fix(ci): only upload Trivy SARIF when scan succeeds

dextmorgn · dextmorgn · commit 73bb4a0e7aaa · 2026-01-25T23:39:19.000+01:00
diff --git a/.github/workflows/images.yml b/.github/workflows/images.yml
@@ -69,6 +69,7 @@ jobs:
           sbom: true
 
       - name: Run Trivy vulnerability scanner
+        id: trivy
         uses: aquasecurity/trivy-action@master
         with:
           image-ref: ghcr.io/${{ github.repository_owner }}/flowsint-app:${{ github.ref_name }}
@@ -78,7 +79,7 @@ jobs:
 
       - name: Upload Trivy scan results
         uses: github/codeql-action/upload-sarif@v3
-        if: always()
+        if: always() && steps.trivy.outcome == 'success'
         with:
           sarif_file: "trivy-frontend.sarif"
 
@@ -142,6 +143,7 @@ jobs:
           sbom: true
 
       - name: Run Trivy vulnerability scanner
+        id: trivy
         uses: aquasecurity/trivy-action@master
         with:
           image-ref: ghcr.io/${{ github.repository_owner }}/flowsint-api:${{ github.ref_name }}
@@ -151,7 +153,7 @@ jobs:
 
       - name: Upload Trivy scan results
         uses: github/codeql-action/upload-sarif@v3
-        if: always()
+        if: always() && steps.trivy.outcome == 'success'
         with:
           sarif_file: "trivy-backend.sarif"
 
