Update release.yml

antonko · antonko · commit 4a31d49046c9 · 2025-01-12T00:06:04.000+03:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -34,6 +34,32 @@ jobs:
       - name: Run mypy
         run: uv run mypy .
 
+  security:
+    runs-on: ubuntu-24.04
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: "fs"
+          scan-ref: "."
+          format: "table"
+          exit-code: "1"
+          severity: "CRITICAL"
+          skip-dirs: "tests"
+
+      - name: Check dependencies for vulnerabilities
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: "config"
+          scan-ref: "."
+          format: "table"
+          exit-code: "1"
+          severity: "CRITICAL"
+          vuln-type: "library"
+
   test:
     runs-on: ubuntu-24.04
     timeout-minutes: 15
@@ -61,6 +87,7 @@ jobs:
     runs-on: ubuntu-24.04
     needs:
       - check
+      - security
       - test
     concurrency: release
 
@@ -81,7 +108,6 @@ jobs:
   docker:
     runs-on: ubuntu-24.04
     needs: release
-    # if: needs.release.outputs.released == 'true'
     steps:
       - uses: actions/checkout@v4
 
@@ -90,26 +116,3 @@ jobs:
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
-
-      - name: Build and scan image
-        uses: docker/build-push-action@v6
-        with:
-          push: false
-          load: true
-          tags: antonk0/gigachat-adapter:${{ needs.release.outputs.version }}
-
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: antonk0/gigachat-adapter:${{ needs.release.outputs.version }}
-          format: "table"
-          exit-code: "1"
-          severity: "CRITICAL"
-
-      # - name: Build and Push Docker image
-      #   uses: docker/build-push-action@v6
-      #   with:
-      #     push: true
-      #     tags: |
-      #       antonk0/gigachat-adapter:latest
-      #       antonk0/gigachat-adapter:${{ needs.release.outputs.version }}
