feat: Update CI workflow and dashboard Dockerfile

- Modify GitHub Actions CI to separate image build and push steps
- Add security-events write permission to CI job
- Remove standalone security-scan job; integrate Trivy scan into build pipeline
- Add image push steps after scanning in CI workflow
- Update Makefile with new security-scan target using Trivy for Docker images
- Upgrade dashboard Dockerfile base image from node 20 to 22 alpine
- Patch picomatch package in dashboard image to fix potential vulnerabilities during build

Author: haesookimDev

.github/workflows/ci.yml

@@ -122,6 +122,7 @@ jobs:
     if: github.repository == 'haesookimDev/xgen-sandbox' && github.event_name == 'push' && github.ref == 'refs/heads/main'
     permissions:
       packages: write
+      security-events: write
     env:
       REGISTRY_IMAGE: ghcr.io/${{ github.repository }}
     steps:
@@ -137,54 +138,33 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Build and push agent image
+      - name: Build agent image
         uses: docker/build-push-action@v6
         with:
           context: ./agent
-          push: true
-          tags: |
-            ${{ env.REGISTRY_IMAGE }}/agent:latest
-            ${{ env.REGISTRY_IMAGE }}/agent:${{ github.sha }}
+          load: true
+          tags: ${{ env.REGISTRY_IMAGE }}/agent:${{ github.sha }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
-      - name: Build and push sidecar image
+      - name: Build sidecar image
         uses: docker/build-push-action@v6
         with:
           context: ./sidecar
-          push: true
-          tags: |
-            ${{ env.REGISTRY_IMAGE }}/sidecar:latest
-            ${{ env.REGISTRY_IMAGE }}/sidecar:${{ github.sha }}
+          load: true
+          tags: ${{ env.REGISTRY_IMAGE }}/sidecar:${{ github.sha }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
-      - name: Build and push dashboard image
+      - name: Build dashboard image
         uses: docker/build-push-action@v6
         with:
           context: ./dashboard
-          push: true
-          tags: |
-            ${{ env.REGISTRY_IMAGE }}/dashboard:latest
-            ${{ env.REGISTRY_IMAGE }}/dashboard:${{ github.sha }}
+          load: true
+          tags: ${{ env.REGISTRY_IMAGE }}/dashboard:${{ github.sha }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
-  security-scan:
-    runs-on: ubuntu-latest
-    needs: [docker]
-    if: github.repository == 'haesookimDev/xgen-sandbox' && github.event_name == 'push' && github.ref == 'refs/heads/main'
-    permissions:
-      packages: read
-      security-events: write
-    env:
-      REGISTRY_IMAGE: ghcr.io/${{ github.repository }}
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Lowercase registry image name
-        run: echo "REGISTRY_IMAGE=${REGISTRY_IMAGE,,}" >> "$GITHUB_ENV"
-
       - name: Scan agent image
         uses: aquasecurity/trivy-action@v0.35.0
         with:
@@ -208,3 +188,33 @@ jobs:
           format: table
           exit-code: '1'
           severity: CRITICAL,HIGH
+
+      - name: Push agent image
+        uses: docker/build-push-action@v6
+        with:
+          context: ./agent
+          push: true
+          tags: |
+            ${{ env.REGISTRY_IMAGE }}/agent:latest
+            ${{ env.REGISTRY_IMAGE }}/agent:${{ github.sha }}
+          cache-from: type=gha
+
+      - name: Push sidecar image
+        uses: docker/build-push-action@v6
+        with:
+          context: ./sidecar
+          push: true
+          tags: |
+            ${{ env.REGISTRY_IMAGE }}/sidecar:latest
+            ${{ env.REGISTRY_IMAGE }}/sidecar:${{ github.sha }}
+          cache-from: type=gha
+
+      - name: Push dashboard image
+        uses: docker/build-push-action@v6
+        with:
+          context: ./dashboard
+          push: true
+          tags: |
+            ${{ env.REGISTRY_IMAGE }}/dashboard:latest
+            ${{ env.REGISTRY_IMAGE }}/dashboard:${{ github.sha }}
+          cache-from: type=gha

Makefile

@@ -1,7 +1,7 @@
 -include .env
 export
 
-.PHONY: all build build-agent build-sidecar build-dashboard build-images dev-cluster dev-deploy dev-dashboard dev-teardown test lint help
+.PHONY: all build build-agent build-sidecar build-dashboard build-images dev-cluster dev-deploy dev-dashboard dev-teardown test lint security-scan help
 
 # --- Help ---
 
@@ -92,6 +92,13 @@ tidy: ## Run go mod tidy for agent and sidecar
 	cd agent && go mod tidy
 	cd sidecar && go mod tidy
 
+# --- Security ---
+
+security-scan: build-images ## Run Trivy security scan on Docker images (requires: brew install trivy)
+	trivy image --severity CRITICAL,HIGH --exit-code 1 ghcr.io/xgen-sandbox/agent:latest
+	trivy image --severity CRITICAL,HIGH --exit-code 1 ghcr.io/xgen-sandbox/sidecar:latest
+	trivy image --severity CRITICAL,HIGH --exit-code 1 ghcr.io/xgen-sandbox/dashboard:latest
+
 # --- Hot Reload Development ---
 
 dev-agent: ## Run agent with hot reload (requires: go install github.com/air-verse/air@latest)

dashboard/Dockerfile

@@ -1,4 +1,4 @@
-FROM node:20-alpine AS builder
+FROM node:22-alpine AS builder
 WORKDIR /app
 
 COPY package.json package-lock.json* ./
@@ -7,11 +7,16 @@ RUN npm install --frozen-lockfile 2>/dev/null || npm install
 COPY . .
 RUN npm run build
 
-FROM node:20-alpine AS runner
+FROM node:22-alpine AS runner
 WORKDIR /app
 ENV NODE_ENV=production
 
-RUN apk upgrade --no-cache
+RUN apk upgrade --no-cache && \
+    PICO_DIR=$(find /usr/local/lib/node_modules/npm -type d -name picomatch | head -1) && \
+    wget -qO /tmp/p.tgz https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz && \
+    rm -rf "$PICO_DIR"/* && \
+    tar xzf /tmp/p.tgz --strip-components=1 -C "$PICO_DIR" && \
+    rm /tmp/p.tgz
 
 RUN addgroup --system --gid 1001 nodejs && \
     adduser --system --uid 1001 nextjs