fix(docker/foldseek): keep .git in source stage for version embed #80
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Docker Build, Push, Scan | |
| # Build, push, and Trivy-scan any docker/<image>/ that changed in this push/PR. | |
| # - Default branch push: optional auto-bump VERSION -> commit [skip ci] -> build -> push -> scan | |
| # - Any other branch: build only (PR: build + scan only, no push) | |
| # - Schedule / dispatch: rescan :latest of every image for new CVEs | |
| # | |
| # See scripts/ci-detect-changed-images.sh and scripts/ci-bump-image-versions.sh | |
| # for the change-detection and version-bump logic. | |
| on: | |
| push: | |
| # Tag pushes are intentionally NOT a trigger. The CD workflow (cd.yml) | |
| # pushes release tags after this workflow completes; reacting to those | |
| # tags would cause a redundant rebuild of every image. | |
| branches: | |
| - '**' | |
| pull_request: | |
| branches: | |
| - main | |
| schedule: | |
| - cron: '0 6 * * 1' # Weekly Monday rescan for new CVEs | |
| workflow_dispatch: | |
| concurrency: | |
| group: docker-${{ github.ref }} | |
| cancel-in-progress: false | |
| env: | |
| GHCR_REGISTRY: ghcr.io | |
| # GCR project (without registry host); change via repo variable GCR_PROJECT. | |
| GCR_PROJECT: ${{ vars.GCR_PROJECT || 'broadinstitute' }} | |
| GCR_REGISTRY: us.gcr.io | |
| # Opt every JS-based action into Node.js 24 ahead of the June 2nd, 2026 | |
| # default flip. Silences the Node 20 deprecation warnings on actions | |
| # (checkout, login-action, metadata-action, etc.) that haven't bumped yet. | |
| # Remove this once Node 24 is the runner default. | |
| FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true | |
| # Image size (uncompressed, as reported by `docker image inspect .Size`) | |
| # above which Trivy drops the secret scanner and uses an extended timeout. | |
| # Big scientific images full of model weights and reference databases trip | |
| # the secret scanner's per-file size guard; the secret scanner is meant for | |
| # source repos with API keys anyway. Smaller images get the full default | |
| # scan (vuln + secret). Override via repo variable TRIVY_LARGE_IMAGE_BYTES. | |
| TRIVY_LARGE_IMAGE_BYTES: ${{ vars.TRIVY_LARGE_IMAGE_BYTES || '2147483648' }} | |
| jobs: | |
| # --------------------------------------------------------------------------- | |
| # 1) Detect which docker/<image>/ dirs changed in this event. | |
| # --------------------------------------------------------------------------- | |
| detect-changes: | |
| if: ${{ !contains(github.event.head_commit.message, '[skip ci]') }} | |
| runs-on: ubuntu-latest | |
| outputs: | |
| images: ${{ steps.detect.outputs.images }} | |
| any: ${{ steps.detect.outputs.any }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Detect changed image directories | |
| id: detect | |
| env: | |
| GITHUB_EVENT_NAME: ${{ github.event_name }} | |
| BASE_REF: ${{ github.base_ref }} | |
| BEFORE_SHA: ${{ github.event.before }} | |
| run: bash scripts/ci-detect-changed-images.sh | |
| # --------------------------------------------------------------------------- | |
| # 2) On default-branch push with image changes, auto-bump VERSION and push | |
| # a [skip ci] commit so the build job uses the new version. | |
| # --------------------------------------------------------------------------- | |
| bump-versions: | |
| needs: detect-changes | |
| if: >- | |
| needs.detect-changes.outputs.any == 'true' | |
| && github.event_name == 'push' | |
| && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) | |
| && !contains(github.event.head_commit.message, '[skip ci]') | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| outputs: | |
| committed: ${{ steps.bump.outputs.committed }} | |
| versions: ${{ steps.bump.outputs.versions }} | |
| bumped: ${{ steps.bump.outputs.bumped }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Bump VERSION for changed images | |
| id: bump | |
| env: | |
| BEFORE_SHA: ${{ github.event.before }} | |
| run: bash scripts/ci-bump-image-versions.sh '${{ needs.detect-changes.outputs.images }}' | |
| - name: Commit and push bump | |
| if: steps.bump.outputs.committed == 'true' | |
| run: | | |
| git config user.name 'github-actions[bot]' | |
| git config user.email '41898282+github-actions[bot]@users.noreply.github.com' | |
| git add docker/*/Makefile | |
| git commit -m "chore(docker): bump versions for ${{ steps.bump.outputs.bumped }} [skip ci]" | |
| git push | |
| # --------------------------------------------------------------------------- | |
| # 3a) Build each image per-arch on a native runner and push an intermediate | |
| # per-arch tag to GHCR. amd64 runs on ubuntu-latest; arm64 runs on | |
| # ubuntu-24.04-arm (native arm runner — no QEMU emulation, ~5-10x faster | |
| # than cross-building arm64 under QEMU on an amd64 runner). | |
| # Skipped on PRs (PR path uses pr-build-scan below — single arch, no push). | |
| # --------------------------------------------------------------------------- | |
| build-per-arch: | |
| needs: [detect-changes, bump-versions] | |
| if: >- | |
| always() | |
| && needs.detect-changes.outputs.any == 'true' | |
| && needs.bump-versions.result != 'failure' | |
| && github.event_name != 'schedule' | |
| && github.event_name != 'workflow_dispatch' | |
| && github.event_name != 'pull_request' | |
| runs-on: ${{ matrix.arch.runner }} | |
| permissions: | |
| contents: read | |
| packages: write | |
| actions: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| image: ${{ fromJSON(needs.detect-changes.outputs.images) }} | |
| arch: | |
| - { name: amd64, runner: ubuntu-latest, platform: linux/amd64 } | |
| - { name: arm64, runner: ubuntu-24.04-arm, platform: linux/arm64 } | |
| steps: | |
| - name: Checkout (pick up auto-bump if any) | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ needs.bump-versions.outputs.committed == 'true' && github.ref || github.sha }} | |
| # Runners ship with ~14 GB free on /. Multi-env conda + DeepVirFinder | |
| # model weights overflow that. Drop preinstalled toolchains we don't | |
| # use — frees ~25 GB. (Same paths apply on both amd64 and arm64 runner | |
| # images; missing paths are a no-op thanks to `|| true`.) | |
| - name: Free disk space on runner | |
| run: | | |
| sudo rm -rf /usr/share/dotnet /usr/local/lib/android /opt/ghc \ | |
| /usr/local/share/boost /opt/hostedtoolcache/CodeQL \ | |
| /usr/local/lib/heroku /usr/local/share/powershell \ | |
| /usr/local/share/chromium /usr/local/share/swift || true | |
| sudo docker image prune -af || true | |
| df -h / | |
| - name: Stage LICENSE into image build context | |
| run: cp LICENSE docker/${{ matrix.image }}/LICENSE | |
| - name: Read VERSION from Makefile | |
| id: ver | |
| run: | | |
| v=$(awk -F'=' '/^[[:space:]]*VERSION[[:space:]]*=/ {gsub(/[[:space:]]/,"",$2); print $2; exit}' \ | |
| docker/${{ matrix.image }}/Makefile) | |
| if [ -z "$v" ]; then | |
| echo "::error::No VERSION in docker/${{ matrix.image }}/Makefile" | |
| exit 1 | |
| fi | |
| echo "version=$v" >> "$GITHUB_OUTPUT" | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Log in to GHCR | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.GHCR_REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Compute intermediate ref | |
| id: refs | |
| run: | | |
| owner_repo_lc="$(echo '${{ github.repository }}' | tr '[:upper:]' '[:lower:]')" | |
| echo "intermediate=${{ env.GHCR_REGISTRY }}/${owner_repo_lc}/${{ matrix.image }}:${{ steps.ver.outputs.version }}-${{ matrix.arch.name }}" >> "$GITHUB_OUTPUT" | |
| - name: Build and push intermediate per-arch tag | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: docker/${{ matrix.image }} | |
| platforms: ${{ matrix.arch.platform }} | |
| tags: ${{ steps.refs.outputs.intermediate }} | |
| # Cache scoped per image AND arch so amd64 and arm64 don't clobber | |
| # each other in the GHA cache backend. | |
| cache-from: type=gha,scope=${{ matrix.image }}-${{ matrix.arch.name }} | |
| cache-to: type=gha,mode=max,scope=${{ matrix.image }}-${{ matrix.arch.name }} | |
| # Force Docker v2.2 mediatypes on the per-arch manifests so the merge | |
| # step in 3b produces a Docker manifest list (not an OCI index). | |
| provenance: false | |
| sbom: false | |
| outputs: type=image,oci-mediatypes=false,push=true | |
| # --------------------------------------------------------------------------- | |
| # 3b) Merge per-arch intermediates into multi-arch final tags via | |
| # `docker buildx imagetools create`, push to GHCR (and GCR mirror if | |
| # configured), then Trivy-scan the merged image. | |
| # --------------------------------------------------------------------------- | |
| merge-and-scan: | |
| needs: [detect-changes, bump-versions, build-per-arch] | |
| if: >- | |
| always() | |
| && needs.build-per-arch.result == 'success' | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| security-events: write | |
| actions: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| image: ${{ fromJSON(needs.detect-changes.outputs.images) }} | |
| steps: | |
| - name: Checkout (for Trivy configs) | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ needs.bump-versions.outputs.committed == 'true' && github.ref || github.sha }} | |
| - name: Read VERSION from Makefile | |
| id: ver | |
| run: | | |
| v=$(awk -F'=' '/^[[:space:]]*VERSION[[:space:]]*=/ {gsub(/[[:space:]]/,"",$2); print $2; exit}' \ | |
| docker/${{ matrix.image }}/Makefile) | |
| if [ -z "$v" ]; then | |
| echo "::error::No VERSION in docker/${{ matrix.image }}/Makefile" | |
| exit 1 | |
| fi | |
| echo "version=$v" >> "$GITHUB_OUTPUT" | |
| - name: Detect GCR mirror availability | |
| id: gcr | |
| env: | |
| GCP_SA_KEY: ${{ secrets.GCP_SA_KEY }} | |
| run: | | |
| if [ -n "${GCP_SA_KEY:-}" ]; then | |
| echo "have=true" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "have=false" >> "$GITHUB_OUTPUT" | |
| fi | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Log in to GHCR | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.GHCR_REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Authenticate to GCP | |
| if: steps.gcr.outputs.have == 'true' | |
| uses: google-github-actions/auth@v2 | |
| with: | |
| credentials_json: ${{ secrets.GCP_SA_KEY }} | |
| - name: Log in to GCR | |
| if: steps.gcr.outputs.have == 'true' | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.GCR_REGISTRY }} | |
| username: _json_key | |
| password: ${{ secrets.GCP_SA_KEY }} | |
| - name: Compute image refs | |
| id: refs | |
| run: | | |
| owner_repo_lc="$(echo '${{ github.repository }}' | tr '[:upper:]' '[:lower:]')" | |
| echo "ghcr_image=${{ env.GHCR_REGISTRY }}/${owner_repo_lc}/${{ matrix.image }}" >> "$GITHUB_OUTPUT" | |
| echo "gcr_image=${{ env.GCR_REGISTRY }}/${{ env.GCR_PROJECT }}/${{ matrix.image }}" >> "$GITHUB_OUTPUT" | |
| - name: Metadata (GHCR tags) | |
| id: meta_ghcr | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ${{ steps.refs.outputs.ghcr_image }} | |
| # Tag rules (same as the legacy single-job build-scan): | |
| # - Immutable VERSION tag from the Makefile | |
| # - Default branch push: bare branch name (e.g. `main`) | |
| # - Non-default branch push: `branch-<name>` prefix | |
| # - Default branch only: also `latest` | |
| # (PR rule omitted — PR runs go through pr-build-scan which never | |
| # reaches this job.) | |
| tags: | | |
| type=raw,value=${{ steps.ver.outputs.version }} | |
| type=ref,event=branch,enable=${{ github.ref_name == github.event.repository.default_branch }} | |
| type=ref,event=branch,prefix=branch-,enable=${{ github.ref_name != github.event.repository.default_branch }} | |
| type=raw,value=latest,enable={{is_default_branch}} | |
| - name: Metadata (GCR tags) | |
| id: meta_gcr | |
| if: steps.gcr.outputs.have == 'true' | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ${{ steps.refs.outputs.gcr_image }} | |
| tags: | | |
| type=raw,value=${{ steps.ver.outputs.version }} | |
| type=ref,event=branch,enable=${{ github.ref_name == github.event.repository.default_branch }} | |
| type=ref,event=branch,prefix=branch-,enable=${{ github.ref_name != github.event.repository.default_branch }} | |
| type=raw,value=latest,enable={{is_default_branch}} | |
| - name: Merge per-arch intermediates into multi-arch manifest list | |
| env: | |
| GHCR_TAGS: ${{ steps.meta_ghcr.outputs.tags }} | |
| GCR_TAGS: ${{ steps.meta_gcr.outputs.tags }} | |
| GHCR_IMAGE: ${{ steps.refs.outputs.ghcr_image }} | |
| VERSION: ${{ steps.ver.outputs.version }} | |
| run: | | |
| set -euo pipefail | |
| tag_args=() | |
| while IFS= read -r t; do | |
| [ -n "$t" ] && tag_args+=("-t" "$t") | |
| done <<< "$GHCR_TAGS" | |
| if [ -n "${GCR_TAGS:-}" ]; then | |
| while IFS= read -r t; do | |
| [ -n "$t" ] && tag_args+=("-t" "$t") | |
| done <<< "$GCR_TAGS" | |
| fi | |
| # `imagetools create` preserves the source mediatype: since both | |
| # per-arch sources were pushed with oci-mediatypes=false (Docker v2), | |
| # the resulting manifest list is also Docker v2.2 — as required by | |
| # downstream consumers that reject OCI mediatypes. | |
| docker buildx imagetools create \ | |
| "${tag_args[@]}" \ | |
| "${GHCR_IMAGE}:${VERSION}-amd64" \ | |
| "${GHCR_IMAGE}:${VERSION}-arm64" | |
| - name: Pull merged image for Trivy scan | |
| run: docker pull ${{ steps.refs.outputs.ghcr_image }}:${{ steps.ver.outputs.version }} | |
| - name: Pick Trivy scan profile by image size | |
| id: trivy_cfg | |
| env: | |
| IMAGE_REF: ${{ steps.refs.outputs.ghcr_image }}:${{ steps.ver.outputs.version }} | |
| run: bash scripts/ci-trivy-profile.sh | |
| - name: Trivy scan (table; fails build on HIGH/CRITICAL) | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: ${{ steps.refs.outputs.ghcr_image }}:${{ steps.ver.outputs.version }} | |
| format: table | |
| severity: CRITICAL,HIGH | |
| scanners: ${{ steps.trivy_cfg.outputs.scanners }} | |
| timeout: ${{ steps.trivy_cfg.outputs.timeout }} | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| ignore-policy: docker/${{ matrix.image }}/.trivy-ignore-policy.rego | |
| trivyignores: docker/${{ matrix.image }}/.trivyignore | |
| - name: Trivy scan (SARIF for Security tab) | |
| if: always() | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: ${{ steps.refs.outputs.ghcr_image }}:${{ steps.ver.outputs.version }} | |
| format: sarif | |
| output: trivy-${{ matrix.image }}.sarif | |
| severity: CRITICAL,HIGH | |
| scanners: ${{ steps.trivy_cfg.outputs.scanners }} | |
| timeout: ${{ steps.trivy_cfg.outputs.timeout }} | |
| limit-severities-for-sarif: true | |
| ignore-unfixed: true | |
| ignore-policy: docker/${{ matrix.image }}/.trivy-ignore-policy.rego | |
| trivyignores: docker/${{ matrix.image }}/.trivyignore | |
| - name: Upload Trivy SARIF | |
| if: always() | |
| uses: github/codeql-action/upload-sarif@v4 | |
| with: | |
| sarif_file: trivy-${{ matrix.image }}.sarif | |
| category: trivy-${{ matrix.image }} | |
| # --------------------------------------------------------------------------- | |
| # 3c) PR builds: amd64-only, no push, Trivy-scan locally loaded image. | |
| # arm64 is intentionally skipped on PRs (multi-arch publish only happens | |
| # on push to main). Keeps PR feedback fast. | |
| # --------------------------------------------------------------------------- | |
| pr-build-scan: | |
| needs: detect-changes | |
| if: >- | |
| needs.detect-changes.outputs.any == 'true' | |
| && github.event_name == 'pull_request' | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| security-events: write | |
| actions: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| image: ${{ fromJSON(needs.detect-changes.outputs.images) }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Free disk space on runner | |
| run: | | |
| sudo rm -rf /usr/share/dotnet /usr/local/lib/android /opt/ghc \ | |
| /usr/local/share/boost /opt/hostedtoolcache/CodeQL \ | |
| /usr/local/lib/heroku /usr/local/share/powershell \ | |
| /usr/local/share/chromium /usr/local/share/swift || true | |
| sudo docker image prune -af || true | |
| df -h / | |
| - name: Stage LICENSE into image build context | |
| run: cp LICENSE docker/${{ matrix.image }}/LICENSE | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build single-arch local image for PR scan | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: docker/${{ matrix.image }} | |
| platforms: linux/amd64 | |
| push: false | |
| load: true | |
| tags: ${{ matrix.image }}:scan | |
| # Share cache with the amd64 leg of the on-push build for free | |
| # warm-cache hits when the PR merges. | |
| cache-from: type=gha,scope=${{ matrix.image }}-amd64 | |
| - name: Pick Trivy scan profile by image size | |
| id: trivy_cfg | |
| env: | |
| IMAGE_REF: ${{ matrix.image }}:scan | |
| run: bash scripts/ci-trivy-profile.sh | |
| - name: Trivy scan (table; fails build on HIGH/CRITICAL) | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: ${{ matrix.image }}:scan | |
| format: table | |
| severity: CRITICAL,HIGH | |
| scanners: ${{ steps.trivy_cfg.outputs.scanners }} | |
| timeout: ${{ steps.trivy_cfg.outputs.timeout }} | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| ignore-policy: docker/${{ matrix.image }}/.trivy-ignore-policy.rego | |
| trivyignores: docker/${{ matrix.image }}/.trivyignore | |
| - name: Trivy scan (SARIF for Security tab) | |
| if: always() | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: ${{ matrix.image }}:scan | |
| format: sarif | |
| output: trivy-${{ matrix.image }}.sarif | |
| severity: CRITICAL,HIGH | |
| scanners: ${{ steps.trivy_cfg.outputs.scanners }} | |
| timeout: ${{ steps.trivy_cfg.outputs.timeout }} | |
| limit-severities-for-sarif: true | |
| ignore-unfixed: true | |
| ignore-policy: docker/${{ matrix.image }}/.trivy-ignore-policy.rego | |
| trivyignores: docker/${{ matrix.image }}/.trivyignore | |
| - name: Upload Trivy SARIF | |
| if: always() && github.event.pull_request.head.repo.full_name == github.repository | |
| uses: github/codeql-action/upload-sarif@v4 | |
| with: | |
| sarif_file: trivy-${{ matrix.image }}.sarif | |
| category: trivy-${{ matrix.image }} | |
| # --------------------------------------------------------------------------- | |
| # 4) Scheduled / manual rescan of :latest for every image. | |
| # --------------------------------------------------------------------------- | |
| rescan-latest: | |
| needs: detect-changes | |
| if: >- | |
| needs.detect-changes.outputs.any == 'true' | |
| && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: read | |
| security-events: write | |
| actions: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| image: ${{ fromJSON(needs.detect-changes.outputs.images) }} | |
| steps: | |
| - name: Checkout (for trivy configs) | |
| uses: actions/checkout@v4 | |
| - name: Log in to GHCR | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.GHCR_REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Compute image ref | |
| id: refs | |
| run: | | |
| owner_repo_lc="$(echo '${{ github.repository }}' | tr '[:upper:]' '[:lower:]')" | |
| echo "ref=${{ env.GHCR_REGISTRY }}/${owner_repo_lc}/${{ matrix.image }}:latest" >> "$GITHUB_OUTPUT" | |
| - name: Pull latest | |
| run: docker pull ${{ steps.refs.outputs.ref }} | |
| - name: Pick Trivy scan profile by image size | |
| id: trivy_cfg | |
| env: | |
| IMAGE_REF: ${{ steps.refs.outputs.ref }} | |
| run: bash scripts/ci-trivy-profile.sh | |
| - name: Trivy scan (table) | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: ${{ steps.refs.outputs.ref }} | |
| format: table | |
| severity: CRITICAL,HIGH | |
| scanners: ${{ steps.trivy_cfg.outputs.scanners }} | |
| timeout: ${{ steps.trivy_cfg.outputs.timeout }} | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| ignore-policy: docker/${{ matrix.image }}/.trivy-ignore-policy.rego | |
| trivyignores: docker/${{ matrix.image }}/.trivyignore | |
| - name: Trivy scan (SARIF) | |
| if: always() | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: ${{ steps.refs.outputs.ref }} | |
| format: sarif | |
| output: trivy-${{ matrix.image }}.sarif | |
| severity: CRITICAL,HIGH | |
| scanners: ${{ steps.trivy_cfg.outputs.scanners }} | |
| timeout: ${{ steps.trivy_cfg.outputs.timeout }} | |
| limit-severities-for-sarif: true | |
| ignore-unfixed: true | |
| ignore-policy: docker/${{ matrix.image }}/.trivy-ignore-policy.rego | |
| trivyignores: docker/${{ matrix.image }}/.trivyignore | |
| - name: Upload Trivy SARIF | |
| if: always() | |
| uses: github/codeql-action/upload-sarif@v4 | |
| with: | |
| sarif_file: trivy-${{ matrix.image }}.sarif | |
| category: trivy-${{ matrix.image }} |