ci(github-actions): integrate Trivy security scanning into CI and releases

- Add a reusable Trivy security scan workflow triggered on pushes, pull requests, scheduled runs, and workflow calls
- Integrate the Trivy scan into the release workflow and require it to complete before the release job runs
- Configure the scan to fail on high and critical vulnerabilities and upload results to the GitHub Security tab

Signed-off-by: Bo-Yi Wu <appleboy.tw@gmail.com>

Author: appleboy

.github/workflows/release.yml

@@ -8,8 +8,11 @@ jobs:
   test:
     uses: ./.github/workflows/testing.yml
 
+  trivy:
+    uses: ./.github/workflows/trivy.yml
+
   publish:
-    needs: test
+    needs: [test, trivy]
     runs-on: ubuntu-latest
     permissions:
       id-token: write

.github/workflows/trivy.yml

@@ -0,0 +1,35 @@
+name: Trivy Security Scan
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "0 15 * * *" # 23:00 UTC+8
+  workflow_call:
+
+jobs:
+  trivy:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Trivy vulnerability scan
+        uses: aquasecurity/trivy-action@0.35.0
+        with:
+          scan-type: fs
+          scan-ref: .
+          format: sarif
+          output: trivy-results.sarif
+          exit-code: 1
+          severity: CRITICAL,HIGH
+
+      - name: Upload results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: trivy-results.sarif