fix(scout): just run in the release PR

ZcashFoundation · Sep 19, 2024 · 8062b04 · 8062b04
1 parent 41e757a
commit 8062b04
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/.github/workflows/sub-build-docker-image.yml b/.github/workflows/sub-build-docker-image.yml
@@ -184,6 +184,7 @@ jobs:
 
         # For the latest built image, display:
         # - the vulnerabilities (ignoring the base image, and only displaying vulnerabilities with a critical or high security severity)
+        # - the available recommendations
         # - compare it to the latest image indexed in Docker Hub (only displaying changed packages and vulnerabilities that already have a fix)
         #
         # Record the image to Scout environment based on the event type, for example:
@@ -195,9 +196,11 @@ jobs:
         uses: docker/[email protected]
         # We only run Docker Scout on the runtime target, as the other targets are not meant to be released
         # and are commonly used for testing, and thus are ephemeral.
-        if: ${{ inputs.dockerfile_target == 'runtime' }}
+        # TODO: Remove the `contains` check once we have a better way to determine if just new vulnerabilities are present.
+        # See: https://github.com/docker/scout-action/issues/56
+        if: ${{ inputs.dockerfile_target == 'runtime' && contains(github.event.pull_request.title, 'Release v') }}
         with:
-          command: cves,compare
+          command: cves,recommendations,compare
           image: us-docker.pkg.dev/${{ vars.GCP_PROJECT }}/zebra/${{ inputs.image_name }}:${{ steps.meta.outputs.version }}
           to: zfnd/zebra:latest
           ignore-base: true