[WIP] Add trivy scanning to release workflows.

.github/workflows/release.yaml

@@ -7,6 +7,9 @@ on:
 
 name: Create Release
 
+# Don't run multiple releases concurrently.
+concurrency: release
+
 jobs:
   build:
     name: Release OCI image
@@ -21,6 +24,29 @@ jobs:
     steps:
     - uses: actions/checkout@v3
     - uses: distroless/actions/apko-snapshot@main
+      id: apko-snapshot
       with:
         config: .apko.yaml
         base-tag: ghcr.io/${{ github.repository }}
+
+    - uses: aquasecurity/trivy-action@master
+      with:
+        image-ref: ${{ steps.apko-snapshot.outputs.digest }}
+        format: 'table'
+        exit-code: '1'
+        vuln-type: 'os,library'
+        severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
+
+    # Post to slack when things fail.
+    - if: ${{ failure() }}
+      uses: rtCamp/[email protected]
+      env:
+        SLACK_ICON: http://github.com/chainguardian.png?size=48
+        SLACK_USERNAME: chainguardian
+        SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+        SLACK_CHANNEL: distroless
+        SLACK_COLOR: '#8E1600'
+        MSG_MINIMAL: 'true'
+        SLACK_TITLE: Releasing ${{ github.repository }} failed.
+        SLACK_MESSAGE: |
+          For detailed logs: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}