updates CI

.github/actions/docker_build/action.yml

@@ -107,7 +107,9 @@ runs:
     - name: "Image Name"
       shell: bash
       id: image_name
-      run: echo "name=${{ inputs.image }}:${{ steps.meta.outputs.version }}" >> $GITHUB_OUTPUT
+      run: |
+          echo "name=${{ inputs.image }}:${{ steps.meta.outputs.version }}" >> $GITHUB_OUTPUT
+          echo "test_name=${{ inputs.image }}:test-${{ steps.meta.outputs.version }}" >> $GITHUB_OUTPUT
     - name: "Check Image"
       id: image_status
       shell: bash
@@ -170,7 +172,7 @@ runs:
         push: true
         sbom: true
         provenance: true
-        cache-from: type=registry,ref=${{ steps.image_name.outputs.name }}-cache
+        cache-from: type=registry,ref=${{ steps.image_name.outputs.name }}-cache,ref=${{ steps.image_name.outputs.test_name }}-cache
         cache-to: type=registry,ref=${{ steps.image_name.outputs.name }}-cache,mode=max,image-manifest=true
         build-args: |
             GITHUB_SERVER_URL=${{ github.server_url }}

.github/workflows/security.yml

@@ -1,4 +1,4 @@
-name: Lint
+name: Security
 on:
   push:
     branches:
@@ -47,12 +47,28 @@ jobs:
     needs: changes
     runs-on: ubuntu-latest
     if: github.event.pull_request.draft == false && needs.changes.outputs.lint
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-python@v2
-        with:
-          python-version: '3.12'
-      - name: Install requirements
-        run: pip install bandit
-      - name: bandit
-        run: bandit src/
+      - name: Bandit Scan
+        uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c
+        with: # optional arguments
+          # exit with 0, even with results found
+          exit_zero: true # optional, default is DEFAULT
+          # Github token of the repository (automatically created by Github)
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information.
+          # File or directory to run bandit on
+          # path: # optional, default is .
+          # Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
+          # level: # optional, default is UNDEFINED
+          # Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
+          # confidence: # optional, default is UNDEFINED
+          # comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
+          # excluded_paths: # optional, default is DEFAULT
+          # comma-separated list of test IDs to skip
+          # skips: # optional, default is DEFAULT
+          # path to a .bandit file that supplies command line arguments
+          # ini_path: # optional, default is DEFAULT

.github/workflows/test.yml

@@ -146,6 +146,10 @@ jobs:
     name: Check Image with Trivy
     runs-on: ubuntu-latest
     needs: [ build ]
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
     if: needs.build.outputs.created == 'true' || contains(github.event.head_commit.message, 'ci:scan')
     steps:
       - name: Checkout code
@@ -156,6 +160,8 @@ jobs:
           image-ref: ${{needs.build.outputs.image}}
           format: 'sarif'
           output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v2
         with: