From c66799afb9fb94e39b554f29c4632c93a3b1d36c Mon Sep 17 00:00:00 2001 From: Chris Bandy Date: Tue, 24 Sep 2024 19:20:00 -0500 Subject: [PATCH 1/2] Add CodeQL analysis to pull request checks The action has worked reliably for a long time. --- .github/workflows/codeql-analysis.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml index a310f3eeed..4697a8b0aa 100644 --- a/.github/workflows/codeql-analysis.yaml +++ b/.github/workflows/codeql-analysis.yaml @@ -1,6 +1,9 @@ name: CodeQL on: + pull_request: + branches: + - master push: branches: - master @@ -9,7 +12,6 @@ on: jobs: analyze: - name: Analyze runs-on: ubuntu-latest permissions: actions: read From ce7056ebd96e36e2a64df802fd2ebc014e291e66 Mon Sep 17 00:00:00 2001 From: Chris Bandy Date: Tue, 24 Sep 2024 19:32:36 -0500 Subject: [PATCH 2/2] Avoid rate limiting on Trivy actions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The GitHub Packages registry has been responding with errors: TOOMANYREQUESTS: retry-after: 172.466µs, allowed: 44000/minute --- .github/workflows/trivy.yaml | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index 9d165022ed..e10eed3aae 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml 
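Review bot: The new `pull_request` trigger runs the `analyze` job with the `permissions:` block that continues outside the hunk (only `actions: read` is visible); confirm it also grants `security-events: write` and `contents: read`, since PR runs now need to upload results with that token, and check how the action behaves for pull requests from forks, where the token is read-only regardless of what the block declares. Using `pull_request` rather than `pull_request_target` is the right choice here, as the workflow then checks out untrusted PR code without a privileged token. The commit message only mentions the trigger, but the second hunk also drops `name: Analyze`, so the check name seen by branch protection changes from `Analyze` to `analyze`; any required-status-check rule that references the old display name must be updated or the new PR check will never satisfy it.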
@@ -19,13 +19,27 @@ jobs: with: { go-version: stable } - run: go mod download + # Login to the GitHub Packages registry to avoid rate limiting. + # - https://aquasecurity.github.io/trivy/v0.55/docs/references/troubleshooting/#github-rate-limiting + # - https://github.com/aquasecurity/trivy/issues/7580 + # - https://github.com/aquasecurity/trivy-action/issues/389 + # - https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry + # - https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions + - name: Login to GitHub Packages + run: > + docker login ghcr.io + --username '${{ github.actor }}' + --password-stdin <<< '${{ secrets.GITHUB_TOKEN }}' + # Report success only when detected licenses are listed in [/trivy.yaml]. # The "aquasecurity/trivy-action" action cannot access the Go module cache, # so run Trivy from an image with the cache and local configuration mounted. # - https://github.com/aquasecurity/trivy-action/issues/219 # - https://github.com/aquasecurity/trivy/pkgs/container/trivy - - run: > + - name: Scan licenses + run: > docker run + --env 'DOCKER_CONFIG=/docker' --volume "${HOME}/.docker:/docker" --env 'GOPATH=/go' --volume "$(go env GOPATH):/go" --workdir '/mnt' --volume "$(pwd):/mnt" 'ghcr.io/aquasecurity/trivy:latest'
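Review bot: The login step writes the `GITHUB_TOKEN` into `${HOME}/.docker/config.json`, and the scan step then mounts that directory into an unpinned `ghcr.io/aquasecurity/trivy:latest` container and points it there via the new `DOCKER_CONFIG=/docker`, so whatever that mutable tag resolves to on a given day receives a credential that on `push` runs may be a writable repository token. Mount it read-only, `--volume "${HOME}/.docker:/docker:ro"`, pin the image to a digest (`trivy:<version>@sha256:…`) or at least a fixed version, and make sure the job's `permissions:` (outside the hunk) is limited to `contents: read` so the token is worth little if the container is ever compromised. Passing the secret through `env:` instead of templating it into the `run:` script is the safer Actions convention, e.g. `env: { GH_USER: '${{ github.actor }}', GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}' }` and `docker login ghcr.io --username "$GH_USER" --password-stdin <<< "$GH_TOKEN"`. The linked Trivy troubleshooting page also describes pointing the scanner at a mirror of its database (`TRIVY_DB_REPOSITORY`); if that applies to the license scan, it would avoid handing the container any credential at all.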