security(trivy): build, deploy

Author: moscaale

.github/workflows/build_and_deploy.yml

@@ -1,4 +1,4 @@
-name: Build and deploy
+name: Build, scan images and deploy
 
 on:
   push:
@@ -8,13 +8,10 @@ on:
     types:
       - published
       - edited
-  workflow_dispatch: # Add this to allow manual triggering
-  pull_request:
-    branches:
-      - main
+  workflow_dispatch:
 
 jobs:
-  build-api:
+  build-opengatellm-api:
     name: Build and push OpenGateLLM API image
     runs-on: ubuntu-latest
     env:
@@ -126,12 +123,12 @@ jobs:
       matrix:
         environment: [dev, staging, prod]
         include:
-          - environment: prod
-            url: https://albert.playground.etalab.gouv.fr
-          - environment: staging
-            url: https://albert.playground.staging.etalab.gouv.fr
           - environment: dev
             url: https://albert.playground.dev.etalab.gouv.fr
+          - environment: staging
+            url: https://albert.playground.staging.etalab.gouv.fr
+          - environment: prod
+            url: https://albert.playground.etalab.gouv.fr
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -164,29 +161,37 @@ jobs:
 
   trivy-scan-api:
     name: Trivy scan — API
-    needs: build-api
+    needs: build-opengatellm-api
     uses: ./.github/workflows/trivy-scan.yml
     with:
       image-name: ghcr.io/etalab-ia/opengatellm/api
       image-tag: ${{ github.event_name == 'release' && github.event.release.tag_name || 'latest' }}
-      category-prefix: trivy-api
+
+  trivy-scan-playground:
+    name: Trivy scan — Playground
+    needs: build-opengatellm-playground
+    uses: ./.github/workflows/trivy-scan.yml
+    with:
+      image-name: ghcr.io/etalab-ia/opengatellm/playground
+      image-tag: ${{ github.event_name == 'release' && github.event.release.tag_name || 'latest' }}
 
   deploy-dev:
     if: github.event_name == 'push' # Only deploy on push to main
     name: Deploy from ${{ github.ref_name }}/${{ github.sha }}
     runs-on: ubuntu-latest
     needs:
-      - build-api
+      - build-opengatellm-api
       - build-opengatellm-playground
       - build-albert-playground
       - trivy-scan-api
+      - trivy-scan-playground
     steps:
       - name: Trigger dev deployment
         run: |
           RESPONSE="$(curl --request POST \
             --form token=${{ secrets.GITLAB_CI_TOKEN }} \
             --form ref=main \
-            --form 'variables[pipeline_name]=${{ github.event.repository.name }} - ${{ needs.build-api.outputs.commit_title }}' \
+            --form 'variables[pipeline_name]=${{ github.event.repository.name }} - ${{ needs.build-opengatellm-api.outputs.commit_title }}' \
             --form 'variables[docker_image_tag]=latest' \
             --form 'variables[application_to_deploy]=albert-api' \
             --form 'variables[deployment_environment]=dev' \

.github/workflows/trivy-scan.yml

@@ -11,56 +11,37 @@ on:
         description: "Image tag to scan"
         required: true
         type: string
-      category-prefix:
-        description: "Prefix for SARIF category (ex: trivy-api)"
-        required: true
-        type: string
 
 jobs:
   trivy-scan:
-    name: Trivy scan — ${{ inputs.category-prefix }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
     steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
       - name: Log in to GitHub Container Registry
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      # HIGH → notifie sans bloquer
       - name: Trivy scan (HIGH — warning)
-        if: always()
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@v0.35.0
         with:
           image-ref: ${{ inputs.image-name }}:${{ inputs.image-tag }}
-          format: sarif
-          output: trivy-high.sarif
-          severity: HIGH
+          format: 'table'
+          severity: 'HIGH'
           exit-code: "0"
-          ignore-unfixed: true
-
-      - name: Upload HIGH results to GitHub Security
-        uses: github/codeql-action/upload-sarif@v4
-        if: always()
-        with:
-          sarif_file: trivy-high.sarif
-          category: ${{ inputs.category-prefix }}-high
 
       # CRITICAL → bloque le pipeline
       - name: Trivy scan (CRITICAL — blocking)
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@v0.35.0
         with:
           image-ref: ${{ inputs.image-name }}:${{ inputs.image-tag }}
-          format: sarif
-          output: trivy-critical.sarif
-          severity: CRITICAL
+          format: 'table'
+          severity: 'CRITICAL'
           exit-code: "1"
-          ignore-unfixed: true
-
-      - name: Upload CRITICAL results to GitHub Security
-        uses: github/codeql-action/upload-sarif@v4
-        if: always()
-        with:
-          sarif_file: trivy-critical.sarif
-          category: ${{ inputs.category-prefix }}-critical