
ci: add scanner actions and bump all actions#13

Merged
NARSimoes merged 2 commits into main from nasimoes-ci-bump-actions
Mar 20, 2026

Conversation

@NARSimoes (Contributor) commented Mar 20, 2026

Summary by CodeRabbit

Release Notes

  • Chores
    • Updated GitHub Actions to latest stable versions across continuous integration pipelines, including checkout and Docker build tooling.
    • Integrated Docker image security scanning with critical severity vulnerability detection and reporting into the build process.

@coderabbitai (bot) commented Mar 20, 2026

📝 Walkthrough

These changes update GitHub Actions workflow dependencies and composite actions to use newer versions, and introduce Docker image security scanning into the build process.

Changes

  • Docker action updates (.github/actions/docker-build/action.yaml, .github/actions/docker-prepare/action.yml): Added Anchore security scanning step for Docker images in the docker-build action; updated docker/setup-buildx-action to v4.0.0 and removed the explicit version specification in the docker-prepare action.
  • Workflow dependency updates (.github/workflows/ci.yml): Updated the actions/checkout action to a newer commit hash (v6.0.2 reference).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

🚥 Pre-merge checks | ✅ 3 passed
  • Description Check: ✅ Passed. Check skipped; CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately summarizes the main changes: adding scanner actions and bumping GitHub Actions versions across multiple workflow files.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage; skipping docstring coverage check.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/actions/docker-prepare/action.yml (1)

9-9: Buildx engine version is now floating.

Line 9 pins the action commit, but without an explicit with.version the Buildx binary uses the latest version available on the GitHub Runner and may change over time. This weakens reproducibility. Consider adding an explicit Buildx version pin and upgrading intentionally.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/actions/docker-prepare/action.yml at line 9, the docker/setup-buildx-action usage currently pins the action commit (uses: docker/setup-buildx-action@4d04d5d...) but omits an explicit Buildx binary version; update the action invocation to include a with.version input to pin the Buildx engine (e.g., with.version: "v0.10.0" or your chosen release) so the buildx binary is reproducible and upgrades are intentional, and document/update the chosen version accordingly.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/actions/docker-build/action.yaml:
- Around line 10-17: The Anchore scanner step (anchore/scan-action) is using the
static image name "mattermost/atlantis" instead of the artifact built earlier by
docker/build-push-action; modify the build step (docker/build-push-action) to
include load: true and give the built image a reproducible tag (e.g., set an env
var or output like IMAGE_TAG from the build step), then update the anchore step
to scan that tag (pass the same IMAGE_TAG to the with:image field) so the
scanner analyzes the actual PR-built image instead of the remote latest image.



📥 Commits

Reviewing files that changed from the base of the PR and between 42fb4ad and 8d8107e.

📒 Files selected for processing (3)
  • .github/actions/docker-build/action.yaml
  • .github/actions/docker-prepare/action.yml
  • .github/workflows/ci.yml
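To make the two review findings concrete, here is an added illustration of the docker-build composite action with the weak form beside the corrected one; it is not the repository's own action.yaml. The action SHAs are placeholders (keep the commit pins the repository already uses), the tag `pr-${{ github.sha }}` is a constructed example, and `version`, `load`, `tags`, `image`, `fail-build` and `severity-cutoff` are the documented inputs of the respective actions.

```yaml
# Added illustration, not the repository's .github/actions/docker-build/action.yaml.
# <PINNED_SHA> is a placeholder: keep the commit pins the repository already uses.
runs:
  using: composite
  steps:
    # Pin the Buildx binary as well as the action commit, so the builder does
    # not silently change when the runner image is refreshed (review nitpick).
    - uses: docker/setup-buildx-action@<PINNED_SHA>
      with:
        version: v0.10.0            # any deliberately chosen Buildx release

    # Weak form, shown for contrast: with push: false and no load, the image
    # never reaches the local daemon, so a later `image: mattermost/atlantis`
    # scan pulls the registry's :latest instead of this PR's build.
    #
    # - uses: docker/build-push-action@<PINNED_SHA>
    #   with:
    #     push: false
    # - uses: anchore/scan-action@<PINNED_SHA>
    #   with:
    #     image: mattermost/atlantis

    # Corrected form: load the single-platform build into the local daemon
    # under a tag unique to this commit, and scan exactly that tag.
    - id: build
      uses: docker/build-push-action@<PINNED_SHA>
      with:
        context: .
        push: false
        load: true                  # local daemon only; single platform
        tags: mattermost/atlantis:pr-${{ github.sha }}   # constructed tag

    - uses: anchore/scan-action@<PINNED_SHA>
      with:
        image: mattermost/atlantis:pr-${{ github.sha }}  # same tag as the build
        fail-build: true            # fail the job on findings at or above the cutoff
        severity-cutoff: critical   # matches the PR's critical-severity gating
```

`load: true` only works for a single target platform; a multi-platform build would need to be pushed (or exported) and scanned by digest instead.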

@NARSimoes NARSimoes merged commit fb16b64 into main Mar 20, 2026
2 checks passed
@NARSimoes NARSimoes deleted the nasimoes-ci-bump-actions branch March 20, 2026 19:24