2025-08-31 13:52:10 +01:00
2 changed files with 5 additions and 38 deletions
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@ -17,7 +17,6 @@ concurrency:
  cancel-in-progress: false

 jobs:
-  # Single deploy job since we're just deploying
  deploy:
    environment:
      name: github-pages
@ -31,7 +30,7 @@ jobs:
      - name: Upload artifact
        uses: actions/upload-pages-artifact@v3
        with:
-          path: "."
+          path: "frontend"
      - name: Deploy to GitHub Pages
        id: deployment
        uses: actions/deploy-pages@v4
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@ -2,13 +2,7 @@ name: Build and Publish Docker Image

 on:
  push:
-    branches: [ "main", "develop" ]
-    paths: [ "backend/**" ]
-  pull_request:
    branches: ["main"]
-    paths: [ "backend/**" ]
-  release:
-    types: [ published ]

 env:
  REGISTRY: ghcr.io
@ -76,19 +70,13 @@ jobs:
          sbom: true
          provenance: true

-      # Sign the resulting Docker image digest except on PRs.
+      # Sign the resulting Docker image digest.
      # This will only write to the public Rekor transparency log when the Docker
      # repository is public to avoid leaking data. If you would like to publish
      # transparency data even for private images, pass --force to cosign below.
      # https://github.com/sigstore/cosign
-      - name: Install cosign
-        if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@v3.1.1
-        with:
-          cosign-release: 'v2.1.1'
-
      - name: Sign the published Docker image
-        if: github.event_name != 'pull_request'
+        if: ${{ github.ref_type == 'tag' }}
        env:
          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
          TAGS: ${{ steps.meta.outputs.tags }}
@ -96,23 +84,3 @@ jobs:
        # This step uses the identity token to provision an ephemeral certificate
        # against the sigstore community Fulcio instance.
        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
-
-  security-scan:
-    runs-on: ubuntu-latest
-    needs: build-and-push
-    if: github.event_name != 'pull_request'
-    permissions:
-      security-events: write
-
-    steps:
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: 'trivy-results.sarif'