From 484c7673ec418e484d86b21324348fbecc605cdd Mon Sep 17 00:00:00 2001
From: Chris Werner Rau
Date: Tue, 26 Nov 2024 09:52:33 +0100
Subject: [PATCH 1/2] fix(ci): use registry tokens for image scanning

---
 .github/scripts/scan-for-licenses.sh | 10 ++++++++++
 .github/workflows/check-licenses.yaml | 4 +++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/.github/scripts/scan-for-licenses.sh b/.github/scripts/scan-for-licenses.sh
index 2d80233c4..87d00e05c 100755
--- a/.github/scripts/scan-for-licenses.sh
+++ b/.github/scripts/scan-for-licenses.sh
@@ -6,6 +6,10 @@
 set -eu
 set -o pipefail
 
+declare -A IMAGE_PULL_TOKENS=(
+ ["registry-gitlab.teuto.net"]="${TEUTO_PORTAL_WORKER_PULL_TOKEN}"
+)
+
 WHITELIST=(
 "AGPL-3.0" # We're not writing software 🤷
 "CC-BY-SA-3.0"
@@ -53,6 +57,12 @@ function scanLicenses() {
 fi
 }
 
+trivy image --download-db-only
+
+for registry in "${!IMAGE_PULL_TOKENS[@]}"; do
+ TRIVY_PASSWORD="${IMAGE_PULL_TOKENS["$registry"]}" trivy registry login --username github-cve-scanning "$registry"
+done
+
 if [[ "$#" == 1 && -d "$1" ]]; then
 scanLicenses "$1"
 else
diff --git a/.github/workflows/check-licenses.yaml b/.github/workflows/check-licenses.yaml
index 6e51a8606..0c41e172c 100644
--- a/.github/workflows/check-licenses.yaml
+++ b/.github/workflows/check-licenses.yaml
@@ -23,7 +23,9 @@ jobs:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - run: pip install yq
 - run: /home/linuxbrew/.linuxbrew/bin/brew install trivy
- - run: |
+ - env:
+ TEUTO_PORTAL_WORKER_PULL_TOKEN: ${{ secrets.TEUTO_PORTAL_WORKER_PULL_TOKEN }}
+ run: |
 eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
 ./.github/scripts/scan-for-licenses.sh ${{ needs.getChangedChart.outputs.chart }}
 check-licenses-list:
From 75d47a1255344c96b631e248562c0de9503c034d Mon Sep 17 00:00:00 2001
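Review bot: The login loop leaves the credential stored on the runner after the scan, because `trivy registry login` persists it in the Docker config file (as far as I recall, `~/.docker/config.json`) and nothing in the hunk removes it again; on any runner that is not discarded after the job the token outlives its use. Register a cleanup right after the loop, `trap 'for r in "${!IMAGE_PULL_TOKENS[@]}"; do trivy registry logout "$r" || true; done' EXIT`, so the entry is removed on every exit path. The same applies where PATCH 2/2 moves this loop into .github/scripts/trivy-login-to-registries.sh, with the caveat that a trap set inside a sourced file replaces any EXIT trap the calling script has installed. Passing the token through `TRIVY_PASSWORD=` for the single command rather than as an argument is the right choice, as it keeps the value off the command line.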
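Review bot: The chart name on the `run:` line, `./.github/scripts/scan-for-licenses.sh ${{ needs.getChangedChart.outputs.chart }}`, is still substituted into the script text before the shell parses it, while the new `env:` block directly above shows the safer pattern; I cannot tell from this hunk what getChangedChart derives that output from, so treat this as hygiene rather than a known hole. Add `CHART: ${{ needs.getChangedChart.outputs.chart }}` to the env block and call `./.github/scripts/scan-for-licenses.sh "$CHART"`, so the value reaches the script as one quoted argument instead of being re-parsed by bash. The enclosing job starts outside the hunk.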
From: Chris Werner Rau
Date: Tue, 26 Nov 2024 09:58:50 +0100
Subject: [PATCH 2/2] fix(ci): deduplicate trivy login script also login for license scanning

---
 .github/scripts/generate-sarif-reports.sh | 10 +---------
 .github/scripts/scan-for-licenses.sh | 10 +---------
 .github/scripts/trivy-login-to-registries.sh | 16 ++++++++++++++++
 3 files changed, 18 insertions(+), 18 deletions(-)
 create mode 100644 .github/scripts/trivy-login-to-registries.sh

diff --git a/.github/scripts/generate-sarif-reports.sh b/.github/scripts/generate-sarif-reports.sh
index 579a6e165..7d7b24e91 100755
--- a/.github/scripts/generate-sarif-reports.sh
+++ b/.github/scripts/generate-sarif-reports.sh
@@ -6,9 +6,7 @@
 set -eu
 set -o pipefail
 
-declare -A IMAGE_PULL_TOKENS=(
- ["registry-gitlab.teuto.net"]="${TEUTO_PORTAL_WORKER_PULL_TOKEN}"
-)
+source "$(dirname "$0")/trivy-login-to-registries.sh"

 function createSarifReports() {
 local chart="${1?}"
@@ -47,12 +45,6 @@ function generateSarifReport() {
 }
 export -f generateSarifReport
 
-trivy image --download-db-only
-
-for registry in "${!IMAGE_PULL_TOKENS[@]}"; do
- TRIVY_PASSWORD="${IMAGE_PULL_TOKENS["$registry"]}" trivy registry login --username github-cve-scanning "$registry"
-done
-
 if [[ "$#" == 1 && -d "$1" ]]; then
 createSarifReports "$1"
 else
diff --git a/.github/scripts/scan-for-licenses.sh b/.github/scripts/scan-for-licenses.sh
index 87d00e05c..ffd566b85 100755
--- a/.github/scripts/scan-for-licenses.sh
+++ b/.github/scripts/scan-for-licenses.sh
@@ -6,9 +6,7 @@
 set -eu
 set -o pipefail
 
-declare -A IMAGE_PULL_TOKENS=(
- ["registry-gitlab.teuto.net"]="${TEUTO_PORTAL_WORKER_PULL_TOKEN}"
-)
+source "$(dirname "$0")/trivy-login-to-registries.sh"

 WHITELIST=(
 "AGPL-3.0" # We're not writing software 🤷
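Review bot: The `source` line runs the helper's side effects, the vulnerability-database download and the registry logins, at the top of the file, before the script has validated its argument in the `if [[ "$#" == 1 && -d "$1" ]]` branch at the bottom; a wrong invocation therefore still authenticates to the registry and only then fails. Placing the `source` directly above that check, or having the helper expose a function the script calls after validation, keeps the credential unused until the script knows it will scan. The same ordering applies to the matching hunk in .github/scripts/scan-for-licenses.sh in this patch. The argument check itself sits in the second hunk of this file, outside the hunk with the `source` line.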
@@ -57,12 +55,6 @@ function scanLicenses() {
 fi
 }
 
-trivy image --download-db-only
-
-for registry in "${!IMAGE_PULL_TOKENS[@]}"; do
- TRIVY_PASSWORD="${IMAGE_PULL_TOKENS["$registry"]}" trivy registry login --username github-cve-scanning "$registry"
-done
-
 if [[ "$#" == 1 && -d "$1" ]]; then
 scanLicenses "$1"
 else
diff --git a/.github/scripts/trivy-login-to-registries.sh b/.github/scripts/trivy-login-to-registries.sh
new file mode 100644
index 000000000..9dc166558
--- /dev/null
+++ b/.github/scripts/trivy-login-to-registries.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+if ! (return 0 2>/dev/null); then
+ echo This must be sourced, not executed. >&2
+ exit 1
+fi
+
+declare -A IMAGE_PULL_TOKENS=(
+ ["registry-gitlab.teuto.net"]="${TEUTO_PORTAL_WORKER_PULL_TOKEN?}"
+)
+
+trivy image --download-db-only
+
+for registry in "${!IMAGE_PULL_TOKENS[@]}"; do
+ TRIVY_PASSWORD="${IMAGE_PULL_TOKENS["$registry"]}" trivy registry login --username github-cve-scanning "$registry"
+done
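Review bot: The new file has no header comment, and since sourcing it immediately downloads the vulnerability database and logs in to every registry in IMAGE_PULL_TOKENS, a reader of the callers' `source "$(dirname "$0")/trivy-login-to-registries.sh"` cannot see that from the name; add a short block under the shebang stating that the file must be sourced, that it requires TEUTO_PORTAL_WORKER_PULL_TOKEN to be set, and that it performs those two network steps at source time. The guard message should also go through `printf '%s\n' 'This must be sourced, not executed.' >&2` rather than an unquoted `echo`, consistent with the quoting used on every other line of the file. The `--username github-cve-scanning` literal deserves a comment naming which registry account it denotes, since this is the one place that identity is fixed.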