Merge pull request #31 from OmegaSquad82/cleanup-docs-try-trivy-again

Cleanup-docs-try-trivy-again

.github/workflows/build.yml

@@ -7,15 +7,18 @@ on:
   push:
     paths-ignore:
       - "**.md"
+      - "build-isos"
       - "**/trivy.yml"
   pull_request:
   workflow_dispatch:
+env:
+  REPO_OWNER: ${{ github.repository_owner }}
 jobs:
   bluebuild:
     name: Build Custom Image
     runs-on: ubuntu-24.04
     permissions:
-      contents: read
+      contents: write
       packages: write
       id-token: write
     strategy:
@@ -27,7 +30,6 @@ jobs:
           - buttgenbachit
           - carbonatcyanotrichit
           - flaviramea
-        # - template
     steps:
       - name: Build Custom Image
         uses: blue-build/github-action@v1.6
@@ -37,3 +39,27 @@ jobs:
           registry_token: ${{ github.token }}
           pr_event_number: ${{ github.event.number }}
           maximize_build_space: yes
+
+      - name: Force repository owner to lowercase
+        run: echo "IMAGE_REF=ghcr.io/${REPO_OWNER@L}/${{ matrix.package }}" >> ${GITHUB_ENV}
+
+      - name: Generate SBOM for Custom Image with Trivy
+        uses: aquasecurity/trivy-action@0.24.0
+        with:
+          image-ref: "${{ env.IMAGE_REF }}"
+          scan-type: image
+          format: "github"
+          output: "${{ matrix.package }}-dependency-results.sbom.json"
+          github-pat: ${{ secrets.GITHUB_TOKEN }}
+          severity: "MEDIUM,HIGH,CRITICAL"
+          scanners: "vuln"
+        env:
+          TRIVY_USERNAME: ${{ github.actor }}
+          TRIVY_PASSWORD: ${{ github.token }}
+
+      - name: Upload trivy report as a Github artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.package }}-trivy-sbom-report
+          path: "${{ github.workspace }}/${{ matrix.package }}-dependency-results.sbom.json"
+          retention-days: 21

.github/workflows/trivy.yml

@@ -4,18 +4,17 @@ on:
     - cron:
         "55 06 * * *" # build at 06:55 UTC every day
         # (50 minutes after custom image build was triggered)
-  registry_package:
+  pull_request:
   workflow_dispatch:
 env:
-  REGISTRY: ghcr.io
-  OWNER: ${{ github.repository_owner }}
+  REPO_OWNER: ${{ github.repository_owner }}
 jobs:
   trivy:
     name: Scan Custom Image
     runs-on: ubuntu-24.04
     permissions:
       contents: write
-      packages: write
+      packages: read
       id-token: write
     strategy:
       fail-fast: false
@@ -26,27 +25,31 @@ jobs:
           - buttgenbachit
           - carbonatcyanotrichit
           - flaviramea
-        # - template
     steps:
+      - name: Maximize build space
+        uses: jlumbroso/free-disk-space@v1.3.1
+
       - name: Checkout code
         uses: actions/checkout@v3
-      - uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ github.token }}
-      - run: echo "IMAGE_REF=${REGISTRY}/${OWNER@L}/${{ matrix.package }}" >> ${GITHUB_ENV}
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
+
+      - name: Force repository owner to lowercase
+        run: echo "IMAGE_REF=ghcr.io/${REPO_OWNER@L}/${{ matrix.package }}" >> ${GITHUB_ENV}
+
+      - name: Generate SARIF for Custom Image with Trivy
+        uses: aquasecurity/trivy-action@0.24.0
         with:
+          output: ${{ matrix.package }}-trivy-results.sarif
+          github-pat: ${{ secrets.GITHUB_TOKEN }}
           image-ref: "${{ env.IMAGE_REF }}"
+          severity: MEDIUM,HIGH,CRITICAL
+          scan-type: image
+          scanners: vuln
           format: sarif
-          output: trivy-results.sarif
-          severity: CRITICAL,HIGH,MEDIUM
         env:
           TRIVY_USERNAME: ${{ github.actor }}
           TRIVY_PASSWORD: ${{ github.token }}
+
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3
         with:
-          sarif_file: "trivy-results.sarif"
+          sarif_file: "${{ matrix.package }}-trivy-results.sarif"

README.md

@@ -1,28 +1,32 @@
-# OmegaSquad82/BlueBuilds   [![bluebuild](https://github.com/OmegaSquad82/bluebuilds/actions/workflows/build.yml/badge.svg)](https://github.com/OmegaSquad82/bluebuilds/actions/workflows/build.yml) [![Dependabot Updates](https://github.com/OmegaSquad82/bluebuilds/actions/workflows/dependabot/dependabot-updates/badge.svg)](https://github.com/OmegaSquad82/bluebuilds/actions/workflows/dependabot/dependabot-updates)
+# OmegaSquad82/BlueBuilds  
+
+[![bluebuild](https://github.com/OmegaSquad82/bluebuilds/actions/workflows/build.yml/badge.svg)](https://github.com/OmegaSquad82/bluebuilds/actions/workflows/build.yml)
+[![bluevuln](https://github.com/OmegaSquad82/bluebuilds/actions/workflows/trivy.yml/badge.svg)](https://github.com/OmegaSquad82/bluebuilds/actions/workflows/trivy.yml)
+[![Dependabot Updates](https://github.com/OmegaSquad82/bluebuilds/actions/workflows/dependabot/dependabot-updates/badge.svg)](https://github.com/OmegaSquad82/bluebuilds/actions/workflows/dependabot/dependabot-updates)
 
 See the [BlueBuild docs](https://blue-build.org/how-to/setup/) for quick setup instructions for setting up your own repository based on this template.
 
 ## Images
 
 All images are built with a selection of common packages and flatpaks. ZRAM is pre-configured to use system default compression (likely LZ4) and from 2xRAM up to 32 GiB as Swap space and Virtual Memory settings have been configured for both increased amount of and low latency swapping. The latency improvements come at a price of a higher likelyhood of page faults because readahead has been deactivated.
 
-### Aubertit
+### [Aubertit](https://www.mineralienatlas.de/lexikon/index.php/MineralData?lang=en&language=english&mineral=Aubertit)
 
 It is a flavor of Bazzite for ASUS Laptops with some NVIDIA GPU.
 
-### Borealis
+### [Borealis](https://en.wikipedia.org/wiki/Aurora_Borealis)
 
 An opinionated descendant of Aurora for my usual desktop and tinkering workflows.
 
-### Buttgenbachit
+### [Buttgenbachit](https://www.mineralienatlas.de/lexikon/index.php/MineralData?lang=en&language=english&mineral=Buttgenbachit)
 
 Bazzite Stable NVIDIA for desktop gaming.
 
-### Carbonatcyanotrichit
+### [Carbonatcyanotrichit](https://www.mineralienatlas.de/lexikon/index.php/MineralData?lang=en&language=english&mineral=Carbonatcyanotrichit)
 
 Bazzite Deck Stable for my Steam Deck clone.
 
-### Flaviramea
+### [Flaviramea](https://www.ecosia.org/search?tt=mzl&q=Cornus%20sericea%20Flaviramea)
 
 My netbook still exists and is dear to me and so it is running Sway, now.
 
@@ -64,6 +68,8 @@ The `podman.service` is enabled on Borealis, Buttgenbachit and Flaviramea.
 
 ### Packages
 
+#### All images
+
 - byobu
 - kitty
 - neovim
@@ -72,7 +78,9 @@ The `podman.service` is enabled on Borealis, Buttgenbachit and Flaviramea.
 
 ### swap on zram
 
-Let's have a look into some articles I've read over time. I did not do any measurements on my own, just rough observations while using my systems, especially the low memory (4 GiB) netbook I'm using for roughly seven years, and generally fare well with these settings, now. By default Fedora is using the [systemd-zram-generator](https://github.com/systemd/zram-generator).
+Let's have a look into some articles I've read over time. I did not do many measurements on my own, just rough observations while using my systems, especially the low memory (4 GiB) netbook I'm using for roughly seven years, and generally fare well with these settings. I'm choosing `lz4` over `zstd` as higher IOPS are - for my use cases - seemingly more important than the compression gain over either lz4 or `lzo-rle`.
+
+By default Fedora is using the [systemd-zram-generator](https://github.com/systemd/zram-generator).
 
 #### Blogs
 

recipes/recipe-aubertit.yml

@@ -1,4 +1,3 @@
-# https://www.mineralienatlas.de/lexikon/index.php/MineralData?lang=en&language=english&mineral=Aubertit
 name: aubertit
 description: My personal flavor of Bazzite Stable for ASUS Laptops with NVIDIA cards.
 base-image: ghcr.io/ublue-os/bazzite-asus-nvidia

recipes/recipe-borealis.yml

@@ -1,8 +1,7 @@
-# https://en.wikipedia.org/wiki/Aurora_Borealis
 name: borealis
 description: My personal flavor of Aurora for Developers.
 base-image: ghcr.io/ublue-os/aurora-dx
-image-version: 40
+image-version: latest
 
 modules:
   - from-file: common-modules.yml

recipes/recipe-buttgenbachit.yml

@@ -1,4 +1,3 @@
-# https://www.mineralienatlas.de/lexikon/index.php/MineralData?lang=en&language=english&mineral=Buttgenbachit
 name: buttgenbachit
 description: My personal flavor of Bazzite NVIDIA Stable.
 base-image: ghcr.io/ublue-os/bazzite-nvidia

recipes/recipe-carbonatcyanotrichit.yml

@@ -1,4 +1,3 @@
-# https://www.mineralienatlas.de/lexikon/index.php/MineralData?lang=en&language=english&mineral=Carbonatcyanotrichit
 name: carbonatcyanotrichit
 description: My personal flavor of Bazzite Deck Stable.
 base-image: ghcr.io/ublue-os/bazzite-deck

recipes/recipe-flaviramea.yml

@@ -1,8 +1,7 @@
-# https://www.ecosia.org/search?tt=mzl&q=Cornus%20sericea%20Flaviramea
 name: flaviramea
 description: My personal flavor of Fedora Sway Atomic.
 base-image: ghcr.io/ublue-os/sericea-main
-image-version: 40
+image-version: latest
 
 modules:
   - from-file: common-modules.yml