sec: enforce Binary Auth, move scanning to PRs

.github/workflows/deploy.yml

@@ -82,55 +82,3 @@ jobs:
             --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
             --certificate-identity-regexp="github.com/Pyronewbic/casecomp" \
             "${{ env.IMAGE }}@${{ steps.digest.outputs.digest }}" || true
-
-  scan:
-    needs: deploy
-    runs-on: ubuntu-latest
-    steps:
-      - uses: google-github-actions/auth@v3
-        with:
-          workload_identity_provider: projects/129850122606/locations/global/workloadIdentityPools/github-pool/providers/github-provider
-          service_account: casecomp-deploy@casecomp-495718.iam.gserviceaccount.com
-
-      - uses: google-github-actions/setup-gcloud@v3
-
-      - name: Pull image
-        run: |
-          gcloud auth configure-docker --quiet
-          docker pull "${{ env.IMAGE }}@${{ needs.deploy.outputs.digest }}"
-
-      - name: Generate SBOM (Syft)
-        uses: anchore/sbom-action@v0
-        with:
-          image: "${{ env.IMAGE }}@${{ needs.deploy.outputs.digest }}"
-          format: spdx-json
-          output-file: sbom.spdx.json
-
-      - name: Vulnerability scan (Grype)
-        uses: anchore/scan-action@v6
-        id: grype
-        with:
-          sbom: sbom.spdx.json
-          fail-build: false
-          severity-cutoff: critical
-
-      - name: Upload SBOM
-        uses: actions/upload-artifact@v4
-        with:
-          name: sbom-${{ github.sha }}
-          path: sbom.spdx.json
-          retention-days: 90
-
-      - name: Upload Grype report
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: grype-report-${{ github.sha }}
-          path: ${{ steps.grype.outputs.sarif }}
-          retention-days: 90
-
-      - name: Upload SARIF to GitHub Security
-        if: always() && steps.grype.outputs.sarif != ''
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: ${{ steps.grype.outputs.sarif }}

.github/workflows/test.yml

@@ -5,6 +5,10 @@ on:
   pull_request:
     branches: [main]
 
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   unit:
     runs-on: ubuntu-latest
@@ -41,3 +45,37 @@ jobs:
         run: npx playwright install-deps chromium
       - run: node test/smoke-test.js
 
+  scan:
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Generate SBOM (Syft)
+        uses: anchore/sbom-action@v0
+        with:
+          path: .
+          format: spdx-json
+          output-file: sbom.spdx.json
+
+      - name: Vulnerability scan (Grype)
+        uses: anchore/scan-action@v6
+        id: grype
+        with:
+          sbom: sbom.spdx.json
+          fail-build: false
+          severity-cutoff: critical
+
+      - name: Upload SBOM
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom-${{ github.sha }}
+          path: sbom.spdx.json
+          retention-days: 90
+
+      - name: Upload SARIF to GitHub Security
+        if: always() && steps.grype.outputs.sarif != ''
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ steps.grype.outputs.sarif }}
+          category: grype

terraform/main.tf

@@ -56,7 +56,7 @@ resource "google_binary_authorization_policy" "default" {
 
   default_admission_rule {
     evaluation_mode  = "ALWAYS_ALLOW"
-    enforcement_mode = "DRYRUN_AUDIT_LOG_ONLY"
+    enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
   }
 
   depends_on = [google_project_service.binaryauthorization]
@@ -164,6 +164,10 @@ resource "google_cloud_run_v2_service" "api" {
     use_default = true
   }
 
+  lifecycle {
+    ignore_changes = [template[0].containers[0].image, client, client_version]
+  }
+
   depends_on = [
     google_project_service.run,
     google_secret_manager_secret_iam_member.cloud_run_access,
@@ -254,6 +258,10 @@ resource "google_cloud_run_v2_service" "site" {
     use_default = true
   }
 
+  lifecycle {
+    ignore_changes = [template[0].containers[0].image, client, client_version]
+  }
+
   depends_on = [
     google_project_service.run,
     google_binary_authorization_policy.default,