feat(docker-build): enhance reporting (#39)

TartanLeGrand · web-flow · commit 298ec521fe7e · 2025-04-29T11:17:36.000+02:00
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
@@ -66,14 +66,6 @@ jobs:
           username: ${{ secrets.username }}
           password: ${{ secrets.password }}
 
-      - name: Run Hadolint Dockerfile linter
-        if: ${{ inputs.hadolint }}
-        uses: hadolint/hadolint-action@v3.1.0
-        with:
-          dockerfile: ${{ inputs.dockerfile }}
-          output-file: hadolint.txt
-          no-fail: true
-
       - name: Build Docker Image
         if: ${{ inputs.push }}
         uses: docker/build-push-action@v6
@@ -91,6 +83,7 @@ jobs:
           docker save -o vuln-image.tar ${{ inputs.image-name }}:${{ inputs.image-tag }}
 
       - name: Run Trivy vulnerability scanner
+        id: trivy
         if: ${{ inputs.security-scan }}
         uses: aquasecurity/trivy-action@0.29.0
         with:
@@ -102,60 +95,87 @@ jobs:
           hide-progress: true
           output: trivy.txt
 
-      - name: Update Pull Request with Security Scan Results
-        uses: actions/github-script@v7
+      - name: Read Trivy report file
+        id: read_trivy
         if: github.event_name == 'pull_request' && inputs.security-scan && inputs.security-report == 'comment'
+        run: |
+          echo "report<<EOF" >> "$GITHUB_OUTPUT"
+          cat trivy.txt >> "$GITHUB_OUTPUT"
+          echo "EOF" >> "$GITHUB_OUTPUT"
+
+      - name: Find existing Trivy comment
+        if: github.event_name == 'pull_request' && inputs.security-scan && inputs.security-report == 'comment'
+        id: find_trivy
+        uses: peter-evans/find-comment@v3
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          comment-author: 'github-actions[bot]'
+          body-includes: 'Trivy Security Scan Results'
+
+      - name: Create or update Trivy comment
+        if: github.event_name == 'pull_request' && inputs.security-scan && inputs.security-report == 'comment'
+        uses: peter-evans/create-or-update-comment@v4
         with:
-          script: |
-            const fs = require('fs');
-            const trivyResults = fs.readFileSync('trivy.txt', 'utf8');
-      
-            const output = `
+          token: ${{ secrets.GITHUB_TOKEN }}
+          issue-number: ${{ github.event.pull_request.number }}
+          comment-id: ${{ steps.find_trivy.outputs.comment-id }}
+          edit-mode: replace
+          body: |
+            <!-- trivy-scan -->
             ### 🔒 Trivy Security Scan Results
             <details><summary>Click to expand detailed results</summary>
-      
-            \`\`\`
-            ${trivyResults}
-            \`\`\`
+
+            ```bash
+            ${{ steps.read_trivy.outputs.report }}
+            ```
             </details>
-            `;
-      
-            await github.rest.issues.createComment({
-              issue_number: context.issue.number,
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              body: output
-            });
 
       - name: Upload Trivy scan results to GitHub Security tab
         if: github.event_name == 'pull_request' && inputs.security-scan && inputs.security-report == 'sarif'
         uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: 'trivy-results.sarif'
 
-      - name: Update Pull Request with Hadolint Results
-        uses: actions/github-script@v7
-        if: github.event_name == 'pull_request' && inputs.hadolint
+      - name: Run Hadolint Dockerfile linter
+        id: hadolint
+        if: ${{ inputs.hadolint }}
+        uses: hadolint/hadolint-action@v3.1.0
+        with:
+          dockerfile: ${{ inputs.dockerfile }}
+          output-file: hadolint.txt
+          no-fail: true
+
+      - name: Read Hadolint report file
+        id: read_hadolint
+        if: ${{ inputs.hadolint }}
+        run: |
+          echo "report<<EOF" >> "$GITHUB_OUTPUT"
+          cat hadolint.txt >> "$GITHUB_OUTPUT"
+          echo "EOF" >> "$GITHUB_OUTPUT"
+
+      - name: Find existing Hadolint comment
+        id: find_hadolint
+        if: ${{ inputs.hadolint }}
+        uses: peter-evans/find-comment@v3
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          comment-author: 'github-actions[bot]'
+          body-includes: 'Hadolint Dockerfile Lint Results'
+
+      - name: Create or update Hadolint comment
+        if: ${{ inputs.hadolint && steps.read_hadolint.outputs.report != '' }}
+        uses: peter-evans/create-or-update-comment@v4
         with:
-          script: |
-            const fs = require('fs');
-            const hadolintResults = fs.readFileSync('hadolint.txt', 'utf8').trim();
-            
-            if (hadolintResults.length > 0) {
-              const output = `
-              ### 🐳 Hadolint Dockerfile Lint Results
-              <details><summary>Click to expand</summary>
-            
-              \`\`\`
-              ${hadolintResults}
-              \`\`\`
-              </details>
-              `;
-
-              await github.rest.issues.createComment({
-                issue_number: context.issue.number,
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                body: output
-              });
-            }
+          token: ${{ secrets.GITHUB_TOKEN }}
+          issue-number: ${{ github.event.pull_request.number }}
+          comment-id: ${{ steps.find_hadolint.outputs.comment-id }}
+          edit-mode: replace
+          body: |
+            <!-- hadolint-scan -->
+            ### 🐳 Hadolint Dockerfile Lint Results
+            <details><summary>Click to expand detailed results</summary>
+
+            ```bash
+            ${{ steps.read_hadolint.outputs.report }}
+            ```
+            </details>
