From ae60cd79b4e4e5d2108bd7a4e35bd4f8e62b299c Mon Sep 17 00:00:00 2001
From: Timo Behrendt
Date: Sun, 15 Feb 2026 16:47:24 +0100
Subject: [PATCH] feat: add reusable run-tas workflow

---
 .gitea/workflows/run-tas.yaml | 143 ++++++++++++++++++++++++++++++++++
 1 file changed, 143 insertions(+)
 create mode 100644 .gitea/workflows/run-tas.yaml

diff --git a/.gitea/workflows/run-tas.yaml b/.gitea/workflows/run-tas.yaml
new file mode 100644
index 0000000..0b49ed9
--- /dev/null
+++ b/.gitea/workflows/run-tas.yaml
@@ -0,0 +1,143 @@ +name: Run TAS + +on: + workflow_call: + inputs: + scan-config: + description: "Scan the configuration files" + required: false + default: false + type: boolean + image-scan-files: + description: "List of files to scan for images" + required: false + default: "" + type: string + pre-pull-images: + description: "Pre-pull the images" + required: false + default: false + type: boolean + trivy-server: + description: "Trivy server to use" + required: false + default: "https://trivy.gitea.t00n.de" + type: string + tas-base-url: + description: "TAS base URL" + required: false + default: "https://tas.gitea.t00n.de" + type: string + repository-name: + description: "Repository name" + required: true + type: string + branch-name: + description: "Branch name" + required: true + type: string + repository-owner: + description: "Repository owner" + required: true + type: string + +jobs: + config-scan: + runs-on: ubuntu-latest + if: inputs.scan-config == true + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-trivy@1.4.0 + - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-db@1.4.0 + - run: | + trivy config --cache-dir "$TRIVY_CACHE_DIR" --exit-code 0 --format sarif --output config-sarif.json . 
+ env: + TRIVY_CACHE_DIR: ${{ runner.temp }}/trivy + - uses: https://github.com/christopherHX/gitea-upload-artifact@v4 + with: + name: config-sarif + path: config-sarif.json + + image-scan: + runs-on: ubuntu-latest + if: inputs.image-scan-files != "" + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-trivy@1.4.0 + - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-db@1.4.0 + - name: Get Images From Files + id: get-images + uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/get-images-from-files@1.4.0 + with: + files: ${{ inputs.image-scan-files }} + - name: Pull images + if: inputs.pre-pull-images == true + run: | + set -e + images='${{ steps.get-images.outputs.images }}' + for img in $(echo "$images" | jq -r '.[]'); do + docker pull "$img" + done + - name: Scan images + id: scan + run: | + set -e + images='${{ steps.get-images.outputs.images }}' + count=$(echo "$images" | jq 'length') + if [ "$count" -eq 0 ]; then + echo "No images found" + exit 1 + fi + i=0 + for img in $(echo "$images" | jq -r '.[]'); do + trivy image --cache-dir "$TRIVY_CACHE_DIR" --server ${{ inputs.trivy-server }} --exit-code 0 --scanners vuln --format sarif --output "sarif-image-${i}.json" "$img" + i=$((i + 1)) + done + { + echo "files<> $GITHUB_OUTPUT + echo "count=$i" >> $GITHUB_OUTPUT + env: + TRIVY_CACHE_DIR: ${{ runner.temp }}/trivy + - name: Merge image SARIF files + if: steps.scan.outputs.count != '0' + uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/merge-sarif-files@1.4.1-rc-e78ced192dbed9db9a04540a2a27c75924f1d5ea + with: + files: ${{ steps.scan.outputs.files }} + output-file: image-sarif.json + - uses: https://github.com/ChristopherHX/gitea-upload-artifact@v4 + with: + name: image-sarif + path: image-sarif.json + + merge-and-upload: + runs-on: ubuntu-latest + needs: [config-scan, image-scan] + if: inputs.scan-config == true || inputs.image-scan-files != "" + 
steps: + - name: Download config SARIF + uses: https://github.com/ChristopherHX/gitea-download-artifact@v4 + with: + name: config-sarif + path: config-sarif-artifact + - name: Download image SARIF + uses: https://github.com/ChristopherHX/gitea-download-artifact@v4 + with: + name: image-sarif + path: image-sarif-artifact + - name: Merge SARIF files + uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/merge-sarif-files@1.4.1-rc-e78ced192dbed9db9a04540a2a27c75924f1d5ea + with: + files: | + - config-sarif-artifact/config-sarif.json + - image-sarif-artifact/image-sarif.json + output-file: sarif.json + - uses: https://gitea.t000-n.de/t.behrendt/tas-actions/tas-upload-sarif@0.0.2 + with: + tas-base-url: ${{ inputs.tas-base-url }} + sarif-file: sarif.json + owner: ${{ inputs.repository-owner }} + repo: ${{ inputs.repository-name }} + branch: ${{ inputs.branch-name }} -- 2.49.1
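Review bot: The `Pull images` and `Scan images` steps of the `image-scan` job splice `${{ steps.get-images.outputs.images }}` (and `${{ inputs.trivy-server }}`) directly into the shell script, so an image reference read from a repository file that contains a single quote — for example in a compose file on a pull request — terminates `images='…'` and runs arbitrary commands on the runner with the job's token; a caller-supplied `trivy-server` value is interpolated unquoted in the same way. Pass these values through `env:` and read them as shell variables so they are never treated as script text, and iterate with `while IFS= read -r img` instead of an unquoted `$(…)` so image names are not word-split (change below, shown for the scan step; the pull step needs the same `env:`/`"$IMAGES"` treatment). Second, every action except `actions/checkout` is pinned to a mutable tag (`trivy-actions/*@1.4.0`, `gitea-upload-artifact@v4`, `tas-upload-sarif@0.0.2`, and an `rc` tag), so a moved tag silently changes the code that receives the checkout and the SARIF artifacts; pin them to commit SHAs with a `# vX.Y.Z` comment as is already done for checkout. Third, the actions are fetched from `gitea.t000-n.de` while the `trivy-server`/`tas-base-url` defaults use `t00n.de`; if that is a typo rather than a deliberate second instance, the workflow pulls its actions from a domain the author may not control, which should be confirmed. Finally, `merge-and-upload` `needs` both scan jobs while either may be skipped by its `if:`, and on GitHub-style semantics a skipped dependency skips the dependent job (and a download of an artifact that was never uploaded fails), so the `if:` presumably needs `!cancelled()` and each download step should be guarded by the matching input.
```yaml
      - name: Scan images
        id: scan
        env:
          TRIVY_CACHE_DIR: ${{ runner.temp }}/trivy
          IMAGES: ${{ steps.get-images.outputs.images }}
          TRIVY_SERVER: ${{ inputs.trivy-server }}
        run: |
          set -e
          count=$(jq 'length' <<<"$IMAGES")
          # … unchanged: empty-list check …
          i=0
          while IFS= read -r img; do
            trivy image --cache-dir "$TRIVY_CACHE_DIR" --server "$TRIVY_SERVER" --exit-code 0 --scanners vuln --format sarif --output "sarif-image-${i}.json" "$img"
            i=$((i + 1))
          done < <(jq -r '.[]' <<<"$IMAGES")
          # … unchanged: GITHUB_OUTPUT writes …
```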