ci: refactor scan workflow and update README badges

- Rename the job `scan-python` to `scan` in the scan workflow - Change the output file name and the artifact name from `trivy-results-python` to `trivy-results` - Remove the `scan-ubi` job from the scan workflow - Add a new separate workflow `scan_ubi` which includes the job removed from the scan workflow - Add the badge for the UBI image scan in the README file - Fix the alt text for the docker build and image scan badges in the README file Signed-off-by: 陳鈞 <[email protected]>
jim60105 · May 12, 2024 · 761a88c · 761a88c
1 parent a37e667
commit 761a88c
Show file tree

Hide file tree

Showing 3 changed files with 67 additions and 55 deletions.
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
@@ -9,7 +9,7 @@ on:
   workflow_dispatch:
 
 jobs:
-  scan-python:
+  scan:
     name: Scan Python official base image
     runs-on: ubuntu-latest
     if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }}
@@ -32,62 +32,12 @@ jobs:
           template: "@.github/workflows/scan/html.tpl"
           exit-code: '1'
           ignore-unfixed: true
-          output: "trivy-results-python.html"
+          output: "trivy-results.html"
 
       - name: Upload Artifact
         uses: actions/upload-artifact@v4
         if: always()
         with:
-          name: trivy-results-python
-          path: trivy-results-python.html
+          name: trivy-results
+          path: trivy-results.html
           retention-days: 90
-
-  scan-ubi:
-    name: Scan Red Hat UBI base image
-    runs-on: ubuntu-latest
-    if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          sparse-checkout: |
-            .github/workflows/scan/html.tpl
-          sparse-checkout-cone-mode: false
-
-      - name: Run Trivy vulnerability scanner for UBI image
-        uses: aquasecurity/[email protected]
-        with:
-          image-ref: "ghcr.io/jim60105/whisperx:ubi-no_model"
-          vuln-type: "os,library"
-          scanners: vuln
-          severity: "CRITICAL,HIGH"
-          format: "template"
-          template: "@.github/workflows/scan/html.tpl"
-          ignore-unfixed: true
-          output: "trivy-results-ubi.html"
-
-      - name: Upload Artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: trivy-results-ubi
-          path: trivy-results-ubi.html
-          retention-days: 90
-
-      - name: Run Trivy vulnerability scanner for UBI image (SARIF)
-        uses: aquasecurity/trivy-action@master
-        if: always()
-        with:
-          image-ref: "ghcr.io/jim60105/whisperx:ubi-no_model"
-          vuln-type: "os,library"
-          scanners: vuln
-          severity: "CRITICAL,HIGH"
-          format: 'sarif'
-          exit-code: '1'
-          ignore-unfixed: true
-          output: 'trivy-results.sarif'
-
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
-        if: always()
-        with:
-          sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/scan_ubi.yml b/.github/workflows/scan_ubi.yml
@@ -0,0 +1,60 @@
+name: scan
+
+on:
+  workflow_run:
+    workflows: [docker_publish]
+    types: [completed]
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+jobs:
+  scan-ubi:
+    name: Scan Red Hat UBI base image
+    runs-on: ubuntu-latest
+    if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          sparse-checkout: |
+            .github/workflows/scan/html.tpl
+          sparse-checkout-cone-mode: false
+
+      - name: Run Trivy vulnerability scanner for UBI image
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: "ghcr.io/jim60105/whisperx:ubi-no_model"
+          vuln-type: "os,library"
+          scanners: vuln
+          severity: "CRITICAL,HIGH"
+          format: "template"
+          template: "@.github/workflows/scan/html.tpl"
+          ignore-unfixed: true
+          output: "trivy-results-ubi.html"
+
+      - name: Upload Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-results-ubi
+          path: trivy-results-ubi.html
+          retention-days: 90
+
+      - name: Run Trivy vulnerability scanner for UBI image (SARIF)
+        uses: aquasecurity/trivy-action@master
+        if: always()
+        with:
+          image-ref: "ghcr.io/jim60105/whisperx:ubi-no_model"
+          vuln-type: "os,library"
+          scanners: vuln
+          severity: "CRITICAL,HIGH"
+          format: 'sarif'
+          exit-code: '1'
+          ignore-unfixed: true
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 # docker-whisperX
 
-[![CodeFactor](https://www.codefactor.io/repository/github/jim60105/docker-whisperx/badge)](https://www.codefactor.io/repository/github/jim60105/docker-whisperx) ![GitHub Workflow Status (with event)](https://img.shields.io/github/actions/workflow/status/jim60105/docker-whisperX/docker_publish.yml?label=DOCKER%20BUILD) [![GitHub Workflow Status (with event)](https://img.shields.io/github/actions/workflow/status/jim60105/docker-whisperX/scan.yml?label=IMAGE%20SCAN)](https://github.com/jim60105/docker-whisperX/actions/workflows/scan.yml)
+[![CodeFactor](https://www.codefactor.io/repository/github/jim60105/docker-whisperx/badge)](https://www.codefactor.io/repository/github/jim60105/docker-whisperx) ![Docker Build](https://img.shields.io/github/actions/workflow/status/jim60105/docker-whisperX/docker_publish.yml?label=Docker%20Build) [![Image Scan](https://img.shields.io/github/actions/workflow/status/jim60105/docker-whisperX/scan.yml?label=Image%20Scan)](https://github.com/jim60105/docker-whisperX/actions/workflows/scan.yml) [![Image Scan UBI](https://img.shields.io/github/actions/workflow/status/jim60105/docker-whisperX/scan_ubi.yml?label=Image%20Scan%20UBI)](https://github.com/jim60105/docker-whisperX/actions/workflows/scan_ubi.yml)
 
 This is the docker image for [WhisperX: Automatic Speech Recognition with Word-Level Timestamps (and Speaker Diarization)](https://github.com/m-bain/whisperX) from the community.
 
@@ -114,6 +114,8 @@ docker run --gpus all -it -v ".:/app" whisperx:large-v3-ja -- --output_format sr
 
 ## ⛑️ Red Hat UBI based Image
 
+[![Image Scan UBI](https://img.shields.io/github/actions/workflow/status/jim60105/docker-whisperX/scan_ubi.yml?label=Image%20Scan%20UBI)](https://github.com/jim60105/docker-whisperX/actions/workflows/scan_ubi.yml)
+
 I have created an alternative [ubi.Dockerfile](ubi.Dockerfile) that is based on the **Red Hat Universal Base Image (UBI)** image, unlike the default one which used the **Python official image** as the base image. If you are a Red Hat subscriber, I believe you will find its benefits.
 
 > [!TIP]