build: add snyk scan and ghcr cleanup

Author: joshiste

.github/workflows/ci.yml

@@ -173,6 +173,28 @@ jobs:
           https://api.github.com/repos/steadybit/extension-deployer/actions/workflows/extension-restart.yml/dispatches \
           -d '{"ref":"main","inputs":{"extension":"${{ github.repository }}","version":"${{ steps.meta.outputs.version }}","revision":"${{ github.sha }}"}}'
 
+  snyk-test:
+    name: "Snyk Test ${{ startsWith(github.ref, 'refs/tags/') && '- If this breaks for CVEs, you need to revoke the published image (and move latest tag)!' || '' }}"
+    uses: steadybit/extension-kit/.github/workflows/reusable-snyk-scan.yml@main
+    needs: [build-images]
+    with:
+      command: test
+      container_image: ghcr.io/${{ github.repository }}:latest
+    secrets:
+      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+  snyk-monitor:
+    name: "[Release] Snyk Monitor latest"
+    uses: steadybit/extension-kit/.github/workflows/reusable-snyk-scan.yml@main
+    if: ${{ startsWith(github.ref, 'refs/tags/') }}
+    needs: [build-images]
+    with:
+      command: monitor
+      container_image: ghcr.io/${{ github.repository }}:latest
+      target_ref: latest
+    secrets:
+      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
   build-packages:
     name: Build Linux Packages
     needs:

.github/workflows/ghcr-cleanup.yml

@@ -6,7 +6,7 @@ on:
     - cron: "0 8 * * 1"
 
 jobs:
-  extension-ci:
+  ghcr-cleanup:
     uses: steadybit/extension-kit/.github/workflows/reusable-ghcr-cleanup.yml@main
     secrets:
       token: ${{ secrets.GHCR_CLEANUP_PAT }}