chore: create reusable workflow for security scans

.github/actions/generate-sbom/action.yml

@@ -22,7 +22,10 @@ outputs:
     value: ${{ inputs.output-file }}
   artifact-url:
     description: 'The URL to the uploaded artifact'
-    value: ${{ steps.upload.outputs.artifact_url }}
+    value: ${{ steps.upload.outputs.artifact-url }}
+  artifact-id:
+    description: 'The ID of the uploaded artifact'
+    value: ${{ steps.upload.outputs.artifact-id }}
 
 runs:
   using: composite

.github/workflows/_security-scan.yml

@@ -0,0 +1,66 @@
+name: Security Scan
+
+on:
+  workflow_call:
+    inputs:
+      images:
+        description: "A comma-separated list of images to scan.  E.G. '[\"docker.io/library/alpine:3.14.0\", \"docker.io/library/alpine:3.13.6\"]'"
+        required: true
+        type: string
+
+permissions:
+  contents: read
+  packages: read
+
+jobs:
+  generate-matrix:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+    steps:
+      - name: Set matrix
+        id: set-matrix
+        env:
+          IMAGES: ${{ inputs.images }}
+        run: |
+          echo "matrix=$IMAGES" >> $GITHUB_OUTPUT
+
+  generate-sbom:
+    runs-on: ubuntu-latest
+    outputs:
+      sbom-file: ${{ steps.generate-sbom.outputs.output-file }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Pull Image
+        shell: bash
+        run: |
+          docker pull ${{ inputs.image-ref }}
+
+      - name: Generate SBOM
+        id: generate-sbom
+        uses: ./.github/actions/generate-sbom
+        with:
+          image-ref: ${{ inputs.image-ref }}
+          output-file: sbom.json
+          artifact-name: sbom
+
+  scan-sbom:
+    runs-on: ubuntu-latest
+    needs: generate-sbom
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Download SBOM
+        uses: actions/download-artifact@v2
+        with:
+          name: sbom
+          path: .
+
+      - name: Scan SBOM
+        uses: ./.github/actions/scan-sbom
+        with:
+          sbom-file: ${{ needs.generate-sbom.outputs.sbom-file }}
+          artifact-name: scan-results

.github/workflows/build.yml

@@ -14,6 +14,10 @@ on:
 env:
   IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   build-base:
     runs-on: ubuntu-latest
@@ -133,6 +137,8 @@ jobs:
       contents: read
       packages: write
       id-token: write
+    outputs:
+      images: ${{ steps.generate-outputs.outputs.images }}
     env:
       IMAGE_NAME: eternal-linux/main/${{ matrix.fedora-edition }}
       FEDORA_VERSION: ${{ matrix.fedora-version }}
@@ -225,20 +231,24 @@ jobs:
           private-key: ${{ secrets.ETERNAL_LINUX_SIGNING_KEY }}
           private-key-passphrase: ${{ secrets.ETERNAL_LINUX_SIGNING_KEY_PASSPHRASE }}
 
-      - name: Generate SBOM
-        id: generate-sbom
-        uses: ./.github/actions/generate-sbom
-        if: github.event_name != 'pull_request'
-        with:
-          image-ref: ${{ steps.push.outputs.registry-path }}
-          artifact-name: ${{ matrix.fedora-edition }}-${{ matrix.fedora-version }}-nvidia${{ matrix.nvidia-version }}-sbom
+      - name: Generate file containing outputs
+        env:
+          DIGEST: ${{ steps.push.outputs.digest }}
+          IMAGE_REGISTRY: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
+          IMAGE_NAME: ${{ env.IMAGE_NAME }}
+          FEDORA_VERSION: ${{ matrix.fedora-version }}
+          FEDORA_EDITION: ${{ matrix.fedora-edition }}
+        run: 
+          echo "${IMAGE_REGISTRY}@${DIGEST}" > "${IMAGE_NAME}-${FEDORA_EDITION}-${FEDORA_VERSION}-nvidia"
 
-      - name: Scan SBOM
-        uses: ./.github/actions/scan-sbom
-        if: github.event_name != 'pull_request'
+      - name: Upload outputs
+        uses: actions/upload-artifact@v4
         with:
-          sbom-file: ${{ steps.generate-sbom.outputs.output-file }}
-          artifact-name: ${{ matrix.fedora-edition }}-${{ matrix.fedora-version }}-nvidia${{ matrix.nvidia-version }}-scan
+          name: output-build-nvidia-${{ env.IMAGE_NAME }}-${{ matrix.fedora-edition }}-${{ matrix.fedora-version }}
+          retention-days: 1
+          if-no-files-found: error
+          path: |
+            ${{ env.IMAGE_NAME }}-${{ matrix.fedora-edition }}-${{ matrix.fedora-version }}-nvidia.txt
 
   check:
     needs: [build-base, build-nvidia]
@@ -248,6 +258,32 @@ jobs:
       - name: Checkout
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
 
+      - name: Download artifacts
+        id: download-artifacts
+        uses: actions/download-artifact@v4
+        with:
+          pattern: output-build-*
+          merge-multiple: true
+
+      - name: Create output
+        id: generate-outputs
+        env:
+          JOBS: ${{ toJson(needs) }}
+          ARTIFACT_PATH: ${{ steps.download-artifacts.outputs.download-path }}
+        run: |
+          # Initialize the array
+          images=()
+
+          # Populate the array with each line from each file in the artifacts directory
+          for file in $ARTIFACT_PATH/*; do
+              while IFS= read -r line; do
+                images+=("$line")
+              done < "$file"
+          done
+
+          # Create the GITHUB_OUTPUT in the format '["image1", "image2", ...]'
+          echo "images=$(printf '%s\n' "${images[@]}" | jq -R -s -c 'split("\n") | .[:-1]')" >> $GITHUB_OUTPUT
+
       - name: Check Job Status
         uses: ./.github/actions/check-jobs-success
         with: