Restore the workflow using python:3.13.0-slim #1729

tdruez · tdruez · commit d16b63dc6e84 · 2025-08-19T19:27:40.000+04:00
Signed-off-by: tdruez &lt;tdruez@nexb.com&gt;
diff --git a/.github/workflows/sca-integration-trivy.yml b/.github/workflows/sca-integration-trivy.yml
@@ -10,8 +10,6 @@ name: Generate SBOM with Trivy and load into ScanCode.io
 
 on:
   workflow_dispatch:
-  # TODO: Remove once working properly, ie before merging.
-  pull_request:
   schedule:
     # Run once a week (every 7 days) at 00:00 UTC on Sunday
     - cron: "0 0 * * 0"
@@ -23,51 +21,33 @@ env:
   IMAGE_REFERENCE: "python:3.13.0-slim"
 
 jobs:
-  generate-sbom:
-    runs-on: ubuntu-latest
+  generate-and-load-sbom:
+    runs-on: ubuntu-24.04
     steps:
-      - name: Generate SBOM for Alpine 3.17.0
+      - name: Generate CycloneDX SBOM with Trivy
         uses: aquasecurity/trivy-action@0.32.0
         with:
           scan-type: "image"
-          image-ref: "alpine:3.17.0"
+          image-ref: ${{ env.IMAGE_REFERENCE }}
           format: "cyclonedx"
-          output: "alpine-3.17-sbom.json"
+          output: "trivy-report.sbom.json"
           scanners: "vuln,license"
           version: "latest"
 
-      - name: Upload the SBOM
+      - name: Upload SBOM as GitHub Artifact
         uses: actions/upload-artifact@v4
         with:
-          path: alpine-3.17-sbom.json
+          name: trivy-sbom-report
+          path: "trivy-report.sbom.json"
+          retention-days: 20
 
-#  generate-and-load-sbom:
-#    runs-on: ubuntu-24.04
-#    steps:
-#      - name: Generate CycloneDX SBOM with Trivy
-#        uses: aquasecurity/trivy-action@0.32.0
-#        with:
-#          scan-type: "image"
-#          image-ref: ${{ env.IMAGE_REFERENCE }}
-#          format: "cyclonedx"
-#          output: "trivy-report.sbom.json"
-#          scanners: "vuln,license"
-#          version: "latest"
-#
-#      - name: Upload SBOM as GitHub Artifact
-#        uses: actions/upload-artifact@v4
-#        with:
-#          name: trivy-sbom-report
-#          path: "${{ github.workspace }}/trivy-report.sbom.json"
-#          retention-days: 20
-#
-#      - name: Import SBOM into ScanCode.io
-#        uses: aboutcode-org/scancode-action@main
-#        with:
-#          pipelines: "load_sbom"
-#          inputs-path: "${{ github.workspace }}/trivy-report.sbom.json"
-#
-#      - name: Verify SBOM Analysis Results in ScanCode.io
-#        shell: bash
-#        run: |
-#          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 90; assert package_manager.vulnerable().count() > 40; assert DiscoveredDependency.objects.count() > 190"
+      - name: Import SBOM into ScanCode.io
+        uses: aboutcode-org/scancode-action@main
+        with:
+          pipelines: "load_sbom"
+          inputs-path: "trivy-report.sbom.json"
+
+      - name: Verify SBOM Analysis Results in ScanCode.io
+        shell: bash
+        run: |
+          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 90; assert package_manager.vulnerable().count() > 40; assert DiscoveredDependency.objects.count() > 190"
