Attempt to fix permissions for trivy scan on main (#867)

JohnGarbutt · web-flow · commit ef9ca2a88e6f · 2025-12-11T14:44:49.000Z
While the scan works on PRs, we have permssions related
failures for the run on the main branch, this attempts to fix that.

Similarly, this moves to always scan the image on main, as a way
to double check there are no new blocking CVEs more regularly than
just when the image is bumped.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -19,6 +19,8 @@ permissions:
   # To report GitHub Actions status checks
   statuses: write
   id-token: write
+  # upload trivy scan results
+  security-events: write
 
 on:
   push:
@@ -143,6 +145,6 @@ jobs:
     name: Trivy scan image for vulnerabilities
     needs: files_changed
     if: |
-      needs.files_changed.outputs.trivyscan == 'true'
+      needs.files_changed.outputs.trivyscan == 'true' || github.event_name != 'pull_request'
     uses: ./.github/workflows/trivyscan.yml
     secrets: inherit
diff --git a/.github/workflows/trivyscan.yml b/.github/workflows/trivyscan.yml
@@ -14,6 +14,8 @@ permissions:
   packages: write
   # To report GitHub Actions status checks
   statuses: write
+  # upload trivy scan results
+  security-events: write
 
 jobs:
   scan:
