
ci: add scanner and bump actions #1154

Merged
NARSimoes merged 4 commits into master from nasimoes-ci-bump-actions
Mar 20, 2026

Conversation

@NARSimoes
Contributor

@NARSimoes NARSimoes commented Mar 20, 2026

Summary

Release Note


Summary by CodeRabbit

  • New Features

    • Added automated Docker image security scans during builds for standard and end-to-end images; scans report fixed critical vulnerabilities in table format and are non-blocking (will not fail the build).
  • Chores

    • Upgraded CI/build tooling to newer stable action versions to improve pipeline reliability, consistency and release workflow stability.

@mm-cloud-bot

@NARSimoes: Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected; please follow our release note process to remove it.

@NARSimoes NARSimoes marked this pull request as ready for review March 20, 2026 14:04

@coderabbitai

coderabbitai bot commented Mar 20, 2026

Walkthrough

Pinned GitHub Action versions were bumped across workflows and composite actions, and Anchore anchore/scan-action@v7.3.2 steps were added to run vulnerability scans (output-format: table, only-fixed: true, severity-cutoff: critical, fail-build: false) against temporary, E2E, test, and release Docker images.

Changes

Changes by cohort and file:

Docker Security Scanning (.github/actions/docker-build/action.yaml): Added two composite action steps to run anchore/scan-action@v7.3.2 for the mattermost/mattermost-cloud and mattermost/mattermost-cloud-e2e images with only-fixed: true, severity-cutoff: critical, fail-build: false, and output-format: table.

Docker Prepare Action (.github/actions/docker-prepare/action.yml): Updated the docker/setup-buildx-action pin from the v3.1.0 commit to the v4.0.0 commit.

CI Workflow Updates (.github/workflows/ci.yml): Bumped actions/checkout v5.0.0→v6.0.2 and actions/setup-go v6.0.0→v6.3.0 in the lint/mocks/test jobs; bumped docker/setup-buildx-action and docker/login-action to v4.0.0 in the Docker jobs; inserted Anchore scans after the temp image builds for the AMD64/ARM64 and E2E jobs.

Auxiliary Workflow Pins & Release Scans (.github/workflows/claude.yml, .github/workflows/notify-release.yml, .github/workflows/release.yml): Updated actions/checkout to v6.0.2 in claude/notify-release; in the release workflow also bumped actions/setup-go, docker/setup-buildx-action and docker/login-action, updated softprops/action-gh-release to v2.6.1, and added Anchore scan steps for the test and release images.

Sequence Diagram(s)

sequenceDiagram
  participant Dev as Developer
  participant GH as GitHub Actions Runner
  participant Build as Docker Build (buildx)
  participant Scan as Anchore Scan Action
  participant Reg as Docker Registry

  Dev->>GH: push / PR triggers workflow
  GH->>Build: build temp images (amd64 / arm64 / e2e)
  Build-->>GH: tag images (temp-${GITHUB_SHA}-{arch})
  GH->>Scan: run anchore/scan-action on temp images
  Scan-->>GH: return scan results (table, only-fixed, severity:critical)
  GH->>Reg: push images (if build continues)

Pre-merge checks: 3 passed

Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.
Title check: Passed. The title accurately summarizes the two primary changes: adding security scanning (scanner) and updating GitHub Actions versions (bump actions).
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage; the check was skipped.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/actions/docker-build/action.yaml:
- Around line 10-17: The scan steps use untagged images
("mattermost/mattermost-cloud" and "mattermost/mattermost-cloud-e2e") and run
before the build output is tied to this run; update the anchore scan steps (the
steps named "cd/scan-docker-security" and the e2e scan step using
anchore/scan-action) to consume an explicit tag or digest produced by the build
(capture the image ID/tag from the build step output or via docker
inspect/docker build --tag and/or docker images --format or by saving and
reading the image digest) and pass that exact tag/digest into the scan action's
with.image parameter, and/or move the first scan to run after the image build
step so the scan targets the run-specific artifact rather than an
untagged/global name.


📥 Commits

Reviewing files that changed from the base of the PR and between fecadcd and a54b239.

📒 Files selected for processing (6)
  • .github/actions/docker-build/action.yaml
  • .github/actions/docker-prepare/action.yml
  • .github/workflows/ci.yml
  • .github/workflows/claude.yml
  • .github/workflows/notify-release.yml
  • .github/workflows/release.yml
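One way to act on the finding above, as an added example that is not code from this PR or from the mattermost-cloud repository: build the image under a run-specific tag (the temp-${GITHUB_SHA}-{arch} pattern from the walkthrough) and hand that exact tag to anchore/scan-action, so the scan is tied to the artifact this run produced rather than to an untagged global name. The job name, step ids, Dockerfile path and the use of docker/build-push-action are assumptions; the scanner inputs are the ones the PR uses.

```yaml
# Added example, not from the PR: scan exactly the image this run just built.
# Assumptions: job name, step ids, Dockerfile path and docker/build-push-action.
jobs:
  build-and-scan-amd64:
    runs-on: ubuntu-latest
    env:
      # Run-specific tag following the walkthrough's temp-${GITHUB_SHA}-{arch} pattern
      IMAGE_TAG: mattermost/mattermost-cloud:temp-${{ github.sha }}-amd64
    steps:
      - uses: actions/checkout@v6.0.2

      - uses: docker/setup-buildx-action@v4.0.0

      - name: Build temp image (not pushed)
        id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile          # assumption: repository root Dockerfile
          platforms: linux/amd64
          push: false
          load: true                  # load into the local daemon so the scanner can read it
          tags: ${{ env.IMAGE_TAG }}

      - name: Scan the exact image this run built
        uses: anchore/scan-action@v7.3.2
        with:
          # Same run-specific tag the build step wrote; no untagged/global name
          image: ${{ env.IMAGE_TAG }}
          output-format: table
          only-fixed: true
          severity-cutoff: critical
          fail-build: false           # visibility only, matching the PR's intent

      - name: Record which image was scanned
        run: |
          echo "Scanned ${IMAGE_TAG}" >> "$GITHUB_STEP_SUMMARY"
          echo "Image id from build: ${{ steps.build.outputs.imageid }}" >> "$GITHUB_STEP_SUMMARY"
```

If the image is pushed instead of loaded, the `steps.build.outputs.digest` output can be appended to the repository name (`name@sha256:...`) so the scan pins the pushed manifest rather than a mutable tag.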


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release.yml:
- Line 29: The workflow uses a pinned SHA for docker/login-action ("uses:
docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1") that is
inconsistent with the other workflow; update that "uses:
docker/login-action@..." entry in the release.yml to the same version as CI
(e.g., docker/login-action@v4.0.0) so both workflows reference the identical
action version.


📥 Commits

Reviewing files that changed from the base of the PR and between a54b239 and 643be58.

📒 Files selected for processing (2)
  • .github/workflows/ci.yml
  • .github/workflows/release.yml

@NARSimoes
Contributor Author

@esarafianou @andrleite I think the composites in .github/actions/docker* aren't being used. So, I created this 643be58 to actually scan the images in CI / Release. This is new since previous review so requesting a new one, thanks.


@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (1)
.github/workflows/release.yml (1)

45-61: The redundant security scans can be consolidated.

Both the :test and :$VERSION tags reference identical Docker image layers (they're multi-platform manifests created from the same parallel AMD64/ARM64 build in build-image-parallel-with-tags). Scanning them separately produces duplicate vulnerability reports. Consider scanning only the versioned tag after build completion:

      - name: Build and push multi-platform images with clean tags
        run: make build-image-parallel-with-tags
        env:
          TAG: ${{ steps.version.outputs.VERSION }}
          DOCKER_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
          DOCKER_PASSWORD: ${{ secrets.DOCKERHUB_TOKEN }}

-     - name: Scan docker security :test
-       uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2
-       with:
-         image: "mattermost/mattermost-cloud:test"
-         output-format: table
-         only-fixed: true
-         fail-build: false
-         severity-cutoff: critical

      - name: Scan docker security :tag
        uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2
        with:
          image: "mattermost/mattermost-cloud:${{ steps.version.outputs.VERSION }}"
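Review bot: the surviving "Scan docker security :tag" step in this hunk lists only `image:` under `with:`, while the removed ":test" step carried `output-format: table`, `only-fixed: true`, `fail-build: false` and `severity-cutoff: critical`; those four inputs need to stay on the kept step (the prompt text says to preserve them), otherwise the consolidated scan silently reverts to the action's defaults. Also, because the remaining scan runs after `make build-image-parallel-with-tags` has already pushed the versioned tag, the report lands after publication; with `fail-build: false` that matches the PR's visibility-only intent, but it is worth stating in a comment next to the step.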

The fail-build: false setting is intentional (consistent across ci.yml) and provides visibility without blocking releases.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 45 - 61, The two Anchore scan
steps ("Scan docker security :test" and "Scan docker security :tag") are
redundant because they scan identical multi-platform manifests; remove the
":test" scan step and keep only the versioned-tag scan that uses image:
"mattermost/mattermost-cloud:${{ steps.version.outputs.VERSION }}". Ensure the
remaining step runs after the image build step (e.g.,
build-image-parallel-with-tags) so the versioned manifest is available, and
preserve the existing Anchore inputs (output-format, only-fixed, fail-build,
severity-cutoff).


📥 Commits

Reviewing files that changed from the base of the PR and between 643be58 and 530010e.

📒 Files selected for processing (1)
  • .github/workflows/release.yml

@NARSimoes NARSimoes merged commit 83d2c7a into master Mar 20, 2026
22 checks passed
@NARSimoes NARSimoes deleted the nasimoes-ci-bump-actions branch March 20, 2026 18:26