Fix Trivy caching in CI

Update Trivy SBOM generation to invalidate the Trivy cache when package-lock.json or composer.lock are modified.
artefactual · Apr 16, 2024 · 11ee01f · 11ee01f
1 parent 4984252
commit 11ee01f
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/.github/workflows/generate-sbom.yml b/.github/workflows/generate-sbom.yml
@@ -20,12 +20,12 @@ jobs:
         uses: actions/cache@v4
         with:
           path: .trivycache/
-          key: ${{ runner.os }}-trivy-${{ hashFiles('**/lockfiles') }}
+          key: ${{ runner.os }}-trivy-${{ hashFiles('package-lock.json', 'composer.lock') }}
           restore-keys: |
             ${{ runner.os }}-trivy-
 
       - name: Generate SBOM
-        run: trivy fs --format cyclonedx --include-dev-deps --output sbom.xml .
+        run: trivy fs --cache-dir .trivycache --format cyclonedx --include-dev-deps --output sbom.xml .
         env:
           TRIVY_NO_PROGRESS: "true"