feat: add token input and pin github-server-url
#12
Conversation
|
@BAiler-ai confirmed that these changes work for GHES - aquasecurity/trivy-action#418 (comment) |
action.yaml
Outdated
| if [ -z "${{ inputs.token }}" ]; then | ||
| echo "token=${{ github.token }}" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "token=${{ inputs.token }}" >> $GITHUB_OUTPUT | ||
| fi |
There was a problem hiding this comment.
Do we still need this step if we set the default value of token like actions/checkout? inputs.token points to the default GitHub token if token is not specified.
There was a problem hiding this comment.
initially, I used ${{ github.token }} as default value for inputs.token.
But actions/checkout doesn't work if token is empty (but works if token is specified) - https://github.com/DmitriyLewen/test-trivy-action/actions/runs/11476162864/job/31935565983
So, there are 2 ways to avoid errors in trivy-action:
- use
${{ github.token }}as default value fortoken-setup-trivyintrivy-action. - add step in
setup-trivy(my way).
I thought it's better to add step in setup-trivy to avoid questions in trivy-action about using ${{ github.token }}.
But if you want, I can use the 1st method.
Example:
setup-trivy (${{ github.token }} is default value for inputs.token) - https://github.com/DmitriyLewen/setup-trivy/blob/0faeae687c92b01123d6eaafbe78091bc8b610eb/action.yaml
trivy-action (`` is default value for inputs.token-setup-trivy)- https://github.com/DmitriyLewen/trivy-action/blob/e78daca2a1cb92de6fd1ba645bd146b851efc10c/action.yaml
test run - https://github.com/DmitriyLewen/test-trivy-action/actions/runs/11476162864/job/31935565983
There was a problem hiding this comment.
initially, I used ${{ github.token }} as default value for inputs.token.
What changed your mind to go for the second approach (additional step)? Is there any benefit?
But actions/checkout doesn't work if token is empty (but works if token is specified) - https://github.com/DmitriyLewen/test-trivy-action/actions/runs/11476162864/job/31935565983
I'm probably missing something, but my suggestion will not fall into this case, right?
There was a problem hiding this comment.
What changed your mind to go for the second approach (additional step)? Is there any benefit?
I didn't think actions/checkout uses token for public repos.
But IIUC actions/checkout uses same logic as ghcr (you need to use a valid token even if you pull a public image).
That's why I thought trivy-action users would have questions about github.token, how we use it, etc.
So the only benefit would be fewer questions (if any)
I'm probably missing something, but my suggestion will not fall into this case, right?
Since we are using a chain of actions (trivy-action -> setup-trivy -> actions/checkout), we need to set a default value (github.token) for trivy-action and setup-trivy.
If we use an empty default value for trivy-action - setup-trivy will get `` instead of nil and we will get an error.
PS I tried removing default line (I was hoping that would give me nil), but I got the same behavior.
There was a problem hiding this comment.
I now realized that another plus is that we don't have to set the default value twice.
If there is a need to change it, we will do it in one place
There was a problem hiding this comment.
Since we are using a chain of actions (trivy-action -> setup-trivy -> actions/checkout), we need to set a default value (github.token) for trivy-action and setup-trivy.
Yes, I suggested adding default: ${{ github.token }}. It wouldn't be empty, right? What's wrong?
There was a problem hiding this comment.
Since we are using a chain of actions (trivy-action -> setup-trivy -> actions/checkout), we need to set a default value (github.token) for trivy-action and setup-trivy.
Yes, I suggested adding
default: ${{ github.token }}. It wouldn't be empty, right? What's wrong?
Is it because the default: ${{ github.token }} doesn't propagate down the chain of actions? If it does, I don't see why we shouldn't use it as the default.
There was a problem hiding this comment.
You are right. It seems I have confused myself.
There was a problem hiding this comment.
I updated this PR.
cc. @knqyf263 @simar7
UPD:
added github.token as default value in trivy-action - https://github.com/aquasecurity/trivy-action/blob/e9e31edcb0a6bd9a9e1c562428ef30e97a3e3464/action.yaml#L118
DmitriyLewen
force-pushed
the
fix-ghes
branch
from
2df9f60 to
0faeae6
Compare
Description
GHES overwrites
github.token. Also default github server for GHES is nothttp://github.saobby.my.eu.org.This PR:
http://github.saobby.my.eu.orgasgithub-server-urlforactions/checkout. Required so thatactions/checkoutcorrectly finds Trivy repository.tokeninput. Default value isgithub.token(as in actions/checkout).tokenis required so that users can overwrite invalid (forhttp://github.saobby.my.eu.orgserver) GHES token. Despite the fact that Trivy is public repository,checkoutgives an error when the token is invalid.Test runs:
public_repoonly - https://github.com/DmitriyLewen/test-trivy-action/actions/runs/11492666014Related issues: