ci(dir): extend security scanner to support more tag

arpad-csepi · arpad-csepi · commit e7c86a30491d · 2026-03-13T20:19:19.000+01:00
Signed-off-by: Árpád Csepi &lt;csepi.arpad@outlook.com&gt;
diff --git a/.github/workflows/container-security-scan.yml b/.github/workflows/container-security-scan.yml
@@ -11,7 +11,7 @@ on:
       image-tag:
         required: false
         type: string
-        description: "Override tag for repo images (empty for latest)"
+        description: "Override tag for repo images (latest for latest release version)"
 
 permissions:
   contents: read
@@ -20,8 +20,9 @@ permissions:
   issues: write # create issues for critical CVEs
 
 jobs:
-  resolve-tag:
-    name: Resolve image tag
+  resolve-latest-tag:
+    if: ${{ github.event.inputs.image-tag == 'latest' }}
+    name: Resolve latest release version tag
     runs-on: ubuntu-latest
     outputs:
       version: ${{ steps.resolve.outputs.version }}
@@ -53,10 +54,28 @@ jobs:
             echo "version=${TAG_VERSION}" >> $GITHUB_OUTPUT
           fi
 
+  build-from-main:
+    if: ${{ github.event.inputs.image-tag == 'latest' && github.event.inputs.image-tag == '' }}
+    name: Build main branch
+    runs-on: ubuntu-latest
+    outputs:
+      main_sha: ${{ steps.get-commit-sha.outputs.main_sha }}
+    steps:
+      - name: Get main branch SHA
+        id: get-commit-sha
+        run: |
+          MAIN_SHA=gh api repos/${{ github.repository }}/git/refs/heads/${{ github.event.repository.default_branch }} | jq -r .object.sha
+          echo "main_sha=${MAIN_SHA}" >> $GITHUB_OUTPUT
+
+      - uses: ./.github/workflows/reusable-build.yaml
+        with:
+          image_repo: ghcr.io/agntcy
+          image_tag: ${{ steps.get-commit-sha.outputs.main_sha }}
+
   image-list:
     name: Resolve image list
     runs-on: ubuntu-latest
-    needs: [resolve-tag]
+    needs: [resolve-latest-tag, build-from-main]
     outputs:
       matrix: ${{ steps.matrix.outputs.matrix }}
     steps:
@@ -70,7 +89,7 @@ jobs:
       - name: Get image list from task
         id: matrix
         env:
-          IMAGE_TAG: ${{ needs.resolve-tag.outputs.version }}
+          IMAGE_TAG: ${{ needs.resolve-latest-tag.outputs.version || needs.build-from-main.outputs.main_sha || github.event.inputs.image-tag }}
           IMAGE_REPO: ghcr.io/${{ github.repository_owner }}
         run: |
           matrix=$(task --silent deps:vuln:images:list | jq -R -s -c 'split("\n") | map(select(length > 0)) | {image: .}')
