taiars/nora
1
0
Fork 0
mirror of https://github.com/getnora-io/nora.git synced 2026-04-12 11:30:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

ci: move trivy image scan to separate ubuntu-latest job to avoid self-hosted timeout

Browse Source
This commit is contained in:
devitway
2026-02-23 16:15:03 +00:00
parent 196c313f20
commit 1813546bee
1 changed files with 31 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
.github/workflows/release.yml vendored
View File

@@ -41,7 +41,6 @@ jobs:
permissions: permissions:
contents: read contents: read
packages: write packages: write
security-events: write # for uploading SARIF to GitHub Security tab
strategy: strategy:
fail-fast: false fail-fast: false
@@ -103,19 +102,44 @@ jobs:
cache-from: type=gha,scope=${{ matrix.name }} cache-from: type=gha,scope=${{ matrix.name }}
cache-to: type=gha,mode=max,scope=${{ matrix.name }} cache-to: type=gha,mode=max,scope=${{ matrix.name }}
scan:
name: Scan (${{ matrix.name }})
runs-on: ubuntu-latest
needs: build-docker
permissions:
contents: read
packages: read
security-events: write
strategy:
fail-fast: false
matrix:
include:
- name: alpine
suffix: ""
- name: astra
suffix: "-astra"
- name: redos
suffix: "-redos"
steps:
- name: Log in to Container Registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# ── CVE scan of the pushed image ──────────────────────────────────────── # ── CVE scan of the pushed image ────────────────────────────────────────
- name: Trivy — image scan - name: Trivy — image scan (${{ matrix.name }})
uses: aquasecurity/trivy-action@master uses: aquasecurity/trivy-action@master
with: with:
scan-type: image scan-type: image
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}${{ matrix.suffix }} image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}${{ matrix.suffix }}
format: sarif format: sarif
output: trivy-image-${{ matrix.name }}.sarif output: trivy-image-${{ matrix.name }}.sarif
severity: HIGH,CRITICAL severity: HIGH,CRITICAL
exit-code: 0 # warn only; change to 1 to block on vulnerabilities exit-code: 0 # warn only; change to 1 to block on vulnerabilities
env:
TRIVY_USERNAME: ${{ github.actor }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
- name: Upload Trivy image results to GitHub Security tab - name: Upload Trivy image results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3 uses: github/codeql-action/upload-sarif@v3
@@ -127,7 +151,7 @@ jobs:
release: release:
name: GitHub Release name: GitHub Release
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: build-docker needs: [build-docker, scan]
permissions: permissions:
contents: write contents: write
packages: read # to pull image for SBOM generation packages: read # to pull image for SBOM generation