diff --git a/.github/workflows/docker-build-push.yaml b/.github/workflows/docker-build-push.yaml index 57a82e90c..e72c96700 100644 --- a/.github/workflows/docker-build-push.yaml +++ b/.github/workflows/docker-build-push.yaml @@ -3,7 +3,7 @@ name: Docker build & push image on: push: branches: [v4] - tags: ['v*'] + tags: ["v*"] pull_request: branches: [v4] paths: @@ -90,28 +90,28 @@ jobs: - name: Sign the released image if: ${{ github.event_name != 'pull_request' }} env: - COSIGN_EXPERIMENTAL: 'true' + COSIGN_EXPERIMENTAL: "true" run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign --yes {}@${{ steps.build-and-push.outputs.digest }} - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph uses: aquasecurity/trivy-action@master if: ${{ github.event_name != 'pull_request' }} with: - image-ref: 'ghcr.io/${{ github.repository_owner }}/quartz:sha-${{ env.GITHUB_SHA_SHORT }}' - format: 'github' - output: 'dependency-results.sbom.json' + image-ref: "ghcr.io/${{ github.repository_owner }}/quartz:sha-${{ env.GITHUB_SHA_SHORT }}" + format: "github" + output: "dependency-results.sbom.json" github-pat: ${{ secrets.GITHUB_TOKEN }} - scanners: 'vuln' + scanners: "vuln" - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master if: ${{ github.event_name != 'pull_request' }} with: - image-ref: 'ghcr.io/${{ github.repository_owner }}/quartz:sha-${{ env.GITHUB_SHA_SHORT }}' - format: 'sarif' - output: 'trivy-results.sarif' - severity: 'CRITICAL' - scanners: 'vuln' + image-ref: "ghcr.io/${{ github.repository_owner }}/quartz:sha-${{ env.GITHUB_SHA_SHORT }}" + format: "sarif" + output: "trivy-results.sarif" + severity: "CRITICAL" + scanners: "vuln" - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 if: ${{ github.event_name != 'pull_request' }} with: - sarif_file: 'trivy-results.sarif' + sarif_file: "trivy-results.sarif"