From 378edb939d31664828dd743358217ab8b16ea00c Mon Sep 17 00:00:00 2001
From: Brad Davidson
Date: Wed, 4 Sep 2024 23:24:09 +0000
Subject: [PATCH] Tag PR image build as latest before scanning
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This is less effort than passing the tag across steps 🤷‍♂️

Signed-off-by: Brad Davidson
---
 .github/workflows/trivy.yaml | 3 ++-
 scripts/tag-image-latest | 15 +++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100755 scripts/tag-image-latest

diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
index 80d0fa312df1..9b7a574a14b9 100644
--- a/.github/workflows/trivy.yaml
+++ b/.github/workflows/trivy.yaml
@@ -27,11 +27,12 @@ jobs:
         run: |
           make local
           make package-image
+          make tag-image-latest
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@0.24.0
         with:
-          image-ref: 'rancher/k3s'
+          image-ref: 'rancher/k3s:latest'
           format: 'table'
           severity: "HIGH,CRITICAL"
           output: "trivy-report.txt"
diff --git a/scripts/tag-image-latest b/scripts/tag-image-latest
new file mode 100755
index 000000000000..a462347e8a8b
--- /dev/null
+++ b/scripts/tag-image-latest
@@ -0,0 +1,15 @@
+#!/bin/bash
+set -e
+
+cd $(dirname $0)/..
+
+. ./scripts/version.sh
+
+TAG=${TAG:-${VERSION_TAG}${SUFFIX}}
+REPO=${REPO:-rancher}
+IMAGE_NAME=${IMAGE_NAME:-k3s}
+
+IMAGE=${REPO}/${IMAGE_NAME}:${TAG}
+LATEST=${REPO}/${IMAGE_NAME}:latest
+docker image tag ${IMAGE} ${LATEST}
+echo Tagged ${IMAGE} as ${LATEST}
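Review bot: The new `image-ref: 'rancher/k3s:latest'` is a mutable reference that is only meaningful because the preceding step's `make tag-image-latest` has just overwritten it locally; nothing on the line itself ties the scan to the PR build. If that ordering is ever broken or the tag step is moved to another job, Trivy would presumably fall back to pulling the published `rancher/k3s:latest` from the registry and report on the wrong image, which reads as a clean PR scan. Please add a comment above the line so the coupling is explicit, e.g. `# scans the freshly built PR image re-tagged as :latest by 'make tag-image-latest' above, not the published rancher/k3s:latest`. If the action supports it, scanning by the local image ID obtained from `docker image inspect --format '{{.Id}}'` would remove the mutable-tag dependency entirely — worth confirming against the action's docs.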
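Review bot: `TAG=${TAG:-${VERSION_TAG}${SUFFIX}}` silently produces a broken tag when `VERSION_TAG` is unset (presumably it comes from the sourced `scripts/version.sh`, which is not in this hunk), and `set -e` only surfaces that later as a confusing `docker image tag` reference-parsing error. A guard right after sourcing makes the failure mode obvious: `[ -n "${VERSION_TAG}" ] || { echo "VERSION_TAG not set by scripts/version.sh" >&2; exit 1; }`. The `cd $(dirname $0)/..` line is also unquoted and should be `cd "$(dirname "$0")/.."` so a checkout path containing whitespace does not word-split, even if sibling scripts use the same idiom. A one-line header comment stating the script's purpose, e.g. `# Re-tag the locally built ${REPO}/${IMAGE_NAME}:${TAG} image as :latest so a later step can reference it without knowing the version tag`, would help the next reader.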