fix(ci): use registry tokens for image license scanning (#1255)

.github/scripts/generate-sarif-reports.sh

@@ -6,9 +6,7 @@
 set -eu
 set -o pipefail
 
-declare -A IMAGE_PULL_TOKENS=(
-  ["registry-gitlab.teuto.net"]="${TEUTO_PORTAL_WORKER_PULL_TOKEN}"
-)
+source "$(dirname "$0")/trivy-login-to-registries.sh"
 
 function createSarifReports() {
   local chart="${1?}"
@@ -47,12 +45,6 @@ function generateSarifReport() {
 }
 export -f generateSarifReport
 
-trivy image --download-db-only
-
-for registry in "${!IMAGE_PULL_TOKENS[@]}"; do
-  TRIVY_PASSWORD="${IMAGE_PULL_TOKENS["$registry"]}" trivy registry login --username github-cve-scanning "$registry"
-done
-
 if [[ "$#" == 1 && -d "$1" ]]; then
   createSarifReports "$1"
 else

.github/scripts/scan-for-licenses.sh

@@ -6,6 +6,8 @@
 set -eu
 set -o pipefail
 
+source "$(dirname "$0")/trivy-login-to-registries.sh"
+
 WHITELIST=(
   "AGPL-3.0" # We're not writing software 🤷
   "CC-BY-SA-3.0"

.github/scripts/trivy-login-to-registries.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+if ! (return 0 2>/dev/null); then
+  echo This must be sourced, not executed. >&2
+  exit 1
+fi
+
+declare -A IMAGE_PULL_TOKENS=(
+  ["registry-gitlab.teuto.net"]="${TEUTO_PORTAL_WORKER_PULL_TOKEN?}"
+)
+
+trivy image --download-db-only
+
+for registry in "${!IMAGE_PULL_TOKENS[@]}"; do
+  TRIVY_PASSWORD="${IMAGE_PULL_TOKENS["$registry"]}" trivy registry login --username github-cve-scanning "$registry"
+done

.github/workflows/check-licenses.yaml

@@ -23,7 +23,9 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - run: pip install yq
       - run: /home/linuxbrew/.linuxbrew/bin/brew install trivy
-      - run: |
+      - env:
+          TEUTO_PORTAL_WORKER_PULL_TOKEN: ${{ secrets.TEUTO_PORTAL_WORKER_PULL_TOKEN }}
+        run: |
           eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
           ./.github/scripts/scan-for-licenses.sh ${{ needs.getChangedChart.outputs.chart }}
   check-licenses-list: