Merge pull request #205 from canonical/KU-2031/tivy-for-relase-branches

Add Trivy scan for release branches

.github/workflows/trivy.yaml

@@ -1,23 +1,45 @@
 name: Trivy
 
 on:
-  pull_request:
   schedule:
     - cron: '0 10 * * *'
 
 jobs:
+  list-branches-to-scan:
+    runs-on: ubuntu-latest
+    outputs:
+      branches: ${{ steps.branches.outputs.branches }}
+    steps:
+      - name: Checking out repo
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: List branches to scan
+        id: branches
+        run: |
+          # regex matches branches like
+          #  origin/1.28
+          #  origin/v1.1
+          #  origin/release-1.30
+          #  origin/master
+          #  origin/main
+          BRANCHES=$(git branch -r | grep  -E '^  origin\/(((v|release-)?[0-9]+.[0-9]+)|(master|main))$' | \
+            sed -e 's#^  origin/##'  | jq -R -s -c 'split("\n")[:-1]')
+          echo "branches=$(echo $BRANCHES)" >> $GITHUB_OUTPUT
   scan:
     runs-on: ubuntu-latest
+    needs: list-branches-to-scan
     strategy:
       matrix:
-        branch: [master]
+        branch: ${{ fromJson(needs.list-branches-to-scan.outputs.branches) }}
     permissions:
       security-events: write
     steps:
       - name: Checking out repo
         uses: actions/checkout@v4
         with:
           ref: ${{ matrix.branch }}
+          fetch-depth: 0
       - name: Run Trivy vulnerability scanner in repo mode
         uses: aquasecurity/trivy-action@0.28.0
         with:
@@ -26,6 +48,8 @@ jobs:
           format: "sarif"
           output: "output.sarif"
           severity: "MEDIUM,HIGH,CRITICAL"
+        env:
+          TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db"
       - name: Get commit sha
         run: |
           SHA="$(git rev-parse HEAD)"