ci: scope trivy scan to dependency changes on PRs, block releases

.github/workflows/build-and-test.yaml

@@ -102,43 +102,6 @@ jobs:
       - name: Lint
         run: npm run lint
 
-  trivy-scan:
-    name: Security - Trivy Scan
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: ${{ inputs.node-version }}
-          cache: 'npm'
-
-      - name: Cache dependencies
-        uses: actions/cache@v4
-        id: node-modules-cache
-        with:
-          path: '**/node_modules'
-          key: ${{ runner.os }}-modules-${{ hashFiles('**/package-lock.json') }}
-          restore-keys: |
-            ${{ runner.os }}-modules-
-
-      - name: Install dependencies
-        if: steps.node-modules-cache.outputs.cache-hit != 'true'
-        run: npm ci
-
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
-        with:
-          scan-type: 'fs'
-          scan-ref: '.'
-          format: 'table'
-          severity: 'CRITICAL,HIGH'
-          exit-code: '1'
-          ignore-unfixed: true
-          scanners: 'vuln' # Only scan for vulnerabilities, not secrets
-
   fossa-scan:
     name: License - Fossa Scan
     runs-on: ubuntu-latest

.github/workflows/pull_request.yaml

@@ -18,6 +18,54 @@ jobs:
     secrets:
       fossa-api-key: ${{ secrets.FOSSA_API_KEY }}
 
+  check-dependency-changes:
+    name: Check for dependency changes
+    runs-on: ubuntu-latest
+    outputs:
+      deps-changed: ${{ steps.filter.outputs.deps }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Check for dependency file changes
+        id: filter
+        uses: dorny/paths-filter@v3
+        with:
+          filters: |
+            deps:
+              - 'package.json'
+              - 'package-lock.json'
+              - 'Dockerfile'
+
+  trivy-scan:
+    name: Security - Trivy Scan
+    needs: check-dependency-changes
+    if: needs.check-dependency-changes.outputs.deps-changed == 'true'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22.1.0'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          format: 'table'
+          severity: 'CRITICAL,HIGH'
+          exit-code: '1'
+          ignore-unfixed: true
+          scanners: 'vuln'
+
   build-docker-image:
     name: Build the Docker Image
     runs-on: ubuntu-latest

.github/workflows/release-to-ghcr.yaml

@@ -128,9 +128,39 @@ jobs:
           VERSION: ${{ needs.get-context.outputs.new-version }}
           RELEASE_NOTES: ${{ steps.generate-notes.outputs.notes }}
 
+  trivy-scan:
+    name: Security - Trivy Scan
+    needs: [get-context]
+    if: ${{ needs.get-context.outputs.version-changed == 'true' }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.commit_sha || github.sha }}
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          format: 'table'
+          severity: 'CRITICAL,HIGH'
+          exit-code: '1'
+          ignore-unfixed: true
+          scanners: 'vuln'
+
   build-and-push:
     name: Build and push image to GHCR
-    needs: [get-context, create-release]
+    needs: [get-context, create-release, trivy-scan]
     if: ${{ needs.get-context.outputs.version-changed == 'true' }}
     runs-on: ubuntu-latest
     steps: