From a609c5520987876f9abcb7141d516b6964c539b3 Mon Sep 17 00:00:00 2001
From: chgl
Date: Wed, 23 Oct 2024 21:44:07 +0200
Subject: [PATCH] fix: use alt mirrors for trivy db (#89)
* fix: use alt mirrors for trivy db
* rm cache dir
* added to standard lint
* schedule
---
 .github/workflows/standard-build.yaml | 23 ++++-------------------
 .github/workflows/standard-lint.yaml | 4 ++++
 .github/workflows/standard-schedule.yaml | 4 ++++
 3 files changed, 12 insertions(+), 19 deletions(-)
diff --git a/.github/workflows/standard-build.yaml b/.github/workflows/standard-build.yaml
index 114e8f9..e2df29e 100644
--- a/.github/workflows/standard-build.yaml
+++ b/.github/workflows/standard-build.yaml
@@ -7,6 +7,10 @@ defaults:
 run:
 shell: bash
+env:
+ TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+ TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
+
 on:
 workflow_call:
 inputs:
@@ -234,23 +238,6 @@ jobs:
 wget https://github.com/aquasecurity/trivy/releases/download/v0.56.0/trivy_0.56.0_Linux-64bit.deb
 sudo dpkg -i trivy_0.56.0_Linux-64bit.deb
- - name: Check trivy db sha
- id: trivy-db-sha
- env:
- GH_TOKEN: ${{ github.token }}
- run: |
- endpoint='/orgs/aquasecurity/packages/container/trivy-db/versions'
- headers='Accept: application/vnd.github+json'
- jqFilter='.[] | select(.metadata.container.tags[] | contains("latest")) | .name | sub("sha256:";"")'
- sha=$(gh api -H "${headers}" "${endpoint}" | jq --raw-output "${jqFilter}")
- echo "Trivy DB sha256:${sha}"
- echo "sha=${sha}" >> "${GITHUB_OUTPUT}"
- - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
- with:
- path: "${{ github.workspace }}/.cache/trivy"
- key: ${{ runner.os }}-trivy-db-${{ steps.trivy-db-sha.outputs.sha }}
-
 - name: Create Trivy vulnerability attestation
 if: ${{ inputs.enable-trivy-scan }}
 env:
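Review bot: The new workflow-level `env:` block in standard-build.yaml redirects both Trivy DB pulls to a non-default registry without any comment recording why the default source was replaced, so a later reader cannot tell whether this is a deliberate supply-chain decision or a temporary workaround, and the identical block is repeated in the standard-lint.yaml and standard-schedule.yaml hunks with the same gap. I would add above each block: `# Trivy DB mirrors on ECR Public (overrides the default source); keep in sync across standard-build, standard-lint and standard-schedule.` The `:2` / `:1` references are major-version tags, which as far as I know is what Trivy itself resolves, so digest-pinning would not be appropriate here, but the override now applies to every job of these reusable workflows rather than only the Trivy steps — worth confirming that scope is intended. Note also that with the cache steps removed in the same commit, each run depends on a successful pull from this mirror, so a mirror outage now fails the scan rather than falling back to a cached DB.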
@@ -258,7 +245,6 @@ jobs:
 run: |
 trivy image \
 --exit-code=0 \
- --cache-dir="${{ github.workspace }}/.cache/trivy" \
 --format=cosign-vuln \
 --output=trivy-vuln-attestation.json \
 --ignore-unfixed="${{ inputs.trivy-ignore-unfixed }}" \
@@ -284,7 +270,6 @@ jobs:
 run: |
 trivy image \
 --exit-code=0 \
- --cache-dir="${{ github.workspace }}/.cache/trivy" \
 --format=template \
 --output=trivy-pr-report.md \
 --template="@trivy-pr-report.md.tpl" \
diff --git a/.github/workflows/standard-lint.yaml b/.github/workflows/standard-lint.yaml
index 4157c8e..c5c3905 100644
--- a/.github/workflows/standard-lint.yaml
+++ b/.github/workflows/standard-lint.yaml
@@ -7,6 +7,10 @@ defaults:
 run:
 shell: bash
+env:
+ TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+ TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
+
 on:
 workflow_call:
 inputs:
diff --git a/.github/workflows/standard-schedule.yaml b/.github/workflows/standard-schedule.yaml
index 3c0fcc3..4660d83 100644
--- a/.github/workflows/standard-schedule.yaml
+++ b/.github/workflows/standard-schedule.yaml
@@ -20,6 +20,10 @@ on:
 description: "The GitHub workflow token used to push to ghcr.io. Also used by MegaLinter"
 required: true
+env:
+ TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+ TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
+
 jobs:
 check-links:
 name: check links using lychee