Update .github/workflows.yaml

.github/workflows.yaml

@@ -1,19 +1,29 @@
-name: Gitea Actions Demo
+name: build
-run-name: ${{ gitea.actor }} is testing out Gitea Actions 🚀
+on:
-on: [push]
+  push:
-
+    branches:
+      - main
+      - devpod
+  pull_request:
 jobs:
-  Explore-Gitea-Actions:
+  build:
-    runs-on: ubuntu-latest
+    name: Build
+    runs-on: ubuntu-20.04
     steps:
-      - run: echo "🎉 The job was automatically triggered by a ${{ gitea.event_name }} event."
+      - name: Checkout code
-      - run: echo "🐧 This job is now running on a ${{ runner.os }} server hosted by Gitea!"
-      - run: echo "🔎 The name of your branch is ${{ gitea.ref }} and your repository is ${{ gitea.repository }}."
-      - name: Check out repository code
         uses: actions/checkout@v4
-      - run: echo "💡 The ${{ gitea.repository }} repository has been cloned to the runner."
+
-      - run: echo "🖥️ The workflow is now ready to test your code on the runner."
+      - name: Run Trivy vulnerability scanner in IaC mode
-      - name: List files in the repository
+        uses: aquasecurity/trivy-action@0.28.0
-        run: |
+        with:
-          ls ${{ gitea.workspace }}
+          scan-type: 'config'
-      - run: echo "🍏 This job's status is ${{ job.status }}."
+          hide-progress: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          exit-code: '1'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'