fix(ci): use registry tokens for image scanning

teutonet · Nov 26, 2024 · fa2ef87 · fa2ef87
1 parent c0ca8ca
commit fa2ef87
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/.github/scripts/scan-for-licenses.sh b/.github/scripts/scan-for-licenses.sh
@@ -6,6 +6,10 @@
 set -eu
 set -o pipefail
 
+declare -A IMAGE_PULL_TOKENS=(
+  ["registry-gitlab.teuto.net"]="${TEUTO_PORTAL_WORKER_PULL_TOKEN}"
+)
+
 WHITELIST=(
   "AGPL-3.0" # We're not writing software 🤷
   "AGPL-3.0-only"
@@ -85,6 +89,12 @@ function scanLicenses() {
   fi
 }
 
+trivy image --download-db-only
+
+for registry in "${!IMAGE_PULL_TOKENS[@]}"; do
+  TRIVY_PASSWORD="${IMAGE_PULL_TOKENS["$registry"]}" trivy registry login --username github-cve-scanning "$registry"
+done
+
 if [[ "$#" == 1 && -d "$1" ]]; then
   scanLicenses "$1"
 else

diff --git a/.github/workflows/check-licenses.yaml b/.github/workflows/check-licenses.yaml
@@ -23,7 +23,9 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - run: pip install yq
       - run: /home/linuxbrew/.linuxbrew/bin/brew install trivy
-      - run: |
+      - env:
+          TEUTO_PORTAL_WORKER_PULL_TOKEN: ${{ secrets.TEUTO_PORTAL_WORKER_PULL_TOKEN }}
+        run: |
           eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
           ./.github/scripts/scan-for-licenses.sh ${{ needs.getChangedChart.outputs.chart }}
   check-licenses-list: