scapegoat/Docs2.git

			@@ -3,7 +3,7 @@
			on:
			push:
			branches: [v4]
			tags: ["v*"]
			tags: ["v*"]
			pull_request:
			branches: [v4]
			paths:
			@@ -78,7 +78,7 @@
			id: build-and-push
			uses: docker/build-push-action@v6
			with:
			push: true
			push: ${{ github.event_name != 'pull_request' }}
			build-args: \|
			GIT_SHA=${{ env.GITHUB_SHA }}
			DOCKER_LABEL=sha-${{ env.GITHUB_SHA_SHORT }}
			@@ -86,32 +86,3 @@
			labels: ${{ steps.meta.outputs.labels \|\| steps.meta-pr.outputs.labels }}
			cache-from: type=gha
			cache-to: type=gha

			- name: Sign the released image
			if: ${{ github.event_name != 'pull_request' }}
			env:
			COSIGN_EXPERIMENTAL: "true"
			run: echo "${{ steps.meta.outputs.tags }}" \| xargs -I {} cosign sign --yes {}@${{ steps.build-and-push.outputs.digest }}
			- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
			uses: aquasecurity/trivy-action@master
			if: ${{ github.event_name != 'pull_request' }}
			with:
			image-ref: "ghcr.io/${{ github.repository_owner }}/quartz:sha-${{ env.GITHUB_SHA_SHORT }}"
			format: "github"
			output: "dependency-results.sbom.json"
			github-pat: ${{ secrets.GITHUB_TOKEN }}
			scanners: "vuln"
			- name: Run Trivy vulnerability scanner
			uses: aquasecurity/trivy-action@master
			if: ${{ github.event_name != 'pull_request' }}
			with:
			image-ref: "ghcr.io/${{ github.repository_owner }}/quartz:sha-${{ env.GITHUB_SHA_SHORT }}"
			format: "sarif"
			output: "trivy-results.sarif"
			severity: "CRITICAL"
			scanners: "vuln"
			- name: Upload Trivy scan results to GitHub Security tab
			uses: github/codeql-action/upload-sarif@v2
			if: ${{ github.event_name != 'pull_request' }}
			with:
			sarif_file: "trivy-results.sarif"