refactor(ci): combined image scan logic in build stage

subrotokumar · subrotokumar · commit fb9d85470549 · 2026-03-22T19:10:42.000Z
diff --git a/ci/container-scan.yml b/ci/container-scan.yml
@@ -3,23 +3,10 @@
   image: 
     name: aquasec/trivy:${TRIVY_VERSION}
     entrypoint: [""]
-  before_script:
-    - export AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION}
-    - apk add --no-cache aws-cli
-    - export AWS_DEFAULT_REGION="${AWS_DEFAULT_REGION:-ap-south-1}"
-    - STS_OUTPUT=$(aws sts assume-role-with-web-identity --region "$AWS_DEFAULT_REGION" --role-arn "${AWS_ROLE_ARN}" --role-session-name gitlab-ci-${CI_JOB_ID} --web-identity-token "${GITLAB_OIDC_TOKEN}" --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" --output text)
-    - export AWS_ACCESS_KEY_ID=$(echo $STS_OUTPUT | awk '{print $1}')
-    - export AWS_SECRET_ACCESS_KEY=$(echo $STS_OUTPUT | awk '{print $2}')
-    - export AWS_SESSION_TOKEN=$(echo $STS_OUTPUT | awk '{print $3}')
-    - unset STS_OUTPUT
-    - aws ecr get-login-password --region "$AWS_DEFAULT_REGION" | 
-        trivy registry login 
-          --username AWS 
-          --password-stdin 
-          ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com
   script:
-    - trivy image --exit-code 0 --no-progress --format json -o ${REPORT_FILE} ${IMAGE}
-    - trivy image --exit-code 1 --severity CRITICAL --no-progress ${IMAGE}
+    - trivy fs .
+    # - trivy image --exit-code 0 --no-progress --format json -o ${REPORT_FILE} ${IMAGE}
+    # - trivy image --exit-code 1 --severity CRITICAL --no-progress ${IMAGE}
   artifacts:
     reports:
       container_scanning: ${REPORT_FILE}
diff --git a/ci/templates.yml b/ci/templates.yml
@@ -38,10 +38,11 @@
 .gitops_setup:
   image: alpine:latest
   before_script:
-    - apk add --no-cache git yq
+    - apk add --no-cache git curl
+    - curl -fsSL https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -o /usr/local/bin/yq
+    - chmod +x /usr/local/bin/yq
     - git config --global user.email "${GITLAB_USER_EMAIL}"
     - git config --global user.name "${GITLAB_USER_NAME}"
-    - git config --global url."https://oauth2:${GITOPS_ACCESS_TOKEN}@gitlab.com/".insteadOf "https://gitlab.com/"
 
 # ---- Shared rule sets ----
 
diff --git a/ci/update-manifests.yml b/ci/update-manifests.yml
@@ -5,6 +5,7 @@
     - container_scanning:transcoder
   script:
     - |
+      GITOPS_REPO="https://oauth2:${GITOPS_ACCESS_TOKEN}@gitlab.com/subrotokumar/playstack-ops.git"
       git clone ${GITOPS_REPO} gitops
       cd gitops
       git checkout ${GITOPS_BRANCH}
@@ -30,7 +31,7 @@ update:manifests:dev:
   stage: update-manifests-dev
   variables:
     ENVIRONMENT: dev
-    VALUES_FILE: helm/values.dev.yaml
+    VALUES_FILE: helm/values.yaml
   rules:
     - if: '$CI_COMMIT_BRANCH == "dev"'
 
