internal: add CVE check to release job as blocking (#171)

obs-gh-alexlew · web-flow · commit 8fffce9fc2be · 2025-03-05T14:08:08.000-08:00
### Description

internal: add CVE check to release job as blocking

### Checklist
- [ ] Created tests which fail without the change (if possible)
- [ ] Extended the README / documentation, if necessary
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -14,7 +14,13 @@ permissions:
   contents: write
 
 jobs:
+  vuln-check:
+    name: Docker Image Vulnerability Check
+    uses: ./.github/workflows/vuln-check.yaml
+    secrets: inherit
+
   goreleaser:
+    needs: vuln-check
     runs-on: ubuntu-observe-agent-8cpu
     steps:
       - name: Checkout
diff --git a/.github/workflows/vuln-check.yaml b/.github/workflows/vuln-check.yaml
@@ -2,6 +2,7 @@ name: Docker Image Vulnerability Check
 
 on:
   workflow_dispatch:
+  workflow_call:
 
 permissions:
   contents: read
@@ -10,33 +11,45 @@ env:
   TEST_TAG: observeinc/observe-agent:test
 
 jobs:
-  build:
-    runs-on: ubuntu-latest
+  vuln-check:
+    runs-on: ubuntu-observe-agent-8cpu
     steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.inputs.branch }}
+
       - name: Login to Docker Hub
         uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: Install qemu
-        uses: docker/setup-qemu-action@v3
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
-
-      - name: Build and export
-        uses: docker/build-push-action@v6
+      
+      - name: Set up Go
+        uses: actions/setup-go@v5
         with:
-          tags: ${{ env.TEST_TAG }}
-          outputs: type=docker,dest=${{ runner.temp }}/myimage.tar
+          go-version: 1.22.12
 
-      - name: Upload artifact
-        uses: actions/upload-artifact@v4
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v6
         with:
-          name: myimage
-          path: ${{ runner.temp }}/myimage.tar
-  
+          distribution: goreleaser-pro
+          version: 2.4.4
+          args: build --snapshot --id=default --skip=validate --single-target
+        env:
+          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+
+      - name: Copy Binary
+        run: |
+          cp dist/linux_amd64_v1/default_linux_amd64_v1/observe-agent .
+      
+      - name: Build an image from Dockerfile
+        run: docker build -f packaging/docker/Dockerfile -t docker.io/${{ env.TEST_TAG}} .
+
       - name: Docker Scout
         id: docker-scout
         uses: docker/scout-action@v1
@@ -46,4 +59,5 @@ jobs:
           to-latest: true
           ignore-base: true
           ignore-unchanged: true
-          only-fixed: true
+          only-fixed: false
+          exit-code: true
