ci: add pushing canary build images to registries (#2428)

.github/workflows/canary.yaml

@@ -3,6 +3,10 @@ on:
   push:
     branches:
       - 'main'
+    paths:
+      - '**.go'
+      - 'Dockerfile.canary'
+      - '.github/workflows/canary.yaml'
   workflow_dispatch:
 
 jobs:

.github/workflows/reusable-release.yaml

@@ -84,6 +84,21 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
 
+      ## push images to registries
+      ## only for canary build
+      - name: Build and push
+        if: ${{ inputs.goreleaser_config == 'goreleaser-canary.yml' }}
+        uses: docker/build-push-action@v3
+        with:
+          platforms: linux/amd64, linux/arm64
+          file: ./Dockerfile.canary # path to Dockerfile
+          context: .
+          push: true
+          tags: |
+            aquasec/trivy:canary
+            ghcr.io/aquasecurity/trivy:canary
+            public.ecr.aws/aquasecurity/trivy:canary
+
       - name: Cache Trivy binaries
         uses: actions/cache@v3.0.4
         with:
@@ -91,4 +106,4 @@ jobs:
           # use 'github.sha' to create a unique cache folder for each run.
           # use 'github.workflow' to create a unique cache folder if some runs have same commit sha.
           # e.g. build and release runs
-          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
+          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}

Dockerfile.canary

@@ -0,0 +1,10 @@
+FROM alpine:3.16.0
+RUN apk --no-cache add ca-certificates git
+
+# binaries were created with GoReleaser
+# need to copy binaries from folder with correct architecture
+# example architecture folder: dist/trivy_canary_build_linux_arm64/trivy
+ARG TARGETARCH
+COPY "dist/trivy_canary_build_linux_${TARGETARCH}/trivy" /usr/local/bin/trivy
+COPY contrib/*.tpl contrib/
+ENTRYPOINT ["trivy"]