ci: add trivy image scanning prior to release image push

.github/workflows/deployment.yaml

@@ -132,18 +132,34 @@ jobs:
           name: env-file
           path: ${{ inputs.docker_context }}
 
-      - name: Build and push Docker image
+      - name: Build Docker image
         if: ${{ inputs.deploy_type != 'release-only' }}
         id: build
         uses: docker/build-push-action@v4
         with:
           context: ${{ inputs.docker_context }}
           file: ${{ inputs.docker_context }}/${{ inputs.dockerfile_path }}
-          push: true
+          push: false
+          load: true
           tags: ${{ secrets.GCP_REGISTRY }}/${{ secrets.GCP_PROJECT }}/${{ inputs.image_path }}:latest
           build-args: |
             GH_ACCESS_TOKEN=${{ secrets.GH_ACCESS_TOKEN }}
 
+      - name: Run Trivy vulnerability scanner on image
+        if: ${{ inputs.deploy_type != 'release-only' }}
+        uses: aquasecurity/trivy-action@0.35.0
+        with:
+          scan-type: 'image'
+          image-ref: ${{ secrets.GCP_REGISTRY }}/${{ secrets.GCP_PROJECT }}/${{ inputs.image_path }}:latest
+          ignore-unfixed: true
+          format: 'table'
+          severity: 'CRITICAL,HIGH'
+          exit-code: '1'
+
+      - name: Push Docker image
+        if: ${{ inputs.deploy_type != 'release-only' }}
+        run: docker push ${{ secrets.GCP_REGISTRY }}/${{ secrets.GCP_PROJECT }}/${{ inputs.image_path }}:latest
+
       # --- GKE deploy ---
       - name: Get GKE Credentials
         if: ${{ inputs.deploy_type == 'gke' }}

.github/workflows/trivy-go-tests.yaml

@@ -30,7 +30,6 @@ on:
 
 permissions:
   contents: read
-  pull-requests: write
 
 jobs:
   trivy-scan-and-test:
@@ -70,41 +69,7 @@ jobs:
           severity: 'CRITICAL,HIGH,MEDIUM,LOW'
           exit-code: '1'  
 
-      - name: Comment Trivy Results on the Pull Request
-        if: always()
-        run: |
-          echo '### Trivy Scan Results' > comment_trivy.md
-          if [ -s trivy-results.txt ]; then
-            echo '#### Vulnerabilities Found' >> comment_trivy.md
-            echo '```' >> comment_trivy.md
-            cat trivy-results.txt >> comment_trivy.md
-            echo '```' >> comment_trivy.md
-          else
-            echo '#### No vulnerabilities found :white_check_mark:' >> comment_trivy.md
-          fi
-
-          gh pr comment ${{ github.event.pull_request.number }} --body-file comment_trivy.md
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Run Go Unit Tests and Comment Results
+      - name: Run Go Unit Tests
         if: ${{ inputs.run_go_tests }}
         working-directory: ${{ inputs.working_directory }}
-        run: |
-          echo '### Go Unit Test Results' > comment_go_tests.md
-          echo '| Test Name | Status |' >> comment_go_tests.md
-          echo '| --------- | ------ |' >> comment_go_tests.md
-
-          # Run Go tests and check for failures in real-time
-          go test -v ${{ inputs.test_path }} | grep -E '^(--- PASS|--- FAIL)' | sed -E 's/^(--- PASS: )(.*)/\|\2\|Pass\|/; s/^(--- FAIL: )(.*)/\|\2\|Fail\|/' >> comment_go_tests.md
-
-          # Post test results to PR
-          gh pr comment ${{ github.event.pull_request.number }} --body-file comment_go_tests.md
-
-          # Check for failed tests and exit if any test fails
-          if go test -v ${{ inputs.test_path }} | grep -q '^--- FAIL'; then
-            echo "There are failed tests. Failing the job."
-            exit 1
-          fi
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: go test -v ${{ inputs.test_path }}