From fa2ef873ab565510c611295b2b9abfbf2f1321f4 Mon Sep 17 00:00:00 2001
From: Chris Werner Rau
Date: Tue, 26 Nov 2024 09:52:33 +0100
Subject: [PATCH] fix(ci): use registry tokens for image scanning

---
 .github/scripts/scan-for-licenses.sh | 10 ++++++++++
 .github/workflows/check-licenses.yaml | 4 +++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/.github/scripts/scan-for-licenses.sh b/.github/scripts/scan-for-licenses.sh
index bad78f2e4..67e4b554b 100755
--- a/.github/scripts/scan-for-licenses.sh
+++ b/.github/scripts/scan-for-licenses.sh
@@ -6,6 +6,10 @@ set -eu
 set -o pipefail
 
+declare -A IMAGE_PULL_TOKENS=(
+  ["registry-gitlab.teuto.net"]="${TEUTO_PORTAL_WORKER_PULL_TOKEN}"
+)
+
 WHITELIST=(
   "AGPL-3.0" # We're not writing software 🤷
   "AGPL-3.0-only"
@@ -85,6 +89,12 @@ function scanLicenses() {
   fi
 }
 
+trivy image --download-db-only
+
+for registry in "${!IMAGE_PULL_TOKENS[@]}"; do
+  TRIVY_PASSWORD="${IMAGE_PULL_TOKENS["$registry"]}" trivy registry login --username github-cve-scanning "$registry"
+done
+
 if [[ "$#" == 1 && -d "$1" ]]; then
   scanLicenses "$1"
 else
diff --git a/.github/workflows/check-licenses.yaml b/.github/workflows/check-licenses.yaml
index 6e51a8606..0c41e172c 100644
--- a/.github/workflows/check-licenses.yaml
+++ b/.github/workflows/check-licenses.yaml
@@ -23,7 +23,9 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - run: pip install yq
       - run: /home/linuxbrew/.linuxbrew/bin/brew install trivy
-      - run: |
+      - env:
+          TEUTO_PORTAL_WORKER_PULL_TOKEN: ${{ secrets.TEUTO_PORTAL_WORKER_PULL_TOKEN }}
+        run: |
           eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
           ./.github/scripts/scan-for-licenses.sh ${{ needs.getChangedChart.outputs.chart }}
   check-licenses-list:
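Review bot: `IMAGE_PULL_TOKENS` is filled from `${TEUTO_PORTAL_WORKER_PULL_TOKEN}` while the file runs under `set -eu` (visible in the hunk header), so a run where the variable is unset aborts at the `declare` with bash's generic unbound-variable message, and a run where it is set but empty (which is typically what a CI runner sees when the secret is withheld, e.g. for a pull request from a fork) continues to the `trivy registry login` in the second hunk of this file with an empty password and fails the whole license scan there. Either fail early with a clear message, `: "${TEUTO_PORTAL_WORKER_PULL_TOKEN:?TEUTO_PORTAL_WORKER_PULL_TOKEN must be set for registry-gitlab.teuto.net}"`, or default it with `${TEUTO_PORTAL_WORKER_PULL_TOKEN:-}` and skip the login for empty entries so scans that only need public images still work without the secret. A one-line comment above the map, `# registry host -> pull token; tokens are injected through the workflow's env: block`, would also document where the value is expected to come from.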
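Review bot: The login loop calls `trivy registry login` for every map entry regardless of whether its token is non-empty, and under `set -e` one failed login aborts the script before `scanLicenses` runs, so the scan of public images is lost together with the private one. Guard the loop body with `[[ -n "${IMAGE_PULL_TOKENS[$registry]}" ]] || continue`, or, if a missing token should be a hard error, print which registry failed to stderr first so the failure is attributable in the job log. Passing the token through `TRIVY_PASSWORD` rather than a command-line argument is the right choice because it keeps the secret out of `ps` output and the step log; a short comment, `# token via env, not argv, so it never appears in process listings or logs`, would stop a future edit from moving it to a flag. The login presumably persists credentials in the runner's docker config, which is harmless on an ephemeral hosted runner but worth noting if self-hosted runners are ever used.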
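Review bot: The step now receives the secret via `env:`, which is the right place for it, but the same step still expands `${{ needs.getChangedChart.outputs.chart }}` straight into the shell line below the edit, unquoted; if that output is derived from changed file paths in the pull request it is externally influenced text spliced into a script, which is the script-injection pattern GitHub's own guidance warns against. Pass it the same way as the token, `CHART: ${{ needs.getChangedChart.outputs.chart }}` under `env:`, and call `./.github/scripts/scan-for-licenses.sh "$CHART"` (the `CHART` name is my suggestion). It is also worth a comment next to the secret line stating that the value is empty on fork pull requests if the workflow runs on `pull_request`, since the script now fails hard without it. The enclosing job definition starts outside the hunk.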