aquasecurity/trivy-action
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy-action.git synced 2026-05-14 03:02:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

ci: use action.yaml as single source of truth for Trivy version (#552)

Browse Source 
* ci: use action.yaml as single source of truth for Trivy version

* dev: add yq check and configurable Trivy install directory
This commit is contained in:
Nikita Pivkin
2026-04-10 17:29:15 +06:00
committed by GitHub
parent 34f2b232c5
commit f685ba7215
3 changed files with 17 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/bump-trivy.yaml
+1 -5
View File
@@ -30,11 +30,7 @@ jobs:
uses: bats-core/bats-action@42fcc8700f773c075a16a90eb11674c0318ad507 # 3.0.1 uses: bats-core/bats-action@42fcc8700f773c075a16a90eb11674c0318ad507 # 3.0.1
- name: Install Trivy - name: Install Trivy
env: run: make ensure-trivy TRIVY_INSTALL_DIR=/usr/local/bin
TRIVY_VERSION: ${{ inputs.trivy_version }}
run: |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin "v${TRIVY_VERSION}"
trivy --version
- name: Update golden files - name: Update golden files
env: env:
.github/workflows/test.yaml
+1 -4
View File
@@ -6,7 +6,6 @@ on:
workflow_dispatch: workflow_dispatch:
env: env:
TRIVY_VERSION: 0.69.3
BATS_LIB_PATH: '/usr/lib/' BATS_LIB_PATH: '/usr/lib/'
jobs: jobs:
@@ -38,9 +37,7 @@ jobs:
uses: bats-core/bats-action@42fcc8700f773c075a16a90eb11674c0318ad507 # 3.0.1 uses: bats-core/bats-action@42fcc8700f773c075a16a90eb11674c0318ad507 # 3.0.1
- name: Install Trivy - name: Install Trivy
run: | run: make ensure-trivy TRIVY_INSTALL_DIR=/usr/local/bin
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ env.TRIVY_VERSION }}
trivy --version
- name: Test - name: Test
env: env:
Makefile
+15 -9
View File
@@ -9,7 +9,8 @@ else
endif endif
LOCAL_BIN := $(CURDIR)/.bin LOCAL_BIN := $(CURDIR)/.bin
LOCAL_TRIVY := $(LOCAL_BIN)/trivy TRIVY_INSTALL_DIR ?= $(LOCAL_BIN)
LOCAL_TRIVY := $(TRIVY_INSTALL_DIR)/trivy
ifeq ($(shell [ -f $(LOCAL_TRIVY) ] && [ -z "$(CI)" ] && echo yes),yes) ifeq ($(shell [ -f $(LOCAL_TRIVY) ] && [ -z "$(CI)" ] && echo yes),yes)
TRIVY_CMD := $(LOCAL_TRIVY) TRIVY_CMD := $(LOCAL_TRIVY)
@@ -19,8 +20,9 @@ endif
CACHE_DIR := '.cache' CACHE_DIR := '.cache'
TRIVY_VERSION_FILE := .github/workflows/test.yaml ACTION_FILE := action.yaml
CURRENT_TRIVY_VERSION := $(shell awk '/TRIVY_VERSION:/ {print $$2}' $(TRIVY_VERSION_FILE))
CURRENT_TRIVY_VERSION := $(shell yq '.inputs.version.default' $(ACTION_FILE) 2>/dev/null | tr -d 'v')
BATS_ENV := BATS_LIB_PATH=$(BATS_LIB_PATH) \ BATS_ENV := BATS_LIB_PATH=$(BATS_LIB_PATH) \
GITHUB_REPOSITORY_OWNER=aquasecurity \ GITHUB_REPOSITORY_OWNER=aquasecurity \
@@ -41,17 +43,21 @@ update-golden:
clean-cache: clean-cache:
$(TRIVY_CMD) clean --scan-cache --cache-dir $(CACHE_DIR) $(TRIVY_CMD) clean --scan-cache --cache-dir $(CACHE_DIR)
bump-trivy: .PHONY: check-yq
check-yq:
@command -v yq >/dev/null 2>&1 || (echo "yq is required but not installed. Install it from https://github.com/mikefarah/yq"; exit 1)
bump-trivy: check-yq
@[ $$NEW_VERSION ] || ( echo "env 'NEW_VERSION' is not set"; exit 1 ) @[ $$NEW_VERSION ] || ( echo "env 'NEW_VERSION' is not set"; exit 1 )
@echo Current version: $(CURRENT_TRIVY_VERSION) ;\ @echo Current version: $(CURRENT_TRIVY_VERSION) ;\
echo New version: $$NEW_VERSION ;\ echo New version: $$NEW_VERSION ;\
$(SED) -i -e "s/$(CURRENT_TRIVY_VERSION)/$$NEW_VERSION/g" \ $(SED) -i -e "s/$(CURRENT_TRIVY_VERSION)/$$NEW_VERSION/g" \
README.md action.yaml $(TRIVY_VERSION_FILE) README.md $(ACTION_FILE)
.PHONY: ensure-trivy .PHONY: ensure-trivy
ensure-trivy: ensure-trivy: check-yq
@set -e; \ @set -e; \
mkdir -p $(LOCAL_BIN); \ mkdir -p $(TRIVY_INSTALL_DIR); \
if [ -x $(LOCAL_TRIVY) ]; then \ if [ -x $(LOCAL_TRIVY) ]; then \
CURRENT_VERSION="$$( $(LOCAL_TRIVY) version -f json | jq -r '.Version' )"; \ CURRENT_VERSION="$$( $(LOCAL_TRIVY) version -f json | jq -r '.Version' )"; \
else \ else \
@@ -62,7 +68,7 @@ ensure-trivy:
if [ "$$CURRENT_VERSION" != "$(CURRENT_TRIVY_VERSION)" ]; then \ if [ "$$CURRENT_VERSION" != "$(CURRENT_TRIVY_VERSION)" ]; then \
echo "Installing Trivy $(CURRENT_TRIVY_VERSION) locally..."; \ echo "Installing Trivy $(CURRENT_TRIVY_VERSION) locally..."; \
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | \ curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | \
sh -s -- -b $(LOCAL_BIN) v$(CURRENT_TRIVY_VERSION); \ sh -s -- -b $(TRIVY_INSTALL_DIR) v$(CURRENT_TRIVY_VERSION); \
else \ else \
echo "Trivy $(CURRENT_TRIVY_VERSION) already present."; \ echo "Trivy $(CURRENT_TRIVY_VERSION) already present."; \
fi fi