fetch git tags so that goreleaser generates the right binary version

this fixes an issue with trivy where it flags SpiceDB as vulnerable, possibly as of aquasecurity/trivy#6564 include in version 0.51.0. It's flagged because it parses it as version 0.0.1-next as generated by goreleaser, because it does not have the tags available
authzed · May 3, 2024 · b083c0b · b083c0b
1 parent f391921
commit b083c0b
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
@@ -42,6 +42,8 @@ jobs:
     runs-on: "buildjet-2vcpu-ubuntu-2204"
     steps:
       - uses: "actions/checkout@v4"
+        with:
+          fetch-depth: 0
       - uses: "authzed/actions/setup-go@main"
       - uses: "docker/login-action@v3"
         with:
@@ -73,4 +75,4 @@ jobs:
       - name: "Obtain container image to scan"
         run: 'echo "IMAGE_VERSION=$(jq .version dist/linux_amd64/metadata.json --raw-output)" >> $GITHUB_ENV'
       - name: "run trivy on release image"
-        run: "docker run -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy:0.50.4 image --format table --exit-code 1 --ignore-unfixed --vuln-type os,library --no-progress --severity CRITICAL,HIGH,MEDIUM authzed/spicedb:v${{ env.IMAGE_VERSION }}-amd64"
+        run: "docker run -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image --format table --exit-code 1 --ignore-unfixed --vuln-type os,library --no-progress --severity CRITICAL,HIGH,MEDIUM authzed/spicedb:v${{ env.IMAGE_VERSION }}-amd64"