use specific nofos commit

coilysiren · coilysiren · commit b8b38509490a · 2025-05-20T13:52:46.000-07:00
diff --git a/.github/workflows/vulnerability-scans-nofos.yml b/.github/workflows/vulnerability-scans-nofos.yml
@@ -68,6 +68,12 @@ jobs:
           path: ${{ github.workspace }}/.cache/trivy
           key: trivy-cache-${{ steps.date.outputs.date }}
 
+      - name: Restore NOFOs commit hash
+        uses: actions/cache/restore@v4
+        with:
+          path: /tmp/commit-hash.txt
+          key: nofos-commit-${{ github.sha }}-${{ github.run_id }}
+
       - name: Restore cached Docker image
         uses: actions/cache/restore@v4
         with:
@@ -78,13 +84,11 @@ jobs:
         run: |
           docker load < /tmp/docker-image.tar
 
-      - run: docker images
-
       - name: Run Trivy vulnerability scan
         uses: aquasecurity/trivy-action@master
         with:
           scan-type: image
-          image-ref: nofos:latest
+          image-ref: nofos:"$(cat /tmp/commit-hash.txt)"
           format: table
           exit-code: 1
           ignore-unfixed: true
@@ -117,6 +121,12 @@ jobs:
           rm .grype.yml
           mv new.grype.yml .grype.yml
 
+      - name: Restore NOFOs commit hash
+        uses: actions/cache/restore@v4
+        with:
+          path: /tmp/commit-hash.txt
+          key: nofos-commit-${{ github.sha }}-${{ github.run_id }}
+
       - name: Restore cached Docker image
         uses: actions/cache/restore@v4
         with:
@@ -132,7 +142,7 @@ jobs:
         uses: anchore/scan-action@v4
         id: anchore-scan-json
         with:
-          image: nofos:latest
+          image: nofos:"$(cat /tmp/commit-hash.txt)"
           output-format: json
           fail-build: true
           severity-cutoff: medium
@@ -141,7 +151,7 @@ jobs:
         if: always() # Runs even if there is a failure
         uses: anchore/scan-action@v4
         with:
-          image: nofos:latest
+          image: nofos:"$(cat /tmp/commit-hash.txt)"
           output-format: table
           fail-build: true
           severity-cutoff: medium
@@ -158,6 +168,12 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - name: Restore NOFOs commit hash
+        uses: actions/cache/restore@v4
+        with:
+          path: /tmp/commit-hash.txt
+          key: nofos-commit-${{ github.sha }}-${{ github.run_id }}
+
       - name: Restore cached Docker image
         uses: actions/cache/restore@v4
         with:
@@ -179,7 +195,7 @@ jobs:
       - name: Run Dockle container linter
         uses: erzz/dockle-action@v1.4.0
         with:
-          image: nofos:latest
+          image: nofos:"$(cat /tmp/commit-hash.txt)"
           exit-code: "1"
           failure-threshold: WARN
           accept-filenames: ${{ env.DOCKLE_ACCEPT_FILES }}
