chore: comment on deployment steps

* ci: replace peter-evans/create-pull-request with gh CLI

* chore: use ID+USERNAME pattern for GH actions bot

* chore: add specific files to git index

* chore: merge check outputs into create PR step

.github/workflows/bump-trivy.yaml

@@ -12,9 +12,9 @@ run-name: Bump trivy to v${{ inputs.trivy_version }}
 
 jobs:
   bump:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-2404-2core
     permissions:
-      contents: read
+      contents: read # for actions/checkout
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
@@ -30,11 +30,7 @@ jobs:
         uses: bats-core/bats-action@42fcc8700f773c075a16a90eb11674c0318ad507 # 3.0.1
 
       - name: Install Trivy
-        env:
-          TRIVY_VERSION: ${{ inputs.trivy_version }}
-        run: |
-          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin "v${TRIVY_VERSION}"
-          trivy --version
+        run: make ensure-trivy TRIVY_INSTALL_DIR=/usr/local/bin
 
       - name: Update golden files
         env:
@@ -46,23 +42,26 @@ jobs:
           BATS_LIB_PATH: ${{ steps.setup-bats.outputs.lib-path }}
         run: make test
 
-      - name: Create PR
-        id: create-pr
-        uses: peter-evans/create-pull-request@4e1beaa7521e8b457b572c090b25bd3db56bf1c5 # v5
-        with:
-          token: ${{ secrets.ORG_REPO_TOKEN }}
-          title: "chore(deps): Update trivy to v${{ inputs.trivy_version }}"
-          commit-message: "chore(deps): Update trivy to v${{ inputs.trivy_version }}"
-          committer: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
-          author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
-          branch-suffix: timestamp
-          branch: bump-trivy
-          delete-branch: true
-
-      - name: Check outputs
-        env:
-          PR_NUMBER: ${{ steps.create-pr.outputs.pull-request-number }}
-          PR_URL: ${{ steps.create-pr.outputs.pull-request-url }}
-        run: |
-          echo "Pull Request Number - ${PR_NUMBER}"
-          echo "Pull Request URL - ${PR_URL}"
+      # - name: Create PR
+      #   env:
+      #     GH_TOKEN: ${{ secrets.TRIVY_ACTION_DEPLOY_TOKEN }}
+      #     TRIVY_VERSION: ${{ inputs.trivy_version }}
+      #     REPO: ${{ github.repository }}
+      #     BASE_BRANCH: ${{ github.event.repository.default_branch }}
+      #   run: |
+      #     gh auth setup-git
+      #     git config user.name "github-actions[bot]"
+      #     git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+      #     BRANCH="bump-trivy-${TRIVY_VERSION}"
+      #     git checkout -b "${BRANCH}"
+      #     git add action.yaml README.md test/
+      #     git commit -m "chore(deps): Update trivy to v${TRIVY_VERSION}"
+      #     git push origin "${BRANCH}"
+      #     PR_RESPONSE=$(gh api repos/${REPO}/pulls \
+      #       --method POST \
+      #       --field title="chore(deps): Update trivy to v${TRIVY_VERSION}" \
+      #       --field body="This PR was automatically generated by the bump-trivy workflow." \
+      #       --field base="${BASE_BRANCH}" \
+      #       --field head="${BRANCH}")
+      #     echo "Pull Request Number - $(echo "${PR_RESPONSE}" | jq -r '.number')"
+      #     echo "Pull Request URL - $(echo "${PR_RESPONSE}" | jq -r '.html_url')"

.github/workflows/test.yaml

@@ -6,7 +6,6 @@ on:
   workflow_dispatch:
 
 env:
-  TRIVY_VERSION: 0.69.3
   BATS_LIB_PATH: '/usr/lib/'
 
 jobs:
@@ -38,9 +37,7 @@ jobs:
         uses: bats-core/bats-action@42fcc8700f773c075a16a90eb11674c0318ad507 # 3.0.1
 
       - name: Install Trivy
-        run: |
-          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ env.TRIVY_VERSION }}
-          trivy --version
+        run: make ensure-trivy TRIVY_INSTALL_DIR=/usr/local/bin
 
       - name: Test
         env:

Makefile

@@ -9,7 +9,8 @@ else
 endif
 
 LOCAL_BIN := $(CURDIR)/.bin
-LOCAL_TRIVY := $(LOCAL_BIN)/trivy
+TRIVY_INSTALL_DIR ?= $(LOCAL_BIN)
+LOCAL_TRIVY := $(TRIVY_INSTALL_DIR)/trivy
 
 ifeq ($(shell [ -f $(LOCAL_TRIVY) ] && [ -z "$(CI)" ] && echo yes),yes)
 TRIVY_CMD := $(LOCAL_TRIVY)
@@ -19,8 +20,9 @@ endif
 
 CACHE_DIR := '.cache'
 
-TRIVY_VERSION_FILE := .github/workflows/test.yaml
-CURRENT_TRIVY_VERSION := $(shell awk '/TRIVY_VERSION:/ {print $$2}' $(TRIVY_VERSION_FILE))
+ACTION_FILE := action.yaml
+
+CURRENT_TRIVY_VERSION := $(shell yq '.inputs.version.default' $(ACTION_FILE) 2>/dev/null | tr -d 'v')
 
 BATS_ENV := BATS_LIB_PATH=$(BATS_LIB_PATH) \
 	GITHUB_REPOSITORY_OWNER=aquasecurity \
@@ -41,17 +43,21 @@ update-golden:
 clean-cache:
 	$(TRIVY_CMD) clean --scan-cache --cache-dir $(CACHE_DIR)
 
-bump-trivy:
+.PHONY: check-yq
+check-yq:
+	@command -v yq >/dev/null 2>&1 || (echo "yq is required but not installed. Install it from https://github.com/mikefarah/yq"; exit 1)
+
+bump-trivy: check-yq
 	@[ $$NEW_VERSION ] || ( echo "env 'NEW_VERSION' is not set"; exit 1 )
 	@echo Current version: $(CURRENT_TRIVY_VERSION) ;\
 	echo New version: $$NEW_VERSION ;\
 	$(SED) -i -e "s/$(CURRENT_TRIVY_VERSION)/$$NEW_VERSION/g" \
-		README.md action.yaml $(TRIVY_VERSION_FILE)
+		README.md $(ACTION_FILE)
 
 .PHONY: ensure-trivy
-ensure-trivy:
+ensure-trivy: check-yq
 	@set -e; \
-	mkdir -p $(LOCAL_BIN); \
+	mkdir -p $(TRIVY_INSTALL_DIR); \
 	if [ -x $(LOCAL_TRIVY) ]; then \
 		CURRENT_VERSION="$$( $(LOCAL_TRIVY) version -f json | jq -r '.Version' )"; \
 	else \
@@ -62,7 +68,7 @@ ensure-trivy:
 	if [ "$$CURRENT_VERSION" != "$(CURRENT_TRIVY_VERSION)" ]; then \
 		echo "Installing Trivy $(CURRENT_TRIVY_VERSION) locally..."; \
 		curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | \
-		sh -s -- -b $(LOCAL_BIN) v$(CURRENT_TRIVY_VERSION); \
+		sh -s -- -b $(TRIVY_INSTALL_DIR) v$(CURRENT_TRIVY_VERSION); \
 	else \
 		echo "Trivy $(CURRENT_TRIVY_VERSION) already present."; \
-	fi
+	fi