Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions .github/workflows/reusable-trivy.yml
Original file line number Diff line number Diff line change
Expand Up @@ -158,6 +158,20 @@ jobs:
actions: read
packages: read
steps:
# image-ref is a ghcr.io reference by digest (see the usage comment at
# the top of this file). `permissions: packages: read` alone does not
# authenticate the docker/trivy pull for a private package - confirmed
# by a real failure (unauthorized pulling a same-run-pushed private
# GHCR image) before this step existed. Every caller of this reusable
# publishes to ghcr.io, so logging in here (not conditionally, not
# registry-parsed from image-ref) covers every real usage.
- name: Log in to GHCR for the image pull
uses: docker/login-action@c99871dec2022cc055c062a10cc1a1310835ceb4 # v4.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Trivy image vulnerability scan
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
with:
Expand Down