ci: Fix Trivy workflow (#31)

tprasadtp · Mar 26, 2021 · 91e23cd · 91e23cd
1 parent 1c25946
commit 91e23cd
Show file tree

Hide file tree

Showing 8 changed files with 33 additions and 20 deletions.
diff --git a/.chglog/config.yml b/.chglog/config.yml
@@ -67,6 +67,3 @@ options:
     pattern: "^Revert \"([\\s\\S]*)\"$"
     pattern_maps:
       - Header
-
-# diana:{diana_version}:{remote}:{source}:{version}:{remote_path}:{type}
-# diana:0.2.7:github:tprasadtp/templates::chglog/config.yml:static
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -64,24 +64,24 @@ jobs:
           make changelog
           cat CHANGELOG.md
 
-      - name: Build snapshot 
+      - name: Build snapshot
         run: make snapshot
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.0.12
+        id: trivy
+        uses: aquasecurity/trivy-action@0.0.13
         with:
           scan-type: 'image'
           vuln-type: os
           severity: HIGH,CRITICAL
-          exit-code: 1
           ignore-unfixed: true
           image-ref: 'ghcr.io/tprasadtp/protonvpn:${{ github.sha }}-amd64'
           format: 'template'
           template: '@/contrib/sarif.tpl'
           output: 'trivy-results.sarif'
 
       - name: Upload Trivy scan results to GitHub Security tab
-        if: always()
+        if: github.ref == 'refs/heads/master'
         uses: github/codeql-action/upload-sarif@v1
         with:
-          sarif_file: 'trivy-results.sarif'
+          sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -73,8 +73,8 @@ jobs:
         uses: docker/login-action@v1
         with:
           registry: ghcr.io
-          username: valarie-ci-bot
-          password: ${{ secrets.GH_TOKEN }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Run GoReleaser
         run: make release-prod

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -1,5 +1,6 @@
 name: security
 on:
+  workflow_dispatch:
   schedule:
     # Every Friday at 2100
     - cron:  "0 21 * * FRI"
@@ -8,20 +9,20 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.0.12
+        id: trivy
+        uses: aquasecurity/trivy-action@0.0.13
         with:
           scan-type: 'image'
           vuln-type: os
           severity: HIGH,CRITICAL
-          exit-code: 1
           ignore-unfixed: true
-          image-ref: 'ghcr.io/tprasadtp/protonvpn:latest-amd64'
+          image-ref: 'ghcr.io/tprasadtp/protonvpn:latest'
           format: 'template'
           template: '@/contrib/sarif.tpl'
           output: 'trivy-results.sarif'
 
       - name: Upload Trivy scan results to GitHub Security tab
-        if: always()
+        if: github.ref == 'refs/heads/master' && always()
         uses: github/codeql-action/upload-sarif@v1
         with:
           sarif_file: 'trivy-results.sarif'
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,8 +3,20 @@
 ## Changelog
 
 
+<a name="4.1.2"></a>
+## [4.1.2] - 2021-03-26
+
+### 🤖 Continuous Integration & Automation
+- Fix Trivy workflow ([d7d9fcb](https://github.com/tprasadtp/protonvpn-docker/commit/d7d9fcb5c8abdee6699b40ff3fda534c3fb5c656))
+- **deps:** bump aquasecurity/trivy-action from 0.0.11 to 0.0.12 ([#28](https://github.com/tprasadtp/protonvpn-docker/issues/28)) ([b340412](https://github.com/tprasadtp/protonvpn-docker/commit/b340412df2f151377603e5d4e5eed1218e81ef23))
+
+### 🥺 Maintanance
+- **deps:** bump ubuntu from focal-20210217 to focal-20210325 ([#30](https://github.com/tprasadtp/protonvpn-docker/issues/30)) ([1c25946](https://github.com/tprasadtp/protonvpn-docker/commit/1c2594684f9d43f702a19983d99b9433356ec693))
+- **deps:** bump urllib3 from 1.26.3 to 1.26.4 in /root ([#26](https://github.com/tprasadtp/protonvpn-docker/issues/26)) ([4148872](https://github.com/tprasadtp/protonvpn-docker/commit/4148872439bb6499855ca1ba3488a4bb3cd8de60))
+
+
 <a name="4.1.1"></a>
-## [4.1.1] - 2021-03-13
+## [4.1.1] - 2021-03-14
 
 ### 🤖 Continuous Integration & Automation
 - (experimental) add image scanning as a cron job ([#24](https://github.com/tprasadtp/protonvpn-docker/issues/24)) ([4ad9d7c](https://github.com/tprasadtp/protonvpn-docker/commit/4ad9d7cd6573f77c3b2fa3b19a9722c727a1c029))
@@ -61,6 +73,7 @@
 
 
 <!-- tag references -->
+[4.1.2]: https://github.com/tprasadtp/protonvpn-docker/compare/4.1.1...4.1.2
 [4.1.1]: https://github.com/tprasadtp/protonvpn-docker/compare/4.1.0...4.1.1
 [4.1.0]: https://github.com/tprasadtp/protonvpn-docker/compare/4.0.0...4.1.0
 [4.0.0]: https://github.com/tprasadtp/protonvpn-docker/compare/3.1.0...4.0.0

diff --git a/Makefile b/Makefile
@@ -56,13 +56,8 @@ snapshot: ## Build snapshot
 release: ## Build release
 	goreleaser release --rm-dist --release-notes $(REPO_ROOT)/RELEASE_NOTES.md --skip-publish
 
-# DELETING MANIFESTS IS IMPORTANT!
-# GORELEASES USES --amend flag on docker manifest create command!
-# This will cause old images to be included in the manifest!
 .PHONY: release-prod
 release-prod: ## Build and release to production/QA
-	@for img in $(DOCKER_IMAGES); do docker manifest rm $${img}:4.0 || true ; done
-	@for img in $(DOCKER_IMAGES); do docker manifest rm $${img}:latest || true ; done
 	goreleaser release --rm-dist --release-notes $(REPO_ROOT)/RELEASE_NOTES.md
 
 .PHONY: clean

diff --git a/README.md b/README.md
@@ -23,6 +23,10 @@
     <img src="https://github.com/tprasadtp/protonvpn-docker/workflows/release/badge.svg"align="center" alt="action-release">
   </a>
 
+  <a href="https://github.com/tprasadtp/protonvpn-docker/actions?workflow=security" target="_blank" rel="noreferrer">
+    <img src="https://github.com/tprasadtp/protonvpn-docker/workflows/security/badge.svg"align="center" alt="action-security">
+  </a>
+
 </p>
 
 <!-- Version and Release Badges -->

diff --git a/go.mod b/go.mod
@@ -0,0 +1,3 @@
+module github.com/tprasadtp/protonvpn-docker
+
+go 1.16