diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index ccf566b..9859840 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -69,13 +69,18 @@ jobs:
 - name: Extract branch meta
 shell: bash
 id: extract_branch_meta
+ env:
+ PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
+ PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+ BRANCH_REF_NAME: ${{ github.ref_name}}
+ BRANCH_SHA: ${{ github.sha }}
 run: |
 if [ "${{ github.event_name }}" == 'pull_request' ]; then
- echo "branch=${{ github.event.pull_request.head.ref }}" >> $GITHUB_OUTPUT
- echo "sha=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT
+ echo "branch=$PR_HEAD_REF" >> $GITHUB_OUTPUT
+ echo "sha=$PR_HEAD_SHA" >> $GITHUB_OUTPUT
 else
- echo "branch=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT
- echo "sha=${{ github.sha }}" >> $GITHUB_OUTPUT
+ echo "branch=$BRANCH_REF_NAME" >> $GITHUB_OUTPUT
+ echo "sha=$BRANCH_SHA" >> $GITHUB_OUTPUT
 fi
 deploy:
@@ -113,7 +118,7 @@ jobs:
 security-events: write
 steps:
 - name: run trivy vulnerability scanner
- uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5
+ uses: aquasecurity/trivy-action@1f6384b6ceecbbc6673526f865b818a2a06b07c9
 with:
 image-ref: 'ghcr.io/${{ github.repository }}:${{ github.sha }}'
 format: 'sarif'
@@ -123,6 +128,6 @@ jobs:
 ignore-unfixed: true
 - name: upload trivy results
 if: ${{ always() }}
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: 'trivy-results.sarif'
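Review bot: The `if [ "${{ github.event_name }}" == 'pull_request' ]` test in the "Extract branch meta" `run:` block is the one expression still expanded into the script text. It is not attacker-controlled, but reading the runner-provided variable instead, `if [ "$GITHUB_EVENT_NAME" == 'pull_request' ]; then`, would leave the script free of inline expressions and easier to audit. The `branch` output still carries the PR author's branch name, so any later step that expands `${{ steps.extract_branch_meta.outputs.branch }}` inside a `run:` script (none is visible in this hunk) needs the same `env:` indirection. Note also that `github.ref_name` strips `refs/tags/` as well as `refs/heads/`, unlike the old `${GITHUB_REF#refs/heads/}`, so tag-triggered runs, if this workflow has any, would get a different `branch` value.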
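Review bot: `github/codeql-action/upload-sarif@v3` in the last hunk is referenced by a mutable tag, while `aquasecurity/trivy-action` in the same job is pinned to a full commit SHA. The job holds `security-events: write`, so the upload step deserves the same pinning, e.g. `uses: github/codeql-action/upload-sarif@<full-commit-sha-for-v3>  # v3` (placeholder; take the SHA from the action's release page). A trailing `# <release-tag>` comment on the new trivy-action SHA would likewise show which release is pinned without looking the hash up. The job's definition starts outside these hunks.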