fix(ci): Authenticate Trivy correctly for ephemeral build (#4227)

Flagsmith · Jun 25, 2024 · b9a6f92 · b9a6f92
1 parent fe7cc53
commit b9a6f92
Showing 1 changed file with 8 additions and 4 deletions.
diff --git a/.github/workflows/.reusable-docker-build.yml b/.github/workflows/.reusable-docker-build.yml
@@ -111,9 +111,13 @@ jobs:
           steps.build.outputs.build-id) || format('{0}/flagsmith/{1}:{2}', inputs.registry-url, inputs.image-name,
           steps.meta.outputs.version) }} >> $GITHUB_OUTPUT
 
-      - name: Login to Depot Registry
+      - name: Render Depot token
+        id: depot-token
         if: inputs.scan && inputs.ephemeral
-        run: depot pull-token | docker login -u x-token --password-stdin registry.depot.dev
+        run: |
+          export DEPOT_TOKEN=$(depot pull-token)
+          echo ::add-mask::$DEPOT_TOKEN
+          echo depot-token=$DEPOT_TOKEN >> $GITHUB_OUTPUT
 
       - name: Run Trivy vulnerability scanner
         id: trivy
@@ -124,8 +128,8 @@ jobs:
           format: sarif
           output: trivy-results.sarif
         env:
-          TRIVY_USERNAME: ${{ github.actor }}
-          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+          TRIVY_USERNAME: ${{ inputs.ephemeral && 'x-token' || github.actor }}
+          TRIVY_PASSWORD: ${{ inputs.ephemeral && steps.depot-token.outputs.depot-token || secrets.GITHUB_TOKEN }}
 
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v2