feat: Mount Temp Directory to KICS container

.github/workflows/release.yaml

@@ -6,17 +6,6 @@ on:
       - main
       - master
   workflow_dispatch:
-    inputs:
-      version_type:
-        description: 'Type of version bump'
-        required: false
-        default: 'auto'
-        type: choice
-        options:
-          - auto
-          - patch
-          - minor
-          - major
 
 jobs:
   release:
@@ -52,7 +41,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: '20'
+          node-version: "20"
 
       - name: Install semantic-release dependencies
         run: |
@@ -66,64 +55,32 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          if [[ "${{ github.event_name }}" == "workflow_dispatch" && "${{ github.event.inputs.version_type }}" != "auto" ]]; then
-            # Manual release with specified version type
-            echo "Manual release triggered with version type: ${{ github.event.inputs.version_type }}"
-            npx semantic-release --dry-run > release_output.txt 2>&1 || true
-
-            # Extract current version and calculate next version
-            CURRENT_VERSION=$(git describe --tags --abbrev=0 2>/dev/null || echo "v0.0.0")
-            CURRENT_VERSION=${CURRENT_VERSION#v}
-
-            case "${{ github.event.inputs.version_type }}" in
-              "patch")
-                NEW_VERSION=$(echo $CURRENT_VERSION | awk -F. '{printf "%d.%d.%d", $1, $2, $3+1}')
-                ;;
-              "minor")
-                NEW_VERSION=$(echo $CURRENT_VERSION | awk -F. '{printf "%d.%d.0", $1, $2+1}')
-                ;;
-              "major")
-                NEW_VERSION=$(echo $CURRENT_VERSION | awk -F. '{printf "%d.0.0", $1+1}')
-                ;;
-            esac
-
-            echo "new_release_version=$NEW_VERSION" >> $GITHUB_OUTPUT
-            echo "new_release_published=true" >> $GITHUB_OUTPUT
+          # Automatic semantic release with error handling
+          echo "Running automatic semantic release..."
+
+          # Try semantic-release, but handle PR-related failures gracefully
+          if npx semantic-release --debug; then
+            echo "✅ Semantic release completed successfully"
 
-            # Create the release in ITV/kics-github-action repository
-            gh release create "v$NEW_VERSION" \
-              --repo "ITV/kics-github-action" \
-              --title "Release v$NEW_VERSION" \
-              --notes "Manual release: ${{ github.event.inputs.version_type }} version bump" \
-              --target main
+            # Get the version that was created
+            LATEST_TAG=$(gh release list --limit 1 | head -n 1 | awk '{print $1}')
+            echo "🔍 Debug: Latest release tag from semantic-release: $LATEST_TAG"
+            echo "new_release_version=${LATEST_TAG#v}" >> $GITHUB_OUTPUT
+            echo "new_release_published=true" >> $GITHUB_OUTPUT
           else
-            # Automatic semantic release with error handling
-            echo "Running automatic semantic release..."
-
-            # Try semantic-release, but handle PR-related failures gracefully
-            if npx semantic-release --debug; then
-              echo "✅ Semantic release completed successfully"
-
-              # Get the version that was created
+            SEMANTIC_EXIT_CODE=$?
+            echo "⚠️  Semantic release failed with exit code: $SEMANTIC_EXIT_CODE"
+
+            # Check if this was a PR-related failure and the release was actually created
+            if gh release list --limit 1 | head -n 1 | grep -q "v"; then
               LATEST_TAG=$(gh release list --limit 1 | head -n 1 | awk '{print $1}')
-              echo "🔍 Debug: Latest release tag from semantic-release: $LATEST_TAG"
+              echo "✅ Release $LATEST_TAG was created despite semantic-release error"
+              echo "🔍 Debug: Latest release tag from fallback: $LATEST_TAG"
               echo "new_release_version=${LATEST_TAG#v}" >> $GITHUB_OUTPUT
               echo "new_release_published=true" >> $GITHUB_OUTPUT
             else
-              SEMANTIC_EXIT_CODE=$?
-              echo "⚠️  Semantic release failed with exit code: $SEMANTIC_EXIT_CODE"
-
-              # Check if this was a PR-related failure and the release was actually created
-              if gh release list --limit 1 | head -n 1 | grep -q "v"; then
-                LATEST_TAG=$(gh release list --limit 1 | head -n 1 | awk '{print $1}')
-                echo "✅ Release $LATEST_TAG was created despite semantic-release error"
-                echo "🔍 Debug: Latest release tag from fallback: $LATEST_TAG"
-                echo "new_release_version=${LATEST_TAG#v}" >> $GITHUB_OUTPUT
-                echo "new_release_published=true" >> $GITHUB_OUTPUT
-              else
-                echo "❌ No release was created"
-                exit $SEMANTIC_EXIT_CODE
-              fi
+              echo "❌ No release was created"
+              exit $SEMANTIC_EXIT_CODE
             fi
           fi
 
@@ -156,18 +113,18 @@ jobs:
         run: |
           VERSION="${{ needs.release.outputs.version }}"
           echo "🔍 Debug: Received version from release job: '$VERSION'"
-          
+
           if [ -z "$VERSION" ]; then
             echo "❌ Error: Version is empty!"
             exit 1
           fi
-          
+
           echo "full=$VERSION" >> $GITHUB_OUTPUT
 
           # Extract major, minor, patch
           IFS='.' read -r MAJOR MINOR PATCH <<< "$VERSION"
           echo "🔍 Debug: Version components - MAJOR=$MAJOR, MINOR=$MINOR, PATCH=$PATCH"
-          
+
           echo "major=$MAJOR" >> $GITHUB_OUTPUT
           echo "minor=$MINOR" >> $GITHUB_OUTPUT
           echo "patch=$PATCH" >> $GITHUB_OUTPUT
@@ -176,7 +133,7 @@ jobs:
           echo "major_tag=v$MAJOR" >> $GITHUB_OUTPUT
           echo "minor_tag=v$MAJOR.$MINOR" >> $GITHUB_OUTPUT
           echo "patch_tag=v$MAJOR.$MINOR.$PATCH" >> $GITHUB_OUTPUT
-          
+
           echo "🔍 Debug: Generated tags - major_tag=v$MAJOR, minor_tag=v$MAJOR.$MINOR, patch_tag=v$MAJOR.$MINOR.$PATCH"
 
       - name: Generate Docker metadata
@@ -231,27 +188,27 @@ jobs:
         run: |
           VERSION="${{ needs.release.outputs.version }}"
           echo "Creating mutable tags for version: $VERSION"
-          
+
           # Extract version components
           IFS='.' read -r MAJOR MINOR PATCH <<< "$VERSION"
           echo "Version components: MAJOR=$MAJOR, MINOR=$MINOR, PATCH=$PATCH"
-          
+
           # Configure git
           git config user.name "github-actions[bot]"
           git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          
+
           # Create and push major version tag (v1, v2, etc.)
           echo "Creating major version tag: v$MAJOR"
           git tag -f "v$MAJOR"
           git push origin "v$MAJOR" --force
           echo "✅ Updated mutable tag v$MAJOR to point to v$VERSION"
-          
+
           # Create and push minor version tag (v1.2, v1.3, etc.)
           echo "Creating minor version tag: v$MAJOR.$MINOR"
           git tag -f "v$MAJOR.$MINOR"
           git push origin "v$MAJOR.$MINOR" --force
           echo "✅ Updated mutable tag v$MAJOR.$MINOR to point to v$VERSION"
-          
+
           # List all tags to verify
           echo "Current tags:"
           git tag --sort=-version:refname | head -10
@@ -282,4 +239,4 @@ jobs:
           # Use major version (gets latest compatible updates)
           uses: ITV/kics-github-action@v$(echo ${{ needs.release.outputs.version }} | cut -d. -f1)
           ```
-          EOF
+          EOF

action.yml

@@ -123,8 +123,10 @@ runs:
           IMAGE="ghcr.io/itv/kics-github-action:develop"
         fi
         echo "Using image: $IMAGE"
+
         docker run --quiet --name kics-scan \
         -v "${{ github.workspace }}":"${{ github.workspace }}" \
+        -v "${{ runner.temp }}":"${{ runner.temp }}" \
         -w "${{ github.workspace }}" \
         -e GITHUB_ACTION \
         -e GITHUB_ACTOR \