feat: Try not cleaning docker images

DataDog · Aug 21, 2024 · ba20a82 · ba20a82
1 parent bc1c3ad
commit ba20a82
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 15 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -13,15 +13,13 @@ on:
   workflow_dispatch:
 
 jobs:
-  build_push:
-    name: Build and publish docker images
+  build_push_check:
+    name: Build docker image, publish it and run vuln scanner against it
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
       packages: write # for image publication to GitHub Packages
     runs-on: ubuntu-latest
-    outputs:
-      LATEST_IMAGE_TAG: ${{ steps.build.outputs.LATEST_IMAGE_TAG }}
     steps:
       - name: Checkout repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 4.1.7
@@ -36,6 +34,8 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Free Disk Space (Ubuntu) # Reclaim disk space for build
         uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
+        with:
+          docker-images: false # Do not remove locally built images (including trivy scanner)
       - name: Build images
         id: build
         run: ./build
@@ -45,18 +45,10 @@ jobs:
         run: ./build --describe >> $GITHUB_STEP_SUMMARY
       - name: Push images
         run: ./build --push
-
-  check:
-    name: Check published docker image
-    needs: build_push
-    permissions:
-      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-    runs-on: ubuntu-latest
-    steps:
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
         with:
-          image-ref: '${{ needs.build_push.outputs.LATEST_IMAGE_TAG }}'
+          image-ref: '${{ steps.build.outputs.LATEST_IMAGE_TAG }}'
           format: 'sarif'
           output: 'trivy-results.sarif'
           severity: 'CRITICAL,HIGH'
@@ -69,7 +61,7 @@ jobs:
   keepalive-job:
     name: Keep repository alive to prevent workflows to be disabled
     if: ${{ always() }}
-    needs: build_push
+    needs: build_push_check
     permissions:
       actions: write # for gautamkrishnar/keepalive-workflow to keep the workflow alive
     runs-on: ubuntu-latest

diff --git a/.github/workflows/vuln-check.yml b/.github/workflows/vuln-check.yml
@@ -24,8 +24,10 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v3
 
-      - name: Free Disk Space (Ubuntu) # Reclaim disk space for build
+      - name: Free Disk Space (Ubuntu) # Reclaim disk space for scan
         uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
+        with:
+          docker-images: false # Do not remove locally built images (including trivy scanner)
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0