From b97d32f9948b5ac07088326828597052f455981e Mon Sep 17 00:00:00 2001
From: ben-harvey
Date: Fri, 15 Nov 2024 09:38:05 -0500
Subject: [PATCH 1/4] Use GitHub PAT

---
 .github/workflows/_docker-build.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/_docker-build.yml b/.github/workflows/_docker-build.yml
index a8b279b..27d8112 100644
--- a/.github/workflows/_docker-build.yml
+++ b/.github/workflows/_docker-build.yml
@@ -87,8 +87,9 @@ jobs:
           provenance: false # the default behavior adds an 'image index' which clutters up ECR, see https://github.com/docker/buildx/issues/1533
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.28.0
         with:
+          github-pat: ${{ secrets.SERVICE_ACCOUNT_GITHUB_TOKEN }}
           image-ref: ${{ steps.set-image-tag-with-repo.outputs.image-tag-with-repo }}
           format: "table"
           exit-code: "1"

From f158651fdd8f62e4a99b309dcba2eb5659b38211 Mon Sep 17 00:00:00 2001
From: ben-harvey
Date: Fri, 15 Nov 2024 09:45:34 -0500
Subject: [PATCH 2/4] try setup-trivy action

---
 .github/workflows/_docker-build.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/_docker-build.yml b/.github/workflows/_docker-build.yml
index 27d8112..e902917 100644
--- a/.github/workflows/_docker-build.yml
+++ b/.github/workflows/_docker-build.yml
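Review bot: `uses: aquasecurity/trivy-action@0.28.0` replaces the floating `@master` with a tag, but a tag is still mutable, and this step is now handed a service-account secret; pin to the release's full commit SHA and keep the version as a trailing comment, `uses: aquasecurity/trivy-action@<commit-sha-of-0.28.0> # 0.28.0`, so a moved tag cannot change the code that receives the token. The same applies to `aquasecurity/setup-trivy@v0.2.2` in the second patch, and the tag-only pin survives through the fourth patch. `github-pat: ${{ secrets.SERVICE_ACCOUNT_GITHUB_TOKEN }}` passes a long-lived PAT to a third-party action purely to avoid download rate limits; if the job-scoped, ephemeral `${{ secrets.GITHUB_TOKEN }}` satisfies that need it is the least-privilege choice, and the later patches in this series drop the PAT from the step entirely, which is the better end state. The step's `with:` block continues as shown, but the enclosing job definition starts before this hunk.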
@@ -86,10 +86,16 @@ jobs:
           load: true # this loads the image to the current docker instance so it can be referenced by tag in the subsequent steps: https://docs.docker.com/engine/reference/commandline/buildx_build/#docker
           provenance: false # the default behavior adds an 'image index' which clutters up ECR, see https://github.com/docker/buildx/issues/1533
 
+      - name: Install Trivy vulnerability scanner
+        uses: aquasecurity/setup-trivy@v0.2.2
+        with:
+          cache: true
+          token: ${{ secrets.SERVICE_ACCOUNT_GITHUB_TOKEN }}
+
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@0.28.0
         with:
-          github-pat: ${{ secrets.SERVICE_ACCOUNT_GITHUB_TOKEN }}
+          skip-setup-trivy: true
           image-ref: ${{ steps.set-image-tag-with-repo.outputs.image-tag-with-repo }}
           format: "table"
           exit-code: "1"

From f36e22919cbee42c56d891b5feafa54c39263b49 Mon Sep 17 00:00:00 2001
From: ben-harvey
Date: Fri, 15 Nov 2024 09:54:21 -0500
Subject: [PATCH 3/4] try ECR mirror

---
 .github/workflows/_docker-build.yml | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/_docker-build.yml b/.github/workflows/_docker-build.yml
index e902917..51bfcd4 100644
--- a/.github/workflows/_docker-build.yml
+++ b/.github/workflows/_docker-build.yml
@@ -86,16 +86,17 @@ jobs:
           load: true # this loads the image to the current docker instance so it can be referenced by tag in the subsequent steps: https://docs.docker.com/engine/reference/commandline/buildx_build/#docker
           provenance: false # the default behavior adds an 'image index' which clutters up ECR, see https://github.com/docker/buildx/issues/1533
 
-      - name: Install Trivy vulnerability scanner
-        uses: aquasecurity/setup-trivy@v0.2.2
-        with:
-          cache: true
-          token: ${{ secrets.SERVICE_ACCOUNT_GITHUB_TOKEN }}
+      # - name: Install Trivy vulnerability scanner
+      # uses: aquasecurity/setup-trivy@v0.2.2
+      # with:
+      # cache: true
+      # token: ${{ secrets.SERVICE_ACCOUNT_GITHUB_TOKEN }}
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@0.28.0
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
         with:
-          skip-setup-trivy: true
           image-ref: ${{ steps.set-image-tag-with-repo.outputs.image-tag-with-repo }}
           format: "table"
           exit-code: "1"

From 8fe9ee2a1296d24e35336bafe75a5c15526831f4 Mon Sep 17 00:00:00 2001
From: ben-harvey
Date: Fri, 15 Nov 2024 10:00:46 -0500
Subject: [PATCH 4/4] Add comment

---
 .github/workflows/_docker-build.yml | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/.github/workflows/_docker-build.yml b/.github/workflows/_docker-build.yml
index 51bfcd4..49c42cb 100644
--- a/.github/workflows/_docker-build.yml
+++ b/.github/workflows/_docker-build.yml
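Review bot: `TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2` redirects only the vulnerability DB; when Trivy encounters JAR/WAR artifacts in the scanned image it fetches a separate Java DB, which as far as I know still defaults to GHCR and would hit the same rate limit this change is working around. Consider adding `TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1` beside it (confirm the mirror tag against the Trivy docs), or state in the comment added by the fourth patch that the Java DB was deliberately left on GHCR. The same `env:` block is carried unchanged into the fourth patch, so the note applies there too. The enclosing job definition starts before this hunk.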
@@ -86,15 +86,10 @@ jobs:
           load: true # this loads the image to the current docker instance so it can be referenced by tag in the subsequent steps: https://docs.docker.com/engine/reference/commandline/buildx_build/#docker
           provenance: false # the default behavior adds an 'image index' which clutters up ECR, see https://github.com/docker/buildx/issues/1533
 
-      # - name: Install Trivy vulnerability scanner
-      # uses: aquasecurity/setup-trivy@v0.2.2
-      # with:
-      # cache: true
-      # token: ${{ secrets.SERVICE_ACCOUNT_GITHUB_TOKEN }}
-
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@0.28.0
         env:
+          # avoid GHCR rate limits, see https://github.com/aquasecurity/trivy-db/pull/440 and https://github.com/aquasecurity/trivy-action/issues/389
           TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
         with:
           image-ref: ${{ steps.set-image-tag-with-repo.outputs.image-tag-with-repo }}