Tag PR image build as latest before scanning

This is less effort than passing the tag across steps 🤷‍♂️ Signed-off-by: Brad Davidson <brad.davidson@rancher.com> (cherry picked from commit 378edb939d) Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
3 months ago · c0877f34b6
2 changed files with 17 additions and 1 deletions
--- a/.github/workflows/trivy.yaml
+++ b/.github/workflows/trivy.yaml
@ -27,11 +27,12 @@ jobs:
      run: |
        make local
        make package-image
+        make tag-image-latest

    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@0.24.0
      with:
-        image-ref: 'rancher/k3s'
+        image-ref: 'rancher/k3s:latest'
        format: 'table'
        severity: "HIGH,CRITICAL"
        output: "trivy-report.txt"
--- a/scripts/tag-image-latest
+++ b/scripts/tag-image-latest
@ -0,0 +1,15 @@
+#!/bin/bash
+set -e
+
+cd $(dirname $0)/..
+
+. ./scripts/version.sh
+
+TAG=${TAG:-${VERSION_TAG}${SUFFIX}}
+REPO=${REPO:-rancher}
+IMAGE_NAME=${IMAGE_NAME:-k3s}
+
+IMAGE=${REPO}/${IMAGE_NAME}:${TAG}
+LATEST=${REPO}/${IMAGE_NAME}:latest
+docker image tag ${IMAGE} ${LATEST}
+echo Tagged ${IMAGE} as ${LATEST}