ci: enhance security scanning workflow with build matrix and permissions adjustments

rwaffen · rwaffen · commit ba1fa187b337 · 2026-06-12T13:54:28.000+02:00
Signed-off-by: Robert Waffen &lt;rw@betadots.de&gt;
diff --git a/.github/workflows/security_scanning.yml b/.github/workflows/security_scanning.yml
@@ -9,51 +9,52 @@ on:
     branches:
       - main
 
+concurrency:
+  group: security-scanning-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read # minimal required permissions to clone repo
+
 jobs:
   setup-matrix:
     runs-on: ubuntu-latest
     outputs:
-      matrix: ${{ steps.set-matrix.outputs.matrix }}
+      build_matrix: ${{ steps.set-build-matrix.outputs.build_matrix }}
     steps:
       - name: Source checkout
         uses: actions/checkout@v6
 
       - name: 'Setup yq'
         uses: dcarbone/install-yq-action@v1.3.1
 
-      - id: set-matrix
-        run: echo "matrix=$(yq -o json build_versions.yaml | jq -c)" >> $GITHUB_OUTPUT
+      - id: set-build-matrix
+        run: echo "build_matrix=$(bash matrix.sh build)" >> $GITHUB_OUTPUT
 
   scan_ci_container:
-    name: 'Scan CI container'
-    runs-on: ubuntu-latest
+    name: 'Scan ${{ matrix.platform }} CI container'
+    runs-on: ${{ matrix.runner }}
     permissions:
       actions: read
       contents: read
       security-events: write
     needs: setup-matrix
     strategy:
-      matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
+      fail-fast: false
+      matrix: ${{ fromJson(needs.setup-matrix.outputs.build_matrix) }}
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6
 
-      - name: Extract version number
-        id: extract_version
-        uses: actions/github-script@v9
-        with:
-          script: |
-            const agentVersion = '${{ matrix.agent_version }}';
-            const version = agentVersion.split('-')[0];
-            core.setOutput('version', version);
-
-      - name: Build CI container
+      - name: Build ${{ matrix.platform }} CI container
         uses: docker/build-push-action@v7
         with:
-          tags: 'ci/openvoxagent:${{ steps.extract_version.outputs.version }}'
+          tags: ci/openvoxagent:${{ matrix.agent_semver }}-${{ matrix.platform }}
           context: .
           file: Containerfile
+          load: true
           push: false
+          platforms: linux/${{ matrix.platform }}
           build-args: |
             OPENVOX_RELEASE=${{ matrix.release }}
             OPENVOXAGENT_VERSION=${{ matrix.agent_version }}
@@ -62,7 +63,7 @@ jobs:
         uses: anchore/scan-action@v7
         id: scan
         with:
-          image: 'ci/openvoxagent:${{ steps.extract_version.outputs.version }}'
+          image: 'ci/openvoxagent:${{ matrix.agent_semver }}-${{ matrix.platform }}'
           fail-build: false
 
       - name: Inspect action SARIF report
@@ -72,3 +73,4 @@ jobs:
         uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: ${{ steps.scan.outputs.sarif }}
+          category: grype-${{ matrix.platform }}
