Refine workflow and documentation

Signed-off-by: tdruez <[email protected]>

Author: tdruez

.github/workflows/sca-integration-trivy.yml

@@ -1,11 +1,17 @@
-name: Generate SBOM with Trivy and load in ScanCode.io
+name: Generate SBOM with Trivy and load into ScanCode.io
+
+# This workflow:
+#  1. Generates a CycloneDX SBOM for a container image using Trivy.
+#  2. Uploads the SBOM as a GitHub artifact for future inspection.
+#  3. Loads the SBOM into ScanCode.io for further analysis.
+#  4. Runs assertions to verify that the SBOM was properly processed in ScanCode.io.
+#
+# It runs on demand, and once a week (scheduled).
 
 on:
   workflow_dispatch:
+  # TODO: Remove once working properly, ie before merging.
   pull_request:
-  push:
-    branches:
-      - main
   schedule:
     # Run once a week (every 7 days) at 00:00 UTC on Sunday
     - cron: "0 0 * * 0"
@@ -14,13 +20,13 @@ permissions:
   contents: read
 
 env:
-    IMAGE_REFERENCE: "python:3.13.0-slim"
+  IMAGE_REFERENCE: "python:3.13.0-slim"
 
 jobs:
   generate-and-load-sbom:
     runs-on: ubuntu-24.04
     steps:
-      - name: Run Trivy in CycloneDX SBOM mode
+      - name: Generate CycloneDX SBOM with Trivy
         uses: aquasecurity/[email protected]
         with:
           scan-type: "image"
@@ -30,21 +36,28 @@ jobs:
           scanners: "vuln,license"
           version: "latest"
 
-      - name: Upload Trivy SBOM as a Github artifact
+      - name: Upload SBOM as GitHub Artifact
         uses: actions/upload-artifact@v4
         with:
-          name: upload-trivy-sbom-report
+          name: trivy-sbom-report
           path: "${{ github.workspace }}/trivy-report.sbom.json"
           retention-days: 20
 
-      - name: Load the Trivy SBOM into ScanCode.io
+      - name: Import SBOM into ScanCode.io
         uses: aboutcode-org/scancode-action@main
         with:
           pipelines: "load_sbom"
           inputs-path: "${{ github.workspace }}/trivy-report.sbom.json"
+          # TODO: Remove before merging
           scancodeio-repo-branch: "1729-sca-integrations-trivy"
 
-      - name: Check the SBOM was properly loaded in ScanCode.io
+      - name: Verify SBOM Analysis Results in ScanCode.io
         shell: bash
         run: |
-          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 90; assert package_manager.vulnerable().count() > 40; assert DiscoveredDependency.objects.count() > 190;"
+          scanpipe shell --command "\
+            from scanpipe.models import DiscoveredPackage, DiscoveredDependency; \
+            package_manager = DiscoveredPackage.objects; \
+            assert package_manager.count() > 90; \
+            assert package_manager.vulnerable().count() > 40; \
+            assert DiscoveredDependency.objects.count() > 190; \
+          "