From edd868934f14d0607a7f26fd258843440c1c044d Mon Sep 17 00:00:00 2001
From: Andras Schmelczer
Date: Sun, 31 Aug 2025 13:29:09 +0100
Subject: [PATCH] Update CI

---
 .github/workflows/deploy.yaml | 3 +--
 .github/workflows/docker-publish.yml | 40 +++-------------------------
 2 files changed, 5 insertions(+), 38 deletions(-)

diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index 0408784..f4851b4 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -17,7 +17,6 @@ concurrency:
 cancel-in-progress: false
 
 jobs:
- # Single deploy job since we're just deploying
 deploy:
 environment:
 name: github-pages
@@ -31,7 +30,7 @@ jobs:
 - name: Upload artifact
 uses: actions/upload-pages-artifact@v3
 with:
- path: "."
+ path: "frontend"
 - name: Deploy to GitHub Pages
 id: deployment
 uses: actions/deploy-pages@v4
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 91b9609..351e43e 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -2,13 +2,7 @@ name: Build and Publish Docker Image
 
 on:
 push:
- branches: [ "main", "develop" ]
- paths: [ "backend/**" ]
- pull_request:
- branches: [ "main" ]
- paths: [ "backend/**" ]
- release:
- types: [ published ]
+ branches: ["main"]
 
 env:
 REGISTRY: ghcr.io
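Review bot: With the trigger reduced to `push.branches: ["main"]`, a tag push never starts this workflow, yet the sign step in the later hunk (`@@ -76,19 +70,13 @@`) is now gated on `${{ github.ref_type == 'tag' }}`, so the image is built and published on every push to main but is never signed. Either add a tag filter next to the branch filter, e.g. `tags: ["v*"]` under `push:` (the pattern is a placeholder — use the project's release tag scheme), or gate signing on `github.ref == 'refs/heads/main'` so that whatever gets published also gets signed. Dropping `paths: ["backend/**"]` also means pushes that touch only the frontend will presumably rebuild and publish the backend image; if that is not intended, keep the paths filter on the push trigger.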
@@ -76,19 +70,13 @@ jobs:
 sbom: true
 provenance: true
 
- # Sign the resulting Docker image digest except on PRs.
+ # Sign the resulting Docker image digest.
 # This will only write to the public Rekor transparency log when the Docker
- # repository is public to avoid leaking data. If you would like to publish
+ # repository is public to avoid leaking data. If you would like to publish
 # transparency data even for private images, pass --force to cosign below.
 # https://github.com/sigstore/cosign
- - name: Install cosign
- if: github.event_name != 'pull_request'
- uses: sigstore/cosign-installer@v3.1.1
- with:
- cosign-release: 'v2.1.1'
-
 - name: Sign the published Docker image
- if: github.event_name != 'pull_request'
+ if: ${{ github.ref_type == 'tag' }}
 env:
 # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
 TAGS: ${{ steps.meta.outputs.tags }}
@@ -96,23 +84,3 @@ jobs:
 # This step uses the identity token to provision an ephemeral certificate
 # against the sigstore community Fulcio instance.
 run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
-
- security-scan:
- runs-on: ubuntu-latest
- needs: build-and-push
- if: github.event_name != 'pull_request'
- permissions:
- security-events: write
-
- steps:
- - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@master
- with:
- image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
- format: 'sarif'
- output: 'trivy-results.sarif'
-
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v3
- with:
- sarif_file: 'trivy-results.sarif'
\ No newline at end of file
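Review bot: The `Install cosign` step is removed, but the kept `Sign the published Docker image` step still runs `cosign sign` (its `run:` line is context in the next hunk), so unless the runner image already provides cosign the step will fail as soon as its condition is true; restore an install step with the same `if` as the sign step, e.g. the removed `uses: sigstore/cosign-installer@v3.1.1` with `cosign-release: 'v2.1.1'`. The new condition `${{ github.ref_type == 'tag' }}` also cannot currently be satisfied because the workflow only triggers on branch pushes (raised at the first hunk). The rewrite of `# repository is public to avoid leaking data. If you would like to publish` changes only whitespace and could be dropped to keep the diff minimal. The following hunk deletes the `security-scan` job outright, leaving no vulnerability scan of the published image; if that is intentional it deserves a line in the commit message, otherwise a scan step pinned to a release tag should stay in `build-and-push`.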