From cbe7aaaaed97b131056a0e867fcc94f41b13267d Mon Sep 17 00:00:00 2001 From: Benjamin Benoist Date: Fri, 26 Jan 2024 13:12:15 +0100 Subject: [PATCH] Scan -rc releases with Snyk (#857) --- .github/workflows/release.yml | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c42310ca2..8ef47eefa 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -54,13 +54,13 @@ jobs: - nsq include: - app: kinesis - run_snyk: ${{ !contains(github.ref, 'rc') }} + final_release: ${{ !contains(github.ref, 'rc') }} - app: pubsub - run_snyk: ${{ !contains(github.ref, 'rc') }} + final_release: ${{ !contains(github.ref, 'rc') }} - app: kafka - run_snyk: ${{ !contains(github.ref, 'rc') }} + final_release: ${{ !contains(github.ref, 'rc') }} - app: nsq - run_snyk: ${{ !contains(github.ref, 'rc') }} + final_release: ${{ !contains(github.ref, 'rc') }} steps: - uses: actions/checkout@v2 if: startsWith(github.ref, 'refs/tags/') 
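Review bot: `final_release: ${{ !contains(github.ref, 'rc') }}` is a case-insensitive substring test over the whole ref, so any tag or branch whose name merely contains the letters "rc" (a name containing "search" or "arch", say) is classified as a release candidate and routed to the pre-release Snyk org rather than the final-release one. Match the candidate suffix explicitly, `final_release: ${{ !contains(github.ref, '-rc') }}`, and apply the same change to all four include entries so they stay in step. The job header and any job-level `if:` are outside this hunk, so I can't confirm the matrix is only evaluated on tag refs; if the job can run on branches, the value is meaningless there and the gate on the checkout step alone does not stop later steps.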
@@ -153,18 +153,26 @@ jobs: platforms: linux/amd64,linux/arm64/v8 tags: ${{ steps.distroless-meta.outputs.tags }} push: true - - name: Build local distroless image, which is needed to run Snyk - if: matrix.run_snyk + - name: Publish local distroless image, which is needed to run Snyk run: sbt "project ${{ matrix.app }}Distroless" docker:publishLocal - name: Run Snyk to check for vulnerabilities uses: snyk/actions/docker@master - if: matrix.run_snyk + if: matrix.final_release with: image: "${{ steps.packageName.outputs.package_name }}:${{ steps.ver.outputs.tag }}-distroless" args: "--app-vulns --org=data-processing-new" command: monitor env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + - name: Run Snyk to check for vulnerabilities (-rc) + uses: snyk/actions/docker@master + if: ${{ ! matrix.final_release }} + with: + image: "${{ steps.packageName.outputs.package_name }}:${{ steps.ver.outputs.tag }}-distroless" + args: "--app-vulns --org=data-cap" + command: monitor + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} publish_sce: if: startsWith(github.ref, 'refs/tags/')
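Review bot: The new `-rc` step, like the step above it, runs `snyk/actions/docker@master`, a mutable branch ref, inside a release job that hands it `SNYK_TOKEN` and has already authenticated to and pushed the image registry; any change to that branch, or a compromise of the snyk/actions repository, executes unreviewed code with those credentials on every release. Pin both steps to a full-length commit SHA with the version recorded as a trailing comment, `uses: snyk/actions/docker@<full-length commit SHA>  # <release tag>`, and let a dependency bot bump it. The two steps differ only in `--org`, so they could also be collapsed into one by selecting the org in the expression, `args: "--app-vulns --org=${{ matrix.final_release && 'data-processing-new' || 'data-cap' }}"`, which removes one copy of the token wiring and keeps a future pin change to a single line.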