ci(deploy): login and pull images before Trivy scan

The scan-images job runs on a fresh runner that does not have the images built by the build-and-push job. Login to the registry and pull the images before scanning, otherwise Trivy cannot find them.
2026-06-13 19:29:47 +03:00
parent 4054d49ccb
commit b952be23eb
1 changed files with 14 additions and 1 deletions
@@ -70,6 +70,13 @@ jobs:
    needs: build-and-push
    runs-on: ubuntu-latest
    steps:
+      - name: Login to Gitea Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: git.codeanddice.ru
+          username: toutsu
+          password: ${{ secrets.GIT_TOKEN }}
+
      - name: Install Trivy
        run: |
          # Install Trivy from the official Docker image instead of the
@@ -78,7 +85,7 @@ jobs:
          #      GitHub releases API; when a release is unpublished or
          #      yanked, the script fails with
          #      `unable to find '<tag>' - use 'latest' or see ...`
-          #      even when the release once existed. We hit this with
+          #      when the release once existed. We hit this with
          #      v0.71.0.
          #   2. Docker Hub tags are content-addressed and rarely
          #      removed, so a pinned image tag is much more stable.
@@ -94,6 +101,12 @@ jobs:
          chmod +x /usr/local/bin/trivy
          trivy --version

+      - name: Pull images for scan
+        run: |
+          docker pull git.codeanddice.ru/toutsu/gmrelay-bot:${{ env.VERSION }}
+          docker pull git.codeanddice.ru/toutsu/gmrelay-discord-bot:${{ env.VERSION }}
+          docker pull git.codeanddice.ru/toutsu/gmrelay-web:${{ env.VERSION }}
+
      - name: Scan Bot image
        run: |
          trivy image \