ci(docker): fail push when trivy finds CRITICAL/HIGH issues

ci: pin golangci-lint to v2.11
chore: bump go directive to 1.25.9
2026-06-16 14:49:25 +08:00 · 2026-04-16 23:01:13 +08:00 · 2026-04-16 21:11:23 +08:00 · 2026-04-16 20:58:02 +08:00 · 2026-04-16 18:10:07 +08:00
3 changed files with 17 additions and 2 deletions
@@ -75,6 +75,21 @@ jobs:
          load: true
          tags: drone-ssh:scan
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@v0.35.0
        with:
          image-ref: "drone-ssh:scan"
          format: "sarif"
          output: "trivy-image-results.sarif"
          severity: "CRITICAL,HIGH"
          exit-code: '1'
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        if: always()
        with:
          sarif_file: "trivy-image-results.sarif"
          category: "trivy-docker-image"
      - name: Build and push
        if: success()
        uses: docker/build-push-action@v7
@@ -20,7 +20,7 @@ jobs:
      - name: Setup golangci-lint
        uses: golangci/golangci-lint-action@v9
        with:
-          version: latest
+          version: v2.11
          args: --verbose
      - uses: hadolint/hadolint-action@v3.3.0
@@ -1,6 +1,6 @@
 module github.com/appleboy/drone-ssh
-go 1.25.0
+go 1.25.9
 require (
 	github.com/appleboy/easyssh-proxy v1.5.2
Author	SHA1	Message	Date
Bo-Yi Wu	16a892b3a7	ci(docker): fail push when trivy finds CRITICAL/HIGH issues	2026-04-16 23:01:13 +08:00
Bo-Yi Wu	8265cc3fb1	ci: pin golangci-lint to v2.11	2026-04-16 21:11:23 +08:00
Bo-Yi Wu	c0ae39b308	chore: bump go directive to 1.25.9	2026-04-16 20:58:02 +08:00
Bo-Yi Wu	ed85f7ef5e	ci(docker): add Trivy image scan before pushing Docker image - Add Trivy vulnerability scanner step before Docker image push - Upload SARIF results to GitHub Security tab	2026-04-16 18:10:07 +08:00