Add Trivy scan for release branches #701

	name: Trivy

	on:
	pull_request:
	schedule:
	- cron: '0 10 * * *'

	jobs:
	prepare:
	runs-on: ubuntu-latest
	outputs:
	branches: ${{ steps.branches.outputs.branches }}
	steps:
	- name: Checking out repo
	uses: actions/checkout@v4
	with:
	fetch-depth: 0
	- name: Create branches to test
	id: branches
	run: \|
	# regex matches branches like
	# origin/1.28
	# origin/v1.1
	# origin/release-1.30
	# origin/master
	# origin/main
	BRANCHES=$(git branch -r \| grep -E '^ origin\/(((v\|release-)?[0-9]+.[0-9]+)\|(master\|main))$' \| \
	sed -e 's#^ origin/##' \| jq -R -s -c 'split("\n")[:-1]')
	echo "branches=$(echo $BRANCHES)" >> $GITHUB_OUTPUT
	scan:
	runs-on: ubuntu-latest
	needs: prepare
	strategy:
	matrix:
	branch: ${{ fromJson(needs.prepare.outputs.branches) }}
	permissions:
	security-events: write
	steps:
	- name: Checking out repo
	uses: actions/checkout@v4
	with:
	ref: ${{ matrix.branch }}
	fetch-depth: 0
	- name: Run Trivy vulnerability scanner in repo mode
	uses: aquasecurity/trivy-action@0.28.0
	with:
	scan-type: "fs"
	ignore-unfixed: true
	format: "sarif"
	output: "output.sarif"
	severity: "MEDIUM,HIGH,CRITICAL"
	env:
	TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db"
	- name: Get commit sha
	run: \|
	SHA="$(git rev-parse HEAD)"
	echo "head_sha=$SHA" >> "$GITHUB_ENV"
	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: "output.sarif"
	sha: ${{ env.head_sha }}
	ref: refs/heads/${{ matrix.branch }}

Provide feedback