Make use of cc-utils trusted checkout (#1596)

* Make use of cc-utils trusted checkout

* Make use of .ci/verify

* Fix .ci/verify

* Fix sast report job

Author: hebelsan

.ci/verify

@@ -9,9 +9,4 @@ cd "$(dirname $0)/.."
 git config --global user.email "gardener@sap.com"
 git config --global user.name "Gardener CI/CD"
 
-# Required due to https://github.com/kubernetes/kubernetes/issues/86753 - can be removed once the issue is fixed.
-mkdir -p /go/src/github.com/gardener/gardener-extension-provider-aws
-cp -r . /go/src/github.com/gardener/gardener-extension-provider-aws
-cd /go/src/github.com/gardener/gardener-extension-provider-aws
-
 make verify-extended

.github/workflows/build.yaml

@@ -28,47 +28,36 @@ jobs:
       - uses: actions/setup-go@v5
         with:
           go-version: '1.25'
-      - uses: actions/checkout@v5
-      - uses: gardener/cc-utils/.github/actions/setup-git-identity@master
+      - uses: gardener/cc-utils/.github/actions/trusted-checkout@master
         with:
           remove-trusted-label: false
-      - name: verify
+      - name: run-verify
         run: |
           set -euo pipefail
+          .ci/verify
+          # verify calls `make sast-report`, which generates `gosec-report.sarif`
           mkdir /tmp/blobs.d
-          make verify-extended |& tee /tmp/blobs.d/verify-log.txt
-          tar czf /tmp/blobs.d/verify-log.tar.gz -C/tmp/blobs.d verify-log.txt
           tar czf /tmp/blobs.d/gosec-report.tar.gz gosec-report.sarif
-      - name: add-reports-to-component-descriptor
+      - name: add-sast-report-to-component-descriptor
         uses: gardener/cc-utils/.github/actions/export-ocm-fragments@master
         with:
           blobs-directory: /tmp/blobs.d
           ocm-resources: |
-            - name: gosec-report
-              relation: local
-              access:
-                type: localBlob
-                localReference: gosec-report.tar.gz
-              labels:
-                - name: gardener.cloud/purposes
-                  value:
-                    - lint
-                    - sast
-                    - pybandit
-                - name: gardener.cloud/comment
-                  value: |
-                    we use gosec (linter) for SAST Scans.
-                    see: https://github.com/securego/gosec
-                    enabled by: https://github.com/gardener/gardener-extension-provider-aws/pull/112
-            - name: test-results
-              relation: local
-              access:
-                type: localBlob
-                localReference: verify-log.tar.gz
-              labels:
-                - name: gardener.cloud/purposes
-                  value:
-                    - test
+            name: gosec-report
+            relation: local
+            access:
+              type: localBlob
+              localReference: gosec-report.tar.gz
+            labels:
+              - name: gardener.cloud/purposes
+                value:
+                  - lint
+                  - sast
+                  - gosec
+              - name: gardener.cloud/comment
+                value: |
+                  we use gosec (linter) for SAST scans
+                  see: https://github.com/securego/gosec
 
   oci-images:
     name: Build OCI-Images