Adjusted security scanning logic

serversideup · Dec 11, 2024 · 8b725d0 · 8b725d0
1 parent 28b8cc1
commit 8b725d0
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 15 deletions.
diff --git a/.github/workflows/action_publish-images-security-updates.yml b/.github/workflows/action_publish-images-security-updates.yml
@@ -15,30 +15,16 @@ on:
     - cron: '0 0 * * *'  # Daily at midnight UTC
 
 jobs:
-  get-latest-release:
-    runs-on: ubuntu-24.04
-    outputs:
-      release_version: ${{ steps.get-version.outputs.release_version }}
-    steps:
-      - name: Get Latest Release
-        id: get-version
-        run: |
-          LATEST_RELEASE=$(curl -s https://api.github.com/repos/${{ github.repository }}/releases/latest | jq -r .tag_name)
-          echo "release_version=${LATEST_RELEASE}" >> "$GITHUB_OUTPUT"
-
   scan-vulnerabilities:
     runs-on: ubuntu-24.04
-    needs: get-latest-release
     outputs:
       has_vulnerabilities: ${{ steps.scan.outputs.has_vulnerabilities || inputs.force_build }}
     steps:
       - id: scan
         if: inputs.skip_scan != true
         uses: aquasecurity/trivy-action@0.29.0
-        env:
-          LATEST_RELEASE: ${{ needs.get-latest-release.outputs.version }}
         with:
-          image-ref: ghcr.io/serversideup/docker-ssh:${{ env.LATEST_RELEASE }}
+          image-ref: 'ghcr.io/serversideup/docker-ssh'
           format: 'table'
           exit-code: '1'
           ignore-unfixed: true
@@ -50,6 +36,17 @@ jobs:
       - if: inputs.skip_scan
         run: echo "has_vulnerabilities=true" >> $GITHUB_OUTPUT
 
+  get-latest-release:
+    runs-on: ubuntu-24.04
+    outputs:
+      release_version: ${{ steps.get-version.outputs.release_version }}
+    steps:
+      - name: Get Latest Release
+        id: get-version
+        run: |
+          LATEST_RELEASE=$(curl -s https://api.github.com/repos/${{ github.repository }}/releases/latest | jq -r .tag_name)
+          echo "release_version=${LATEST_RELEASE}" >> "$GITHUB_OUTPUT"
+
   build-security-updates:
     needs: [scan-vulnerabilities, get-latest-release]
     if: needs.scan-vulnerabilities.outputs.has_vulnerabilities == 'true'

diff --git a/.github/workflows/service_docker-build-and-publish.yml b/.github/workflows/service_docker-build-and-publish.yml
@@ -30,6 +30,8 @@ jobs:
     steps:
       - name: Check out code.
         uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.ref }}
 
       - name: Login to DockerHub
         uses: docker/login-action@v3