feat: in the ci switch to matrix build and docker scout

Signed-off-by: Robert Waffen <[email protected]>

.github/workflows/ci.yaml

@@ -2,55 +2,89 @@
 name: CI🚦
 
 on:
-  pull_request: {}
-  push:
+  pull_request:
     branches:
       - main
-
+  workflow_dispatch:
 
 jobs:
+  setup-matrix:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+    steps:
+      - name: Source checkout
+        uses: actions/checkout@v4
+
+      - id: set-matrix
+        run: echo "matrix=$(jq -c . build_versions.json)" >> $GITHUB_OUTPUT
+
   general_ci:
     uses: voxpupuli/crafty/.github/workflows/general_ci.yaml@main
     with:
       shellcheck_scan_dir: './puppetdb'
 
-  build_docker_image:
-    name: 'Built test Docker image'
+  build_test_container:
+    name: 'Build test container'
     runs-on: ubuntu-latest
-    defaults:
-      run:
-        working-directory: 'puppetdb'
     permissions:
       actions: read
       contents: read
       security-events: write
+      pull-requests: write
+    needs: setup-matrix
+    strategy:
+      matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
 
-      - name: Build Docker image
+      - name: Build image
         uses: docker/build-push-action@v6
         with:
+          tags: 'ci/puppetdb:${{ matrix.version }}'
           context: puppetdb
-          tags: 'ci/puppetdb:${{ github.sha }}'
           push: false
+          build-args: |
+            PUPPET_RELEASE=${{ matrix.release }}
+            PUPPETDB_VERSION=${{ matrix.version }}
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: voxpupulibot
+          password: ${{ secrets.DOCKERHUB_BOT_PASSWORD }}
+
+      - name: Analyze container image for CVEs
+        id: analyze-image-cves
+        uses: docker/scout-action@v1
+        with:
+          command: cves
+          image: 'local://ci/puppetdb:${{ matrix.version }}'
+          sarif-file: sarif.output.${{ matrix.version }}.${{ github.sha }}.json
+          write-comment: false
 
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
+      - name: Compare container image to latest from Registry
+        id: compare-image
+        uses: docker/scout-action@v1
         with:
-          image-ref: 'ci/puppetdb:${{ github.sha }}'
-          format: 'sarif'
-          output: 'trivy-results.sarif'
+          command: compare
+          image: 'local://ci/puppetdb:${{ matrix.version }}'
+          to: 'ghcr.io/voxpupuli/puppetdb:${{ matrix.version }}-latest'
+          sarif-file: sarif.output.${{ matrix.version }}.${{ github.sha }}.json
+          summary: true
+          keep-previous-comments: true
 
-      - name: Upload Trivy scan results to GitHub Security tab
+      - name: Upload SARIF result
+        id: upload-sarif
         uses: github/codeql-action/upload-sarif@v3
         with:
-          sarif_file: 'trivy-results.sarif'
+          sarif_file: sarif.output.${{ matrix.version }}.${{ github.sha }}.json
 
   tests:
     needs:
       - general_ci
-      - build_docker_image
+      - build_test_container
     runs-on: ubuntu-latest
     name: Test suite
     steps: