From 1ff70e1f0daa4d08a79b77efb67cb5a9f7c3cd6c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADctor=20Rold=C3=A1n=20Betancort?=
 <vroldanbet@authzed.com>
Date: Mon, 17 Jul 2023 13:14:08 +0100
Subject: [PATCH 1/3] update docker image used in CI

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index fbab2972..54e0af08 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.19-alpine3.16 AS zed-builder
+FROM golang:1.20-alpine3.18 AS zed-builder
 WORKDIR /go/src/app
 RUN apk update && apk add --no-cache git
 COPY . .

From d2e19787074460b4bb7a83dfe5de03bd7972daf2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADctor=20Rold=C3=A1n=20Betancort?=
 <vroldanbet@authzed.com>
Date: Mon, 17 Jul 2023 13:50:46 +0100
Subject: [PATCH 2/3] add trivy scan to release images

---
 .github/workflows/lint.yaml | 44 ++++++++++++++++++++++++++++---------
 1 file changed, 34 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 8d3f26fa..22e0cb71 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -47,20 +47,44 @@ jobs:
       - uses: "actions/checkout@v3"
       - uses: "authzed/actions/codeql@main"
 
-  trivy:
-    name: "Analyze with Trivy"
+  trivy-fs:
+    name: "Analyze FS with Trivy"
     runs-on: "ubuntu-latest"
     steps:
       - uses: "actions/checkout@v3"
-      - name: "Run Trivy vulnerability scanner"
-        uses: "aquasecurity/trivy-action@master"
+      - uses: "aquasecurity/trivy-action@master"
         with:
           scan-type: "fs"
           ignore-unfixed: true
-          format: "sarif"
-          output: "trivy-results.sarif"
-          severity: "CRITICAL"
-      - name: "Upload Trivy scan results to GitHub Security tab"
-        uses: "github/codeql-action/upload-sarif@v2"
+          format: 'table'
+          exit-code: '1'
+          severity: "CRITICAL,HIGH,MEDIUM"
+
+  trivy-image:
+    name: "Analyze Release Image with Trivy"
+    runs-on: "ubuntu-latest"
+    steps:
+      - uses: "actions/checkout@v3"
+      - uses: "authzed/actions/setup-go@main"
+        with:
+          go-version: "${{ env.GO_VERSION }}"
+      # Workaround until goreleaser release supports --single-target
+      # makes the build faster by not building everything
+      - name: "modify goreleaser config to skip building all targets"
+        run: |
+          echo "partial:
+            by: target" >> .goreleaser.docker.yml
+      - uses: "goreleaser/goreleaser-action@v4"
+        id: "goreleaser"
         with:
-          sarif_file: "trivy-results.sarif"
+          distribution: "goreleaser-pro"
+          version: "latest"
+          args: "release -f .goreleaser.docker.yml --clean --split --snapshot"
+        env:
+          GORELEASER_KEY: "${{ secrets.GORELEASER_KEY }}"
+      - name: "Obtain container image to scan"
+        run: 'echo "IMAGE_VERSION=$(jq .version dist/linux_amd64/metadata.json --raw-output)" >> $GITHUB_ENV'
+      - name: "run trivy on release image"
+        run: 'docker run -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image --format table --exit-code 1 --ignore-unfixed --vuln-type os,library --no-progress --severity CRITICAL,HIGH,MEDIUM authzed/zed:v${{ env.IMAGE_VERSION }}-amd64'
+      - name: "run trivy on debug image"
+        run: 'docker run -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image --format table --exit-code 1 --ignore-unfixed --vuln-type os,library --no-progress --severity CRITICAL,HIGH,MEDIUM authzed/zed:v${{ env.IMAGE_VERSION }}-amd64-debug'

From 69d69d08690725f8d4e6c4514fe1ccd83da17a4c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADctor=20Rold=C3=A1n=20Betancort?=
 <vroldanbet@authzed.com>
Date: Mon, 17 Jul 2023 13:57:54 +0100
Subject: [PATCH 3/3] update debug images to use non-deprecated chainguard
 image

---
 .goreleaser.docker.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.goreleaser.docker.yml b/.goreleaser.docker.yml
index 58162739..93552c31 100644
--- a/.goreleaser.docker.yml
+++ b/.goreleaser.docker.yml
@@ -50,7 +50,7 @@ dockers:
     use: "buildx"
     build_flag_templates:
       - "--platform=linux/amd64"
-      - "--build-arg=BASE=cgr.dev/chainguard/alpine-base:latest"
+      - "--build-arg=BASE=cgr.dev/chainguard/busybox:latest"
   # ARM64
   - image_templates:
       - &arm_image_quay "quay.io/authzed/zed:v{{ .Version }}-arm64"
@@ -75,7 +75,7 @@ dockers:
     use: "buildx"
     build_flag_templates:
       - "--platform=linux/arm64"
-      - "--build-arg=BASE=cgr.dev/chainguard/alpine-base:latest"
+      - "--build-arg=BASE=cgr.dev/chainguard/busybox:latest"
 
 docker_manifests:
   # Quay