mirror of
https://github.com/aquasecurity/trivy-action.git
synced 2026-05-14 03:02:40 +00:00
DmitriyLewen
e368e32897
* ci: add zizmor security linter for GitHub Actions * ci: disable advanced-security for zizmor * ci: pin all actions to commit hashes * ci: fix zizmor linter errors in workflows - Add explicit permissions blocks to all workflows - Set persist-credentials: false for checkout actions - Fix template injection by using env variables in run blocks * fix: address zizmor template injection warnings in action.yaml - Move inputs to env block to prevent template injection - Add ignore comment for github-env false positive * ci: fix remaining zizmor linter errors - Add permissions and persist-credentials to test.yaml - Fix ignore comment placement for github-env in action.yaml
69 lines
2.2 KiB
YAML
69 lines
2.2 KiB
YAML
name: Bump trivy
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
trivy_version:
|
|
required: true
|
|
type: string
|
|
description: 'The Trivy version in x.x.x format'
|
|
|
|
run-name: Bump trivy to v${{ inputs.trivy_version }}
|
|
|
|
jobs:
|
|
bump:
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: read
|
|
steps:
|
|
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Update Trivy versions
|
|
env:
|
|
NEW_VERSION: ${{ inputs.trivy_version }}
|
|
run: make bump-trivy
|
|
|
|
- name: Setup Bats and bats libs
|
|
id: setup-bats
|
|
uses: bats-core/bats-action@42fcc8700f773c075a16a90eb11674c0318ad507 # 3.0.1
|
|
|
|
- name: Install Trivy
|
|
env:
|
|
TRIVY_VERSION: ${{ inputs.trivy_version }}
|
|
run: |
|
|
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin "v${TRIVY_VERSION}"
|
|
trivy --version
|
|
|
|
- name: Update golden files
|
|
env:
|
|
BATS_LIB_PATH: ${{ steps.setup-bats.outputs.lib-path }}
|
|
run: make update-golden
|
|
|
|
- name: Run tests
|
|
env:
|
|
BATS_LIB_PATH: ${{ steps.setup-bats.outputs.lib-path }}
|
|
run: make test
|
|
|
|
- name: Create PR
|
|
id: create-pr
|
|
uses: peter-evans/create-pull-request@4e1beaa7521e8b457b572c090b25bd3db56bf1c5 # v5
|
|
with:
|
|
token: ${{ secrets.ORG_REPO_TOKEN }}
|
|
title: "chore(deps): Update trivy to v${{ inputs.trivy_version }}"
|
|
commit-message: "chore(deps): Update trivy to v${{ inputs.trivy_version }}"
|
|
committer: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
|
|
author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
|
|
branch-suffix: timestamp
|
|
branch: bump-trivy
|
|
delete-branch: true
|
|
|
|
- name: Check outputs
|
|
env:
|
|
PR_NUMBER: ${{ steps.create-pr.outputs.pull-request-number }}
|
|
PR_URL: ${{ steps.create-pr.outputs.pull-request-url }}
|
|
run: |
|
|
echo "Pull Request Number - ${PR_NUMBER}"
|
|
echo "Pull Request URL - ${PR_URL}"
|