scan goreleaser nightly image with trivy

authzed · Jul 13, 2023 · 15fe46c · 15fe46c
1 parent 429b01e
commit 15fe46c
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 5 deletions.
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -55,18 +55,65 @@ jobs:
       - uses: "actions/checkout@v3"
       - uses: "authzed/actions/codeql@main"
 
-  trivy:
-    name: "Analyze with Trivy"
+  trivy-fs:
+    name: "Analyze FS with Trivy"
     runs-on: "ubuntu-latest"
     steps:
       - uses: "actions/checkout@v3"
-      - uses: "aquasecurity/trivy-action@0.9.0"
+      - uses: "aquasecurity/trivy-action@master"
         with:
           scan-type: "fs"
           ignore-unfixed: true
           format: "sarif"
           output: "trivy-results.sarif"
-          severity: "CRITICAL"
+          severity: "CRITICAL,HIGH,MEDIUM"
+      - name: "Upload Trivy scan results to GitHub Security tab"
+        uses: "github/codeql-action/upload-sarif@v2"
+        with:
+          sarif_file: "trivy-results.sarif"
+
+  trivy-image:
+    name: "Analyze Release Image with Trivy"
+    runs-on: "ubuntu-latest"
+    steps:
+      - uses: "actions/checkout@v3"
+        with:
+          fetch-depth: 0
+      - uses: "authzed/actions/setup-go@main"
+        with:
+          go-version: "${{ env.GO_VERSION }}"
+      - uses: "docker/setup-qemu-action@v1"
+      - uses: "docker/setup-buildx-action@v1"
+      - name: "skip building all targets"
+        run: |
+          echo "partial:
+            by: target" >> .goreleaser.yml
+      - name: "show modified yaml"
+        run: |
+          cat .goreleaser.yml
+      - uses: "goreleaser/goreleaser-action@v4"
+        id: "goreleaser"
+        with:
+          distribution: "goreleaser-pro"
+          version: "latest"
+          args: "release --clean --split --snapshot"
+        env:
+          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          GORELEASER_KEY: "${{ secrets.GORELEASER_KEY }}"
+      - name: Dump steps context
+        env:
+          STEPS_CONTEXT: ${{ toJson(steps) }}
+          METADATA: ${{ steps.goreleaser.outputs.metadata }}"
+          VERSION_NEXT: ${{ steps.goreleaser.outputs.metadata.version }}"
+        run: echo "$STEPS_CONTEXT" && echo "$METADATA" && echo "$VERSION_NEXT"
+      - uses: "aquasecurity/trivy-action@master"
+        with:
+          scan-type: "image"
+          image-ref: "authzed/spicedb:${{ steps.goreleaser.outputs.metadata.version }}"
+          ignore-unfixed: true
+          format: "sarif"
+          output: "trivy-results.sarif"
+          severity: "CRITICAL,HIGH,MEDIUM"
       - name: "Upload Trivy scan results to GitHub Security tab"
         uses: "github/codeql-action/upload-sarif@v2"
         with:

diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -33,7 +33,7 @@ furies:
     secret_name: "GEMFURY_PUSH_TOKEN"
     skip: "{{ gt (len .Prerelease) 0 }}"
 brews:
-  - tap:
+  - repository:
       owner: "authzed"
       name: "homebrew-tap"
       token: "{{ .Env.HOMEBREW_TAP_GITHUB_TOKEN }}"