From b443fcbdb9ae045ef7cceb4bdd9f0cfc90994460 Mon Sep 17 00:00:00 2001 From: Oliver Trosien Date: Thu, 30 Oct 2025 14:56:39 +0100 Subject: [PATCH 1/2] Fix docker image reference in Trivy scan Signed-off-by: Oliver Trosien --- .github/workflows/docker-multiarch.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-multiarch.yaml b/.github/workflows/docker-multiarch.yaml index 644bf90..ccd9f46 100644 --- a/.github/workflows/docker-multiarch.yaml +++ b/.github/workflows/docker-multiarch.yaml @@ -91,7 +91,7 @@ jobs: - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: - image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} + image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}-${{ github.sha:0:7 }} format: 'sarif' output: 'trivy-results.sarif' From 95dcaa0b134c385f16ff9e80724fe77beb0236e5 Mon Sep 17 00:00:00 2001 From: Oliver Trosien Date: Thu, 30 Oct 2025 15:52:33 +0100 Subject: [PATCH 2/2] Use outputs-based approach for passing image refs between push + security scan Signed-off-by: Oliver Trosien --- .github/workflows/docker-multiarch.yaml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-multiarch.yaml b/.github/workflows/docker-multiarch.yaml index ccd9f46..0359c00 100644 --- a/.github/workflows/docker-multiarch.yaml +++ b/.github/workflows/docker-multiarch.yaml @@ -18,6 +18,9 @@ env: jobs: build-and-push: runs-on: ubuntu-latest + outputs: + image-digest: ${{ steps.build.outputs.digest }} + image-metadata: ${{ steps.meta.outputs.json }} permissions: contents: read @@ -71,6 +74,7 @@ jobs: GOOS=linux GOARCH=arm64 CGO_ENABLED=0 go build -o build/linux/arm64/es-operator -ldflags "-X main.version=$(git describe --tags --always --dirty) -w -s" . - name: Build and push Docker image + id: build uses: docker/build-push-action@v6 with: context: . 
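Review bot: `${{ github.sha:0:7 }}` on the new `image-ref` line of the first hunk is not valid GitHub Actions expression syntax — the expression language has no substring or slice operator — so this intermediate commit leaves the workflow file unloadable until patch 2/2 replaces the line. Squash 1/2 into 2/2 (or drop it) so every commit on the branch keeps the workflow parseable for bisecting. The tag the scan should target is whatever the metadata step actually emitted, which the second patch already reads back from the job outputs instead of re-deriving by hand.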
@@ -88,10 +92,18 @@ jobs: if: github.event_name != 'pull_request' steps: + - name: Get image reference from metadata + id: image-ref + run: | + # Extract the first tag from the metadata JSON as the primary image reference + IMAGE_REF=$(echo '${{ needs.build-and-push.outputs.image-metadata }}' | jq -r '.tags[0]') + echo "image-ref=${IMAGE_REF}" >> $GITHUB_OUTPUT + echo "Using image reference: ${IMAGE_REF}" + - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: - image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}-${{ github.sha:0:7 }} + image-ref: ${{ steps.image-ref.outputs.image-ref }} format: 'sarif' output: 'trivy-results.sarif'
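Review bot: The new `run:` step interpolates `${{ needs.build-and-push.outputs.image-metadata }}` straight into the shell script inside single quotes, so a `'` anywhere in that JSON ends the quoted string and the remainder is executed as shell; the tags and labels docker/metadata-action emits are derived from ref names and repository text (the `meta` step is outside this hunk, so this is inferred), which is the standard Actions script-injection shape. Pass the value through `env:` and read it from a variable (`printf '%s' "$IMAGE_METADATA" | jq -er '.tags[0]'`) so its content can never change the quoting. The job also already exports `image-digest`, yet the scan still targets a mutable tag chosen by `.tags[0]`; appending `@${IMAGE_DIGEST}` (assuming the digest carries the `sha256:` prefix as docker/build-push-action documents) pins the scanned artifact to what was built, and `jq -e` makes the step fail instead of emitting `null` when `.tags` is empty. `aquasecurity/trivy-action@master` is unchanged context, but a security gate should be pinned to a tag or commit SHA in the same pass.

```yaml
      - name: Get image reference from metadata
        id: image-ref
        env:
          # Delivered via env so shell quoting cannot be broken by the JSON contents
          IMAGE_METADATA: ${{ needs.build-and-push.outputs.image-metadata }}
          IMAGE_DIGEST: ${{ needs.build-and-push.outputs.image-digest }}
        run: |
          # -e: exit non-zero when .tags[0] is null/missing instead of printing "null"
          IMAGE_TAG=$(printf '%s' "$IMAGE_METADATA" | jq -er '.tags[0]')
          # Scan the exact pushed digest, not a mutable tag that may be repointed
          echo "image-ref=${IMAGE_TAG}@${IMAGE_DIGEST}" >> "$GITHUB_OUTPUT"
          echo "Using image reference: ${IMAGE_TAG}@${IMAGE_DIGEST}"
      # … unchanged: Trivy vulnerability scanner step …
```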