From e2beec2587f9fa5345d911bbaf5307b87f9aea91 Mon Sep 17 00:00:00 2001
From: Vitalii Popov
Date: Fri, 6 Feb 2026 18:10:14 +0100
Subject: [PATCH 1/3] Add explicit Trivy DB update with status logging
Print DB version before and after update to diagnose stale DB issues causing missed CVEs.
Co-Authored-By: Claude Opus 4.6
---
 actions/docker/scan-docker-repo/scan-images.sh | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/actions/docker/scan-docker-repo/scan-images.sh b/actions/docker/scan-docker-repo/scan-images.sh
index 5f3de9f0..0b0a5e1c 100755
--- a/actions/docker/scan-docker-repo/scan-images.sh
+++ b/actions/docker/scan-docker-repo/scan-images.sh
@@ -93,6 +93,15 @@ scan_image() {
 #
 # Script body
 #
+log "Trivy DB status before update:"
+"${TRIVY_BIN}" db status >&2 || true
+
+log "Updating Trivy DB..."
+"${TRIVY_BIN}" db update >&2
+
+log "Trivy DB status after update:"
+"${TRIVY_BIN}" db status >&2 || true
+
 if [ -n "${REPORT_FILE}" ]; then
 log "Report file: ${REPORT_FILE}"
 printf "" > "${REPORT_FILE}"
From 7e575148ef0ebea9a531b8ac738c5e0e2618b996 Mon Sep 17 00:00:00 2001
From: Vitalii Popov
Date: Thu, 12 Mar 2026 18:27:03 +0100
Subject: [PATCH 2/3] Adds GitHub Action to mirror a directory to a target repo
---
 actions/git/mirror-directory/action.yaml | 76 ++++++++++++++++++++++++
 1 file changed, 76 insertions(+)
 create mode 100644 actions/git/mirror-directory/action.yaml
diff --git a/actions/git/mirror-directory/action.yaml b/actions/git/mirror-directory/action.yaml
new file mode 100644
index 00000000..42ad4100
--- /dev/null
+++ b/actions/git/mirror-directory/action.yaml
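Review bot: `"${TRIVY_BIN}" db update >&2` is the one new command whose failure matters, yet its exit status is left to whatever shell options the script sets above the hunk; if the script body does not run under `set -e`, a failed DB download is silently ignored and the scan proceeds on exactly the stale DB this commit is trying to diagnose. Making the fail-closed intent explicit removes that dependence on options outside the hunk: `"${TRIVY_BIN}" db update >&2 || { log "Trivy DB update failed; refusing to scan with a stale DB"; exit 1; }`. The two `db status` calls are rightly best-effort with `|| true`, since they are diagnostics only. Note also that patch 3/3 of this series removes these nine lines again verbatim while its subject mentions only target branches; if the diagnostic was meant to be temporary it would be cleaner to drop this patch from the series, otherwise the revert belongs in its own commit with its own rationale.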
@@ -0,0 +1,76 @@
+name: Mirror Directory
+author: 'MiLaboratories'
+description: |
+ Mirror a subdirectory to a target repository.
+ Clones the target, replaces all files with source directory contents,
+ commits and pushes. Syncs tags when triggered by a tag push.
+
+inputs:
+ source-directory:
+ description: |
+ Subdirectory to mirror to the target repository.
+ required: true
+ target-repository:
+ description: |
+ Target repository in org/repo format (e.g. milaboratory/platforma-helm).
+ required: true
+ github-token:
+ description: |
+ Token with push access to the target repository.
+ required: true
+ target-branch:
+ description: |
+ Branch to push to in the target repository.
+ required: false
+ default: 'main'
+
+runs:
+ using: "composite"
+ steps:
+ - name: Clone target repository
+ shell: bash
+ env:
+ TARGET_REPO: https://x-access-token:${{ inputs.github-token }}@github.com/${{ inputs.target-repository }}.git
+ TARGET_BRANCH: ${{ inputs.target-branch }}
+ run: |
+ git clone --depth=1 --branch="${TARGET_BRANCH}" "${TARGET_REPO}" /tmp/_mirror-target
+
+ - name: Sync files
+ shell: bash
+ env:
+ SOURCE_DIR: ${{ inputs.source-directory }}
+ run: |
+ # Remove old files in target (except .git)
+ find /tmp/_mirror-target -mindepth 1 -maxdepth 1 ! -name '.git' -exec rm -rf {} +
+ # Copy source directory contents to target
+ cp -a "${SOURCE_DIR}/." /tmp/_mirror-target/
+
+ - name: Commit and push
+ shell: bash
+ working-directory: /tmp/_mirror-target
+ run: |
+ git config user.name "github-actions[bot]"
+ git config user.email "github-actions[bot]@users.noreply.github.com"
+ git add -A
+ if git diff --cached --quiet; then
+ echo "No changes to sync"
+ exit 0
+ fi
+ COMMIT_MSG="sync: $(git -C "${GITHUB_WORKSPACE}" log -1 --format='%s')"
+ git commit -m "${COMMIT_MSG}"
+ git push origin "${{ inputs.target-branch }}"
+
+ - name: Sync tag
+ if: startsWith(github.ref, 'refs/tags/')
+ shell: bash
+ working-directory: /tmp/_mirror-target
+ run: |
+ TAG="${GITHUB_REF#refs/tags/}"
+ git tag -f "${TAG}"
+ git push origin "${TAG}" --force
+
+ - name: Cleanup
+ if: always()
+ shell: bash
+ run: |
+ rm -rf /tmp/_mirror-target
From e7eff3c4fb055f7f15a0784804bc7112269c6ea5 Mon Sep 17 00:00:00 2001
From: Vitalii Popov
Date: Thu, 12 Mar 2026 18:47:41 +0100
Subject: [PATCH 3/3] Allows mirroring to new target branches
---
 actions/docker/scan-docker-repo/scan-images.sh | 9 ---------
 actions/git/mirror-directory/action.yaml | 7 ++++++-
 2 files changed, 6 insertions(+), 10 deletions(-)
diff --git a/actions/docker/scan-docker-repo/scan-images.sh b/actions/docker/scan-docker-repo/scan-images.sh
index 0b0a5e1c..5f3de9f0 100755
--- a/actions/docker/scan-docker-repo/scan-images.sh
+++ b/actions/docker/scan-docker-repo/scan-images.sh
@@ -93,15 +93,6 @@ scan_image() {
 #
 # Script body
 #
-log "Trivy DB status before update:"
-"${TRIVY_BIN}" db status >&2 || true
-
-log "Updating Trivy DB..."
-"${TRIVY_BIN}" db update >&2
-
-log "Trivy DB status after update:"
-"${TRIVY_BIN}" db status >&2 || true
-
 if [ -n "${REPORT_FILE}" ]; then
 log "Report file: ${REPORT_FILE}"
 printf "" > "${REPORT_FILE}"
diff --git a/actions/git/mirror-directory/action.yaml b/actions/git/mirror-directory/action.yaml
index 42ad4100..fd2cbda3 100644
--- a/actions/git/mirror-directory/action.yaml
+++ b/actions/git/mirror-directory/action.yaml
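Review bot: In the "Commit and push" step, `git push origin "${{ inputs.target-branch }}"` interpolates the action input straight into the shell script, whereas the clone step already routes the same value through the `TARGET_BRANCH` environment variable; an input value containing shell metacharacters would run as code in that step. Use the same pattern there: give the step `env:` with `TARGET_BRANCH: ${{ inputs.target-branch }}` and write `git push origin "${TARGET_BRANCH}"`. The "Sync files" step empties /tmp/_mirror-target and only then runs `cp -a "${SOURCE_DIR}/." /tmp/_mirror-target/`; with an empty `source-directory` that copies from `/.`, and with a wrong one it fails after the target tree is already gone, so a guard before the `find` such as `[ -d "${SOURCE_DIR}" ] || { echo "source-directory '${SOURCE_DIR}' not found" >&2; exit 1; }` is worthwhile (`required: true` appears to reject only an absent input, not an empty string; please confirm). Embedding the token in `TARGET_REPO` also stores it in the clone's `.git/config` as the origin URL until the Cleanup step runs and can surface in git's diagnostics on a failed clone; checking the target out via `actions/checkout` with `repository`, `ref`, `token` and `path`, or supplying the credential out-of-band, would keep the URL free of the secret.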
@@ -33,7 +33,12 @@ runs:
 TARGET_REPO: https://x-access-token:${{ inputs.github-token }}@github.com/${{ inputs.target-repository }}.git
 TARGET_BRANCH: ${{ inputs.target-branch }}
 run: |
- git clone --depth=1 --branch="${TARGET_BRANCH}" "${TARGET_REPO}" /tmp/_mirror-target
+ if git ls-remote --heads "${TARGET_REPO}" "${TARGET_BRANCH}" | grep -q "${TARGET_BRANCH}"; then
+ git clone --depth=1 --branch="${TARGET_BRANCH}" "${TARGET_REPO}" /tmp/_mirror-target
+ else
+ git clone --depth=1 "${TARGET_REPO}" /tmp/_mirror-target
+ git -C /tmp/_mirror-target checkout -b "${TARGET_BRANCH}"
+ fi

 - name: Sync files
 shell: bash
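Review bot: The new condition `git ls-remote --heads "${TARGET_REPO}" "${TARGET_BRANCH}" | grep -q "${TARGET_BRANCH}"` is a tail match followed by a substring grep, not an exact existence check: a target repository that has `feature/main` but no `main` makes ls-remote list the former, `grep -q main` accepts it, and the `--branch` clone in the then-branch then fails instead of taking the create-branch path. `if git ls-remote --exit-code --heads "${TARGET_REPO}" "refs/heads/${TARGET_BRANCH}" >/dev/null; then` matches the full ref name and returns non-zero when it is absent, so the `grep` can go. On the else path the new branch is started from the target's default branch, which is worth a comment on the `else` line since the commit message does not state it. The "Commit and push" step that follows lies outside this hunk; as written there it exits before pushing when `git diff --cached --quiet` succeeds, so a new branch whose content equals the default branch would never be created remotely; please confirm that is acceptable.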