From ba20a82f66985882f9fcd22ee5347fd5c66d3dd9 Mon Sep 17 00:00:00 2001 From: Bruce Bujon Date: Wed, 21 Aug 2024 10:07:47 +0200 Subject: [PATCH] feat: Try not cleaning docker images --- .github/workflows/ci.yml | 20 ++++++-------------- .github/workflows/vuln-check.yml | 4 +++- 2 files changed, 9 insertions(+), 15 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ed6d07a..8a227f2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -13,15 +13,13 @@ on: workflow_dispatch: jobs: - build_push: - name: Build and publish docker images + build_push_check: + name: Build docker image, publish it and run vuln scanner against it permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results packages: write # for image publication to GitHub Packages runs-on: ubuntu-latest - outputs: - LATEST_IMAGE_TAG: ${{ steps.build.outputs.LATEST_IMAGE_TAG }} steps: - name: Checkout repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 4.1.7 @@ -36,6 +34,8 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Free Disk Space (Ubuntu) # Reclaim disk space for build uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1 + with: + docker-images: false # Do not remove locally built images (including trivy scanner) - name: Build images id: build run: ./build 
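Review bot: Merging the scan into the publishing job widens the token the scanner steps run with: the job-level `permissions` keep `packages: write` for every step, so `trivy-action` and the SARIF upload now execute with a GITHUB_TOKEN that can push to GitHub Packages, whereas the removed `check` job ran them with `security-events: write` only. Both third-party actions are pinned to commit SHAs, which limits the exposure, but the trade-off is worth recording next to the permission, e.g. `packages: write # for image publication; note: also granted to the scan/upload steps of this job`. If the scan ever needs to be isolated again, a separate job with `needs:` and the tag passed through `outputs` (as the removed lines did) is the way back.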
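Review bot: The comment on the new `docker-images: false` input does not match where the step runs: `Free Disk Space (Ubuntu)` executes before `Build images`, so at that point there are no locally built images to preserve, and the Trivy scanner image is only pulled later by `trivy-action`. What the flag actually keeps is the runner's pre-installed Docker images; suggest saying so, e.g. `docker-images: false # Keep the runner's pre-cached images; build and scan run after this step`, and noting the observed failure this is meant to avoid, since the subject ("Try not cleaning") suggests the change is experimental. The same comment is duplicated in vuln-check.yml and would need the same correction.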
@@ -45,18 +45,10 @@ jobs: run: ./build --describe >> $GITHUB_STEP_SUMMARY - name: Push images run: ./build --push - - check: - name: Check published docker image - needs: build_push - permissions: - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - runs-on: ubuntu-latest - steps: - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0 with: - image-ref: '${{ needs.build_push.outputs.LATEST_IMAGE_TAG }}' + image-ref: '${{ steps.build.outputs.LATEST_IMAGE_TAG }}' format: 'sarif' output: 'trivy-results.sarif' severity: 'CRITICAL,HIGH' @@ -69,7 +61,7 @@ jobs: keepalive-job: name: Keep repository alive to prevent workflows to be disabled if: ${{ always() }} - needs: build_push + needs: build_push_check permissions: actions: write # for gautamkrishnar/keepalive-workflow to keep the workflow alive runs-on: ubuntu-latest diff --git a/.github/workflows/vuln-check.yml b/.github/workflows/vuln-check.yml index c374985..b6488db 100644 --- a/.github/workflows/vuln-check.yml +++ b/.github/workflows/vuln-check.yml @@ -24,8 +24,10 @@ jobs: - name: Checkout code uses: actions/checkout@v3 - - name: Free Disk Space (Ubuntu) # Reclaim disk space for build + - name: Free Disk Space (Ubuntu) # Reclaim disk space for scan uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1 + with: + docker-images: false # Do not remove locally built images (including trivy scanner) - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
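Review bot: The Trivy step still runs after `Push images`, so the scan never gates publication — an image with CRITICAL/HIGH findings is already in the registry by the time `trivy-results.sarif` is produced. Now that build, push and scan share a job and the image is addressable locally via `steps.build.outputs.LATEST_IMAGE_TAG`, the scanner step can be moved between `Build images` and `Push images` and given `exit-code: '1'` so `./build --push` only runs after a clean scan. If publishing first is intentional (the SARIF only feeding code scanning), a comment such as `# Scan runs post-publish; findings are reported, not blocking` would make that explicit. The remaining inputs of the Trivy step and the SARIF upload appear to continue past this hunk.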