From ffa1bd9af7dcf96908ffbd0401460d776194d767 Mon Sep 17 00:00:00 2001
From: Wikid82
Date: Tue, 18 Nov 2025 17:57:52 -0500
Subject: [PATCH] CI: Fix Trivy scan refs and guard SARIF upload; use metadata tags for docker-build scan; add outcome gating
---
 .github/workflows/docker-build.yml | 8 +++++---
 .github/workflows/docker-publish.yml | 6 +++---
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 32485dd8..130359ed 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -84,24 +84,26 @@ jobs:
 # Step 8: Run Trivy security scan
 - name: 🔍 Run Trivy vulnerability scanner
+ id: trivy
 uses: aquasecurity/trivy-action@master
 with:
- image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref == 'refs/heads/main' && 'latest' || 'dev' }}
+ image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
 format: 'sarif'
 output: 'trivy-results.sarif'
 # Step 9: Upload Trivy results to GitHub Security tab
 - name: 📤 Upload Trivy results to GitHub Security
 uses: github/codeql-action/upload-sarif@v3
- if: always()
+ if: steps.trivy.outcome == 'success'
 with:
 sarif_file: 'trivy-results.sarif'
 # Step 10: Run Trivy with table output for workflow logs
 - name: 📋 Run Trivy scan (table output)
+ if: steps.trivy.outcome == 'success'
 uses: aquasecurity/trivy-action@master
 with:
- image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref == 'refs/heads/main' && 'latest' || 'dev' }}
+ image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
 format: 'table'
 severity: 'CRITICAL,HIGH'
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index f26a810f..5cc4bcc1 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
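Review bot: The new `if: steps.trivy.outcome == 'success'` on the upload step ties publishing the SARIF to the scan step's exit status rather than to whether a report was written; Trivy's default exit code is 0 so this works today, but if `exit-code: '1'` is ever set to fail the build on findings, the scan's outcome becomes `failure` exactly when there are findings and the report would never reach the Security tab. Gating on the artifact keeps the guard this commit wants without that trap: `if: ${{ !cancelled() && hashFiles('trivy-results.sarif') != '' }}`, and the same applies to the upload step in the docker-publish.yml hunk. Separately, `fromJSON(steps.meta.outputs.json).tags[0]` scans whichever tag the metadata step listed first, a mutable reference that can be overwritten between the push and the scan, whereas docker-publish.yml scans by `@digest`; if the build step in this workflow exposes a digest output, scanning that would make the two workflows consistent and guarantee the scanned image is the one just built. The `meta` step and the build step are outside the hunk, so their outputs cannot be confirmed from here.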
@@ -76,6 +76,7 @@ jobs:
 - name: Run Trivy vulnerability scanner
 if: github.event_name != 'pull_request'
+ id: trivy
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
@@ -83,16 +84,15 @@ jobs:
 output: 'trivy-results.sarif'
 - name: Upload Trivy results to GitHub Security
- if: github.event_name != 'pull_request'
+ if: github.event_name != 'pull_request' && steps.trivy.outcome == 'success'
 uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: 'trivy-results.sarif'
 - name: Run Trivy scan (table output)
- if: github.event_name != 'pull_request'
+ if: github.event_name != 'pull_request' && steps.trivy.outcome == 'success'
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
 format: 'table'
 severity: 'CRITICAL,HIGH'
-
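Review bot: Both Trivy steps in this hunk, and the two in docker-build.yml, resolve `aquasecurity/trivy-action@master`, a mutable branch ref for a third-party action, so the scanner code that runs in this job can change without any commit to this repository; pinning to a release tag or, better, a full commit SHA (`uses: aquasecurity/trivy-action@<release-tag-or-sha>`) is the standard control, and since the commit is already reworking these steps it is the natural moment. The added `&& steps.trivy.outcome == 'success'` only changes behaviour if the scan step carries `continue-on-error: true`, which is not visible in the first hunk; without it a failing scan fails the job and the implicit `success()` already skips the later steps, so the clause is redundant rather than wrong. A one-line comment above the upload step recording which case is intended, e.g. `# upload only if the scan step actually produced a report (scan uses continue-on-error)`, would save the next reader from re-deriving it.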