From 56663023f5d1e93791dcdfa0714bcc8fe684d976 Mon Sep 17 00:00:00 2001
From: Alex Pyrgiotis
Date: Mon, 10 Mar 2025 18:30:07 +0200
Subject: [PATCH] ci: Security scan ARM images

Scan ARM images using Anchore's scan action, by utilizing the Ubuntu ARM runners provided by GitHub. While our ARM images are used only in macOS silicon platforms, we can use the Ubuntu ARM runners just for scanning.

Closes #1008
---
 .github/workflows/scan.yml          | 14 ++++++++++++--
 .github/workflows/scan_released.yml | 14 +++++++++-----
 2 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index e08dcef..345a7a4 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -10,7 +10,12 @@ on:
 
 jobs:
   security-scan-container:
-    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        runs-on:
+          - ubuntu-24.04
+          - ubuntu-24.04-arm
+    runs-on: ${{ matrix.runs-on }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -58,7 +63,12 @@ jobs:
         severity-cutoff: critical
 
   security-scan-app:
-    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        runs-on:
+          - ubuntu-24.04
+          - ubuntu-24.04-arm
+    runs-on: ${{ matrix.runs-on }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
diff --git a/.github/workflows/scan_released.yml b/.github/workflows/scan_released.yml
index 3688e61..b8d555e 100644
--- a/.github/workflows/scan_released.yml
+++ b/.github/workflows/scan_released.yml
@@ -9,11 +9,10 @@ jobs:
     strategy:
       matrix:
         include:
-          - runs-on: ubuntu-latest
+          - runs-on: ubuntu-24.04
             arch: i686
-          # Do not scan Silicon mac for now to avoid masking release scan results for other plaforms.
-          # - runs-on: macos-latest
-          #   arch: arm64
+          - runs-on: ubuntu-24.04-arm
+            arch: arm64
     runs-on: ${{ matrix.runs-on }}
     steps:
       - name: Checkout
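Review bot: The new `strategy:` blocks in both scan.yml hunks and in the scan_released.yml `security-scan-app` hunk leave `fail-fast` at its default of true, so a scan that fails on one architecture (these jobs run with `severity-cutoff: critical`) can cancel the other architecture's still-running scan job, which reproduces the masking problem the comment removed in scan_released.yml's first hunk warned about. Adding `fail-fast: false` directly under each `strategy:` keeps the two architecture scans independent; the pre-existing `strategy:` of the `include` matrix in that first hunk shows no `fail-fast` either, as far as the hunk is visible, and should get the same line. Turning these jobs into matrix jobs also changes their check names to the `security-scan-container (ubuntu-24.04)` form, so any required-status rules keyed on the bare job names would presumably need updating — inferred, not visible here.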
@@ -55,7 +54,12 @@ jobs:
         severity-cutoff: critical
 
   security-scan-app:
-    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        runs-on:
+          - ubuntu-24.04
+          - ubuntu-24.04-arm
+    runs-on: ${{ matrix.runs-on }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4