     name: golang:1.23.0
     entrypoint: bash
     args: ["-ec", "go run ./cmd/checkdb /workspace/deployed/go-vulndb"]
     env:
       - 'GOPROXY=https://proxy.golang.org'

   - id: PublishCVEs
     name: golang:1.23.0
     entrypoint: bash
     args:
      - -ec
      - |
        # Ensure we have valid credentials before attempting publish.
        go run ./cmd/cve -key $$CVE_API_KEY -user $$CVE_API_USER quota
        # Publish or update any CVE records that have changed.
        go run ./cmd/cve -key $$CVE_API_KEY -user $$CVE_API_USER publish-all
     secretEnv: ['CVE_API_USER', 'CVE_API_KEY']

 availableSecrets:
   secretManager:
   - versionName: ${_CVE_API_KEY}
     env: 'CVE_API_KEY'
   - versionName: ${_CVE_API_USER}
     env: 'CVE_API_USER'

 options:
   logging: CLOUD_LOGGING_ONLY
	steps:
	- id: Lock
	name: golang:1.23.0
	entrypoint: bash
	args:
	- -ec
	- \|
	if [[ "$COMMIT_SHA" = '' ]]; then
	echo "no COMMIT_SHA, not locking"
	exit 0
	fi
	go run golang.org/x/website/cmd/locktrigger@latest \
	-project $PROJECT_ID -build $BUILD_ID -repo https://go.googlesource.com/vulndb

	- id: Unshallow
	name: gcr.io/cloud-builders/git
	entrypoint: bash
	args:
	- -c
	- \|
	if ! git fetch --unshallow; then
	echo "git fetch --unshallow failed, no worries mate"
	fi

	- id: Test
	name: golang:1.23.0
	entrypoint: bash
	args:
	- -ec
	- go test ./...

	- id: CopyExisting
	name: gcr.io/cloud-builders/gsutil
	entrypoint: bash
	args:
	- -ec
	- gsutil -q -m cp -r gs://go-vulndb /workspace

	- id: Generate
	name: golang:1.23.0
	entrypoint: bash
	args: ["-ec", "go run ./cmd/gendb -out /workspace/db -zip /workspace/db/vulndb.zip"]

	- id: PreValidate
	name: golang:1.23.0
	entrypoint: bash
	args:
	- -ec
	- go run ./cmd/checkdeploy -new /workspace/db -existing /workspace/go-vulndb

	- id: Deploy
	name: gcr.io/cloud-builders/gsutil
	entrypoint: bash
	args: ["./deploy/gcp-deploy.sh"]

	- id: CopyDeployed
	name: gcr.io/cloud-builders/gsutil
	entrypoint: bash
	args:
	- -ec
	- mkdir /workspace/deployed && gsutil -q -m cp -r gs://go-vulndb /workspace/deployed

	- id: PostValidate
	name: golang:1.23.0
	entrypoint: bash
	args: ["-ec", "go run ./cmd/checkdb /workspace/deployed/go-vulndb"]
	env:
	- 'GOPROXY=https://proxy.golang.org'

	- id: PublishCVEs
	name: golang:1.23.0
	entrypoint: bash
	args:
	- -ec
	- \|
	# Ensure we have valid credentials before attempting publish.
	go run ./cmd/cve -key $$CVE_API_KEY -user $$CVE_API_USER quota
	# Publish or update any CVE records that have changed.
	go run ./cmd/cve -key $$CVE_API_KEY -user $$CVE_API_USER publish-all
	secretEnv: ['CVE_API_USER', 'CVE_API_KEY']

	availableSecrets:
	secretManager:
	- versionName: ${_CVE_API_KEY}
	env: 'CVE_API_KEY'
	- versionName: ${_CVE_API_USER}
	env: 'CVE_API_USER'

	options:
	logging: CLOUD_LOGGING_ONLY