CI: Update CodeQL to v4, conditional SARIF uploads, and enable buildx load for Trivy

Demiserular · Demiserular · commit 4e831e141971 · 2025-12-08T15:12:59.000+05:30
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -76,9 +76,14 @@ jobs:
               with:
                   args: -fmt sarif -out gosec-results.sarif ./...
 
+            - name: Check for Gosec SARIF results
+              id: check-gosec
+              run: |
+                  if [ -f gosec-results.sarif ]; then echo "exists=true" >> $GITHUB_OUTPUT; else echo "exists=false" >> $GITHUB_OUTPUT; fi
+
             - name: Upload Gosec results to GitHub Security
-              uses: github/codeql-action/upload-sarif@v3
-              if: always()
+              uses: github/codeql-action/upload-sarif@v4
+              if: ${{ always() && (steps.check-gosec.outputs.exists == 'true') }}
               with:
                   sarif_file: gosec-results.sarif
 
@@ -125,6 +130,7 @@ jobs:
               with:
                   context: .
                   push: false
+                  load: true
                   tags: minipaas:${{ github.sha }}
                   cache-from: type=gha
                   cache-to: type=gha,mode=max
@@ -137,8 +143,13 @@ jobs:
                   output: "trivy-results.sarif"
                   severity: "CRITICAL,HIGH"
 
+            - name: Check for Trivy SARIF results
+              id: check-trivy
+              run: |
+                  if [ -f trivy-results.sarif ]; then echo "exists=true" >> $GITHUB_OUTPUT; else echo "exists=false" >> $GITHUB_OUTPUT; fi
+
             - name: Upload Trivy scan results
-              uses: github/codeql-action/upload-sarif@v3
-              if: always()
+              uses: github/codeql-action/upload-sarif@v4
+              if: ${{ always() && (steps.check-trivy.outputs.exists == 'true') }}
               with:
                   sarif_file: trivy-results.sarif
