From 11ee01f45c79591b388895e9d22bff5cfc3de39d Mon Sep 17 00:00:00 2001
From: Steve Breker
Date: Tue, 16 Apr 2024 13:09:04 -0700
Subject: [PATCH] Fix Trivy caching in CI

Update Trivy SBOM generation to invalidate the Trivy cache when package-lock.json or composer.lock are modified.
---
 .github/workflows/generate-sbom.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/generate-sbom.yml b/.github/workflows/generate-sbom.yml
index 3a71725bdb..9b13c829c3 100644
--- a/.github/workflows/generate-sbom.yml
+++ b/.github/workflows/generate-sbom.yml
@@ -20,12 +20,12 @@ jobs:
 uses: actions/cache@v4
 with:
 path: .trivycache/
- key: ${{ runner.os }}-trivy-${{ hashFiles('**/lockfiles') }}
+ key: ${{ runner.os }}-trivy-${{ hashFiles('package-lock.json', 'composer.lock') }}
 restore-keys: |
 ${{ runner.os }}-trivy-
 - name: Generate SBOM
- run: trivy fs --format cyclonedx --include-dev-deps --output sbom.xml .
+ run: trivy fs --cache-dir .trivycache --format cyclonedx --include-dev-deps --output sbom.xml .
 env:
 TRIVY_NO_PROGRESS: "true"
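Review bot: The unchanged `restore-keys` prefix `${{ runner.os }}-trivy-`, just below the new `key:` line, still restores the most recent older cache whenever a lockfile changes. The new hash therefore decides only when a fresh cache entry is saved, not whether earlier `.trivycache` contents are reused. If the invalidation described in the commit message is meant strictly, drop the `restore-keys:` block; otherwise add a comment above it such as `# prefix fallback is intentional: stale Trivy cache entries are acceptable here`. Separately, the two `hashFiles` arguments appear to match only lockfiles at the repository root, so a nested manifest would not change the key; a comment like `# root lockfiles only; extend the patterns if nested manifests are added` would record that. The step list starts and continues outside this hunk.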