# Composite GitHub Action (see `runs.using` below) that installs the Trivy
# binary into "<path>/trivy-bin" and appends that directory to the job PATH.
name: 'Aqua Security Trivy installer'
description: 'Install Trivy binary from release page'
author: 'Aqua Security'

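# Every input below is substituted verbatim into the `run:` scripts via
# `${{ inputs.* }}` expressions, i.e. before bash parses the script, so their
# values should come from the calling workflow rather than from event data.
inputs:
  version:
    description: 'Trivy version to install'
    required: false
    default: 'latest'
  path:
    description: 'Path in runner to install Trivy. Trivy will be installed in "<path>/trivy-bin" dir ("$HOME/.local/bin/trivy-bin" by default)'
    required: false
    # Written as a shell variable on purpose: the "Binary dir" step expands it
    # inside a double-quoted bash string, yielding an absolute path.
    default: '$HOME/.local/bin'
  cache:
    description: 'Used to specify whether caching is needed. Set to false, if you would like to disable caching.'
    required: false
    # Action inputs are strings; the steps compare against the literal 'true'.
    default: 'false'
  token:
    description: >
      Access token used to check out the Trivy repository.
      The token is required when using GitHub Enterprise Server (GHES).
      https://github.com/actions/create-github-app-token can be used to obtain such a token.
      The token should be limited to read access only for public repositories.
      See more details in https://github.com/aquasecurity/setup-trivy/issues/10
    required: false
    # ${{ github.token }} is the same default actions/checkout uses
    # cf. https://github.com/actions/checkout/blob/eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871/action.yml#L24
    # Quoted so the templated value is always read as a plain string scalar.
    default: '${{ github.token }}'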

runs:
  using: 'composite'
  # Step order matters: "Binary dir" must run first because the cache,
  # install and PATH steps all read `steps.binary-dir.outputs.dir`.
  steps:
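    - name: Binary dir
      id: binary-dir
      shell: bash
      # `inputs.path` is substituted into the script text before bash runs; its
      # default ('$HOME/.local/bin') is then expanded by bash inside the double
      # quotes, so the recorded `dir` output is an expanded absolute path that
      # the cache, install and PATH steps reuse. The redirection target is
      # quoted so a runner-provided path containing spaces cannot split it.
      run: echo "dir=${{ inputs.path }}/trivy-bin" >> "$GITHUB_OUTPUT"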

    # Don't cache the `latest` version: the cache key below is built from the
    # version string, so 'latest' would keep serving whatever was cached first.
    # This step only prints a warning; the restore step is skipped for 'latest'
    # and an empty `cache-hit` lets the install step run as usual.
    - name: Check the version for caching
      if: ${{ inputs.cache == 'true' && inputs.version == 'latest' }}
      shell: bash
      run: |
        echo "'setup-trivy' doesn't currently support caching the 'latest' version"
        echo "read https://github.com/aquasecurity/setup-trivy?tab=readme-ov-file#caching for more details"

    # Only runs for caching of a pinned version; the key ties the cached
    # directory to the requested version, OS and architecture. The `cache` id
    # is read by the two following steps through `steps.cache.outputs.cache-hit`.
    - name: Restore Trivy binary from cache
      if: ${{ inputs.cache == 'true' && inputs.version != 'latest' }}
      id: cache
      # NOTE(review): referenced by a mutable major tag; pinning to a full
      # commit SHA would make the dependency immutable — confirm project policy.
      uses: actions/cache@v4
      with:
        path: ${{ steps.binary-dir.outputs.dir }}
        key: trivy-binary-${{ inputs.version }}-${{ runner.os }}-${{ runner.arch }}

    # Runs on a cache miss and also when caching is off (a skipped `cache` step
    # yields an empty cache-hit). Fetches only `contrib/` from the Trivy repo
    # into ./trivy, which the install step consumes and then deletes.
    - name: Checkout install script
      if: steps.cache.outputs.cache-hit != 'true'
      # NOTE(review): referenced by a mutable major tag; pinning to a full
      # commit SHA would make the dependency immutable — confirm project policy.
      uses: actions/checkout@v4
      with:
        repository: aquasecurity/trivy
        # No `ref` is set, so the install script is taken from the repository's
        # default branch (actions/checkout's behaviour when `ref` is unset),
        # independent of `inputs.version`.
        sparse-checkout: |
          contrib
        path: trivy
        fetch-depth: 1
        # We have to explicitly set GitHub server to avoid it being overwritten for GHES
        # cf. https://github.com/aquasecurity/setup-trivy/issues/10
        github-server-url: 'https://github.com'
        token: ${{ inputs.token }}


    # Install Trivy using the install script, copy the `contrib` directory next
    # to the binary, and remove the `trivy` directory produced by the checkout
    # step, as it may cause errors in linters/checks in the calling code.
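    - name: Install Trivy
      if: steps.cache.outputs.cache-hit != 'true'
      shell: bash
      # The script and `contrib/` come from the checkout step above. The target
      # directory is quoted so paths with spaces survive; `inputs.version` is
      # left unquoted so an empty value expands to no argument rather than to
      # "" (how install.sh treats an explicit empty argument is not shown here).
      # `contrib` is copied by content into a pre-created directory so an
      # already-present "<dir>/contrib" (e.g. a reused workspace) is refreshed
      # instead of being nested one level deeper.
      run: |
        echo "installing Trivy binary"
        bash ./trivy/contrib/install.sh -b "${{ steps.binary-dir.outputs.dir }}" ${{ inputs.version }}
        mkdir -p "${{ steps.binary-dir.outputs.dir }}/contrib"
        cp -r ./trivy/contrib/. "${{ steps.binary-dir.outputs.dir }}/contrib"
        rm -rf ./trivy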

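    # Add the Trivy binary, retrieved from cache or installed by the script, to $GITHUB_PATH
    - name: Add Trivy binary to $GITHUB_PATH
      shell: bash
      # Both the directory and the redirection target are quoted so a path
      # containing spaces is appended as a single PATH entry.
      run: echo "${{ steps.binary-dir.outputs.dir }}" >> "$GITHUB_PATH"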