From 3df454681a4d688d6ffec15472e2bc6728df7002 Mon Sep 17 00:00:00 2001
From: bhoff
Date: Thu, 31 Oct 2024 08:27:11 -0700
Subject: [PATCH] IT-3921: Rebuild container when Trivy code scan fails

---
 .github/workflows/trivy.yml | 3 +++
 .github/workflows/trivy_periodic_image_scan.yml | 14 ++++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index da967cb..91c4a83 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -87,4 +87,7 @@ jobs:
 with:
 sarif_file: ${{ env.sarif_file_name }}
 wait-for-processing: true
+
+ outputs:
+ trivy_conclusion: steps.trivy.outputs.conclusion
 ...
diff --git a/.github/workflows/trivy_periodic_image_scan.yml b/.github/workflows/trivy_periodic_image_scan.yml
index 1f57eef..f4429bb 100644
--- a/.github/workflows/trivy_periodic_image_scan.yml
+++ b/.github/workflows/trivy_periodic_image_scan.yml
@@ -32,4 +32,18 @@ jobs:
 # While GitHub repo's can be mixed (upper and lower) case,
 # Docker images can only be lower case
 IMAGE_NAME: ${{ needs.to-lower-case.outputs.lowercase-repo-name }}
+ EXIT_CODE: 1
+
+ # If scan failed, rebuild the image
+ update-image:
+ needs: periodic-scan
+ runs-on: ubuntu-latest
+ if: ${{needs.periodic-scan.outputs.trivy_conclusion == 'failure' }}
+ # tag the repo to trigger a new build
+ steps:
+ - name: Bump version and push tag
+ id: tag_version
+ uses: mathieudutour/github-tag-action@v6.2
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
 ...
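Review bot: `trivy_conclusion: steps.trivy.outputs.conclusion` is a plain string rather than an expression, so the job output is the literal text `steps.trivy.outputs.conclusion` and a downstream comparison with `'failure'` can never match. `conclusion` is also a property of the step context, not an entry under `outputs`, so the reference should be `trivy_conclusion: ${{ steps.trivy.conclusion }}` — or `${{ steps.trivy.outcome }}` if the `trivy` step (outside this hunk) runs with `continue-on-error: true`, since `conclusion` is reported as `success` in that case. If trivy_periodic_image_scan.yml consumes this file as a reusable workflow, as its `with:` inputs suggest, a job-level `outputs:` is not visible to the caller until it is also mapped under `on.workflow_call.outputs`, which lies outside this hunk. The enclosing job begins outside the hunk and the indentation of the new `outputs:` key was lost in this rendering, so its placement at job level (sibling of `steps:`, not under the last step) should be confirmed.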
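Review bot: The tag pushed by the `Bump version and push tag` step is unlikely to start the rebuild this job exists for, because GitHub does not create workflow runs for events produced with `secrets.GITHUB_TOKEN` (only `workflow_dispatch` and `repository_dispatch` are exempt), so a tag-triggered build workflow will stay silent. If the build workflow accepts `workflow_dispatch`, dispatching it directly (for example `run: gh workflow run <BUILD_WORKFLOW_FILE> --ref ${{ github.ref }}` with `GH_TOKEN: ${{ github.token }}` and `permissions: actions: write`, file name being a placeholder) keeps the job on the short-lived token instead of introducing a broadly scoped PAT. `mathieudutour/github-tag-action@v6.2` is a mutable tag on a third-party action that is handed a token able to push refs; pin it to a full commit SHA (`uses: mathieudutour/github-tag-action@<FULL_COMMIT_SHA> # v6.2`) so the code executing with that token cannot change underneath the workflow. Separately, `needs: periodic-scan` skips this job whenever that job fails, so unless the scan step runs with `continue-on-error`, the `if:` is never evaluated; `if: ${{ !cancelled() && needs.periodic-scan.outputs.trivy_conclusion == 'failure' }}` lets the job run after a failed scan and also fixes the missing space after `${{`.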