Tag PR image build as latest before scanning

This is less effort than passing the tag across steps 🤷‍♂️ Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
brandond · Sep 5, 2024 · 378edb9 · 378edb9
1 parent 662799f
commit 378edb9
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 1 deletion.
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
@@ -27,11 +27,12 @@ jobs:
       run: |
         make local
         make package-image
+        make tag-image-latest
 
     - name: Run Trivy vulnerability scanner
       uses: aquasecurity/trivy-action@0.24.0
       with:
-        image-ref: 'rancher/k3s'
+        image-ref: 'rancher/k3s:latest'
         format: 'table'
         severity: "HIGH,CRITICAL"
         output: "trivy-report.txt"

diff --git a/scripts/tag-image-latest b/scripts/tag-image-latest
@@ -0,0 +1,15 @@
+#!/bin/bash
+set -e
+
+cd $(dirname $0)/..
+
+. ./scripts/version.sh
+
+TAG=${TAG:-${VERSION_TAG}${SUFFIX}}
+REPO=${REPO:-rancher}
+IMAGE_NAME=${IMAGE_NAME:-k3s}
+
+IMAGE=${REPO}/${IMAGE_NAME}:${TAG}
+LATEST=${REPO}/${IMAGE_NAME}:latest
+docker image tag ${IMAGE} ${LATEST}
+echo Tagged ${IMAGE} as ${LATEST}