From 0bbe320c2ee772b30a4b1c73b355e466341514cf Mon Sep 17 00:00:00 2001
From: Flamur Gogolli
Date: Tue, 3 Sep 2024 11:05:30 +0000
Subject: [PATCH] Add further changes to GH actions to fix page upload and trivy SARIF upload

---
 .github/conf/trivy.yaml            | 4 ++--
 .github/workflows/doc_builder.yaml | 3 ++-
 .github/workflows/iac_scan.yaml    | 10 +++++++---
 3 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/.github/conf/trivy.yaml b/.github/conf/trivy.yaml
index fb0680cf..0850d4e8 100644
--- a/.github/conf/trivy.yaml
+++ b/.github/conf/trivy.yaml
@@ -29,5 +29,5 @@ scan:
 #   - CRITICAL
 #   - UNKNOWN
 
-# vulnerability:
-#   ignore-unfixed: true
+vulnerability:
+  ignore-unfixed: true
diff --git a/.github/workflows/doc_builder.yaml b/.github/workflows/doc_builder.yaml
index b160ab7b..857140dd 100644
--- a/.github/workflows/doc_builder.yaml
+++ b/.github/workflows/doc_builder.yaml
@@ -14,7 +14,8 @@ jobs:
   build:
     name: Deploy docs
     permissions:
-      contents: write # for actions/checkout to fetch code
+      contents: write # for actions/checkout to fetch code and creating gh-pages
+      pages: write # for creating github pages
       security-events: write # for creating github pages
     runs-on: ubuntu-latest
 
diff --git a/.github/workflows/iac_scan.yaml b/.github/workflows/iac_scan.yaml
index 85e31710..c8e5aaa2 100644
--- a/.github/workflows/iac_scan.yaml
+++ b/.github/workflows/iac_scan.yaml
@@ -25,13 +25,15 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Run trivy in fs mode and generate report
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.20.0
         with:
           scan-type: 'fs'
-          ignore-unfixed: true
+          # ignore-unfixed: true
           trivy-config: ".github/conf/trivy.yaml"
           trivyignores: ".github/conf/.trivyignore"
+          exit-code: '0'
           # severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+          # format: 'sarif'
           # output: ${{ env.TRIVY_REPORT_FILE }} # This flag doesnt seem to be working.
         env:
           TRIVY_OUTPUT: ${{ env.TRIVY_REPORT_FILE }}
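Review bot: `ignore-unfixed: true` is now unconditionally active in the shared trivy config and drops every finding that has no upstream fix, whatever its severity, so those CVEs never reach the SARIF file or the Security tab. That is a deliberate trade-off and deserves a comment next to the key, e.g. `ignore-unfixed: true  # hides CVEs with no available fix from all reports, including the SARIF upload`. The config file continues beyond this hunk, so whether any severity filtering elsewhere compensates is not visible here.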
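Review bot: The inline comment on `security-events: write` still says `# for creating github pages`, which is what the newly added `pages: write` line actually grants; `security-events: write` only allows writing code-scanning alerts (e.g. a SARIF upload). If this docs job does not upload SARIF, the permission should be removed rather than kept under a misleading comment; if it does, correct the comment: `security-events: write # for uploading SARIF to the Security tab`. The rest of the job is outside the hunk, including whichever action deploys the pages, which may additionally need `id-token: write`.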
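Review bot: `uses: aquasecurity/trivy-action@0.20.0` moves off the floating `master` ref, which is an improvement, but a version tag is still a mutable reference; for a scanner that runs over the repository contents, pin the full commit SHA and keep the tag in a trailing comment, `uses: aquasecurity/trivy-action@<commit-sha> # v0.20.0`. The new `exit-code: '0'` means findings can no longer fail the job, presumably so the later SARIF upload step always runs; say so in a comment, `exit-code: '0' # never fail here; findings surface via the SARIF upload below`. With `format: 'sarif'` commented out, the file written to `TRIVY_OUTPUT` is whatever the action's default or `trivy.yaml` selects, so confirm it really is SARIF before the upload step consumes it.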
@@ -39,7 +41,9 @@ jobs:
       # As per the following issue/solution: https://github.com/aquasecurity/trivy/issues/5003
       - name: Fix trivy SARIF report for URI scheme
         run: |-
-          sed -i 's#git::https:/##g' ${{ env.TRIVY_REPORT_FILE }}
+          cat ${{ env.TRIVY_REPORT_FILE }}
+          # sed -i.bak 's#git::https:/##g' ${{ env.TRIVY_REPORT_FILE }}
+          # diff -w ${{ env.TRIVY_REPORT_FILE }} "${{ env.TRIVY_REPORT_FILE }}.bak"
 
       - name: Upload trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3
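Review bot: The step is still named `Fix trivy SARIF report for URI scheme` but its body now only runs `cat` on the report; the `sed` rewrite is commented out, so the `git::https:/` URI problem referenced in the comment above the step is no longer corrected before the upload. If the `cat` is a temporary debugging aid, mark it as such (`# TODO: debug output, remove once the SARIF upload works`) or rename the step; otherwise restore the `sed` line. Also prefer `"$TRIVY_REPORT_FILE"` over interpolating `${{ env.TRIVY_REPORT_FILE }}` into the script, so the path is passed as a quoted shell variable rather than substituted into the script text.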