From ccf7a040536c26cc3f708f97500fc2d2618d9682 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20=C3=81lvaro?= Date: Sat, 13 Mar 2021 20:59:01 +0100 Subject: [PATCH] ci: Update Security analysis workflow
---
.github/workflows/build-and-test.yml | 46 ------------------------- .github/workflows/publish.yml | 28 --------------- .github/workflows/security-analysis.yml | 40 +++++++++++++++++++++ 3 files changed, 40 insertions(+), 74 deletions(-)
diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
index 408ecdf..d080d02 100644
--- a/.github/workflows/build-and-test.yml
+++ b/.github/workflows/build-and-test.yml
@@ -170,49 +170,3 @@ jobs: run: | docker stop saltstack_master registry docker image rm ${IMAGE_NAME} - - security-analysis: - name: Security analysis - runs-on: ubuntu-latest - needs: build - steps: - - name: Download Docker registry data from build job - uses: actions/download-artifact@v2 - with: - name: docker-registry-data - path: ${{ env.REGISTRY_PATH }} - - - name: Enable Docker experimental - run: | - # Enable docker daemon experimental support. - echo '{"experimental": true}' | sudo tee /etc/docker/daemon.json - sudo systemctl restart docker - # Install QEMU multi-architecture support for docker buildx. - docker run --rm --privileged multiarch/qemu-user-static --reset -p yes - - - name: Start Docker registry - run: | - docker run -d -p 5000:5000 -v ${REGISTRY_PATH}:/var/lib/registry --name registry registry:2 - - - name: Import Docker images - run: | - RETRY_MAX=5 - for i in $(seq 1 $RETRY_MAX); do - [ "$i" != "1" ] && echo "Retrying docker pull" - docker pull --platform linux/amd64 ${IMAGE_NAME} && break - echo "Command failed with code $?" - done - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master - with: - image-ref: ${{ env.IMAGE_NAME }} - format: 'template' - template: '@/contrib/sarif.tpl' - output: 'trivy-results.sarif' - severity: 'HIGH,CRITICAL' - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v1 - with: - sarif_file: 'trivy-results.sarif' diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 9c17dd8..4332a20 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
@@ -91,31 +91,3 @@ jobs: cache-to: type=local,dest=${{ env.CACHE_PATH }} push: true tags: ${{ steps.metadata.outputs.tags }} - - security-analysis: - name: Security analysis - runs-on: ubuntu-latest - needs: publish - steps: - - name: Prepare metadata - id: metadata - run: | - IMAGE_REF="${IMAGE_NAME}:${GITHUB_REF_NAME:-latest}" - echo ::set-output name=image_ref::${IMAGE_REF} - - - name: Import Docker images - run: docker pull ${{ steps.metadata.outputs.image_ref }} - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master - with: - image-ref: ${{ steps.metadata.outputs.image_ref }} - format: 'template' - template: '@/contrib/sarif.tpl' - output: 'trivy-results.sarif' - severity: 'HIGH,CRITICAL' - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v1 - with: - sarif_file: 'trivy-results.sarif' diff --git a/.github/workflows/security-analysis.yml b/.github/workflows/security-analysis.yml index acd4829..789a3bd 100644 --- a/.github/workflows/security-analysis.yml +++ b/.github/workflows/security-analysis.yml @@ -1,6 +1,10 @@ name: Security analysis on: + push: + branches: + - main + pull_request: schedule: - cron: '0 0 * * 1' 
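Review bot: Adding `pull_request` as a trigger in security-analysis.yml means the workflow now also runs for pull requests opened from forks, where `GITHUB_TOKEN` is read-only, so any step that uploads SARIF to the Security tab (as the removed `upload-sarif` steps in build-and-test.yml and publish.yml did, and presumably this workflow now does further down, outside this hunk) will fail there for lack of `security-events: write`. The file also declares no `permissions:` block, so the `push` and `schedule` runs execute with the repository's default `GITHUB_TOKEN` permissions, which are typically broader than a scan-and-upload job needs. I would add at workflow level, next to `on:`, the lines `permissions:` / `  contents: read` / `  security-events: write`, and either accept that fork PRs cannot upload or guard the upload step with a condition on `github.event.pull_request.head.repo.fork`. The `pull_request` trigger also has no `branches` filter, unlike `push`, so it fires for PRs against every branch; if that is not intended, mirror the `- main` filter there.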
@@ -8,9 +12,45 @@ jobs: security-analysis: name: Trivy scan runs-on: ubuntu-latest + env: + CACHE_PATH: /tmp/.buildx-cache steps: + - name: Checkout repository + if: github.event_name != 'schedule' + uses: actions/checkout@v2 + + - name: Set up QEMU + if: github.event_name != 'schedule' + uses: docker/setup-qemu-action@v1 + + - name: Set up Docker Buildx + if: github.event_name != 'schedule' + uses: docker/setup-buildx-action@v1 + + - name: Cache Docker layers + if: github.event_name != 'schedule' + uses: actions/cache@v2.1.4 + with: + path: ${{ env.CACHE_PATH }} + key: ${{ runner.os }}-buildx-${{ github.sha }} + restore-keys: | + ${{ runner.os }}-buildx- + + - name: Build docker-salt-master image + if: github.event_name != 'schedule' + uses: docker/build-push-action@v2 + with: + context: . + file: ./Dockerfile + cache-from: | + type=local,src=${{ env.CACHE_PATH }} + ghcr.io/cdalvaro/docker-salt-master:${{ github.sha }} + cache-to: type=local,dest=${{ env.CACHE_PATH }} + push: false + - name: Download and tag latest image + if: github.event_name == 'schedule' run: | docker pull ghcr.io/cdalvaro/docker-salt-master:latest docker tag ghcr.io/cdalvaro/docker-salt-master:latest ghcr.io/cdalvaro/docker-salt-master:${{ github.sha }}