use DB digest instead of date for caching

autonomys · Nov 1, 2024 · 831c4f5 · 831c4f5
1 parent e544547
commit 831c4f5
Showing 1 changed file with 13 additions and 8 deletions.
diff --git a/.github/workflows/trivy-security-scan.yml b/.github/workflows/trivy-security-scan.yml
@@ -24,20 +24,25 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
-      # Cache restore for Trivy DB
+      - name: Setup oras
+        uses: oras-project/setup-oras@9c92598691bfef1424de2f8fae81941568f5889c # v1.21
+
+      # Get DB digest for cache key
+      - name: Get Trivy DB digest
+        id: db-digest
+        run: |
+          DIGEST=$(oras manifest fetch ghcr.io/aquasecurity/trivy-db:2 | sha256sum | cut -d' ' -f1)
+          echo "digest=${DIGEST}" >> $GITHUB_OUTPUT
+
+      # Cache restore with digest key
       - name: Check and restore Trivy DB cache
         id: cache-trivy-db
         uses: actions/cache@v4
         with:
           path: .cache/trivy
-          key: trivy-${{ steps.date.outputs.date }}
-          restore-keys: |
-            trivy-
-
-      - name: Setup oras
-        if: steps.cache-trivy-db.outputs.cache-hit != 'true'
-        uses: oras-project/setup-oras@9c92598691bfef1424de2f8fae81941568f5889c # v1.21
+          key: trivy-${{ steps.db-digest.outputs.digest }}
 
+      # Download the DB if cache miss
       - name: Download and extract Trivy DB
         if: steps.cache-trivy-db.outputs.cache-hit != 'true'
         run: |