Simplify logic to pass unique category

ddelnano · ddelnano · commit bcf24622c687 · 2025-07-16T00:35:38.000Z
Signed-off-by: Dom Del Nano &lt;ddelnano@gmail.com&gt;
diff --git a/.github/workflows/trivy_images.yaml b/.github/workflows/trivy_images.yaml
@@ -14,7 +14,7 @@ jobs:
     uses: ./.github/workflows/get_image.yaml
     with:
       image-base-name: "dev_image_with_extras"
-  generate-sarif:
+  image-scan:
     strategy:
       fail-fast: false
       matrix:
@@ -67,77 +67,11 @@ jobs:
     - run: |
         for f in "sarif/${{ matrix.artifact }}/"*; do
           jq '.runs[].tool.driver.name = "trivy-images"' < "$f" > tmp
-          mv tmp "$f"
+          # The runAutomationDetails's id field must contain a unique category as required by the CodeQL SARIF uploader
+          # This value will be interpreted like so: "${category}/${run_id}"
+          filename=$(basename "$f")/
+          jq --arg id "$filename" '.runAutomationDetails.id = $id/' < tmp > "$f"
         done
-    - name: Upload artifacts
-      uses: actions/upload-artifact@v4
-      with:
-        name: sarif-${{ matrix.artifact }}
-        path: sarif/
-        retention-days: 1
-
-  collect-sarifs:
-    # GitHub Actions matrix job outputs cannot be directly used as job outputs
-    # because matrix jobs create multiple output values (one per matrix combination).
-    # We need a separate job to collect all SARIF files from all artifacts
-    # and create a single unified matrix for the upload job.
-    needs: generate-sarif
-    runs-on: oracle-8cpu-32gb-x86-64
-    outputs:
-      matrix: ${{ steps.combine-sarifs.outputs.matrix }}
-      has-sarifs: ${{ steps.combine-sarifs.outputs.has-sarifs }}
-    steps:
-    - name: Download all artifacts
-      uses: actions/download-artifact@v4
-      with:
-        pattern: sarif-*
-        merge-multiple: true
-    - id: combine-sarifs
-      run: |
-        # With merge-multiple: true, all artifacts are in the same directory
-        # Find all SARIF files regardless of subdirectory structure
-        all_files=()
-        while IFS= read -r -d '' file; do
-          echo "Found file: $file"
-          all_files+=("$file")
-        done < <(find . -name "*.sarif" -type f -print0)
-
-        echo "Total files found: ${#all_files[@]}"
-
-        if [ ${#all_files[@]} -eq 0 ]; then
-          echo "matrix={\"include\":[]}" >> $GITHUB_OUTPUT
-          echo "has-sarifs=false" >> $GITHUB_OUTPUT
-        else
-          matrix_json=$(printf '%s\n' "${all_files[@]}" | jq -R -s '
-            split("\n") | map(select(length > 0)) | {
-              include: map({
-                file: .,
-                category: ("trivy-images-" + (split("/")[1]) + "-" + (split("/")[-1] | split(".")[0])),
-                artifact: ("sarif-" + (split("/")[1]))
-              })
-            }' | jq -c '.')
-
-          echo "matrix=$matrix_json" >> $GITHUB_OUTPUT
-          echo "has-sarifs=true" >> $GITHUB_OUTPUT
-        fi
-
-  upload-sarif:
-    needs: collect-sarifs
-    if: needs.collect-sarifs.outputs.has-sarifs == 'true'
-    strategy:
-      matrix: ${{ fromJson(needs.collect-sarifs.outputs.matrix) }}
-    runs-on: oracle-8cpu-32gb-x86-64
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-    steps:
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
-    - name: Download artifacts
-      uses: actions/download-artifact@v4
-      with:
-        name: ${{ matrix.artifact }}
     - uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841  # v3.28.13
       with:
-        sarif_file: ${{ matrix.file }}
-        category: ${{ matrix.category }}
+        sarif_file: sarif/${{ matrix.artifact }}
