fix tagging for dev builds

Signed-off-by: David van der Spek <[email protected]>
pluralsh · Apr 6, 2023 · 39a7d21 · 39a7d21
1 parent e1d29fa
commit 39a7d21
Showing 1 changed file with 32 additions and 2 deletions.
diff --git a/.github/workflows/build-container.yaml b/.github/workflows/build-container.yaml
@@ -78,7 +78,12 @@ jobs:
           # dkr.plural.sh/${{ steps.tag.outputs.app }}/${{ steps.tag.outputs.app_image }}
           # generate Docker tags based on the following events/attributes
           tags: |
-            type=match,prefix=${{ steps.tag.outputs.app_version }}-plural,pattern=.*-v(.*),group=1
+            if [ ${{ github.event_name }} == 'pull_request' ] || [ ${{ github.event_name }} == 'merge_group' ];
+            then
+              type=raw,value=${{ steps.tag.outputs.app_version }}-plural-${{ steps.tag.outputs.version }}
+            else
+              type=match,prefix=${{ steps.tag.outputs.app_version }}-plural,pattern=.*-v(.*),group=1
+            fi
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v2
       - name: Set up Docker Buildx
@@ -89,7 +94,7 @@ jobs:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build ${{ steps.tag.outputs.app }} image
+      - name: Build ${{ steps.tag.outputs.app }} image for security scanning
         uses: docker/build-push-action@v4
         with:
           context: ${{ steps.tag.outputs.app }}
@@ -127,3 +132,28 @@ jobs:
           platforms: linux/amd64,linux/arm64
           # cache-from: type=gha
           # cache-to: type=gha,mode=max
+  trivy-scan:
+    name: Trivy IaC scan
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Run Trivy vulnerability scanner in IaC mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          hide-progress: false
+          scan-ref: '.'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          security-checks: 'vuln,secret,config'
+          ignore-unfixed: true
+          #severity: 'CRITICAL,HIGH'
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'