Remove CVE checks (see readme)

Signed-off-by: Timo Reichl <[email protected]>

.github/workflows/build-scan-push-tag.yml → .github/workflows/build-push-tag.yml

@@ -1,4 +1,4 @@
-name: Reusable workflow for building and scanning images
+name: Reusable workflow for building and pushing images
 
 on:
   workflow_call:
@@ -35,57 +35,6 @@ jobs:
             docker-compose build ${docker_base_image_type}
           done
 
-      - name: Trivy CVE scan - base
-        if: ${{ inputs.push }}
-        uses: aquasecurity/[email protected]
-        with:
-          image-ref: "${{ env.REGISTRY_IMAGE }}:base"
-          format: 'table'
-          exit-code: '1'
-          severity: 'CRITICAL,HIGH,MEDIUM,LOW'
-
-      - name: Dockle scan - base
-        if: ${{ inputs.push }}
-        uses: erzz/[email protected]
-        with:
-          image: "${{ env.REGISTRY_IMAGE }}:base"
-          exit-code: '1'
-          dockle-version: '0.4.5'
-
-      - name: Trivy CVE scan - hlds
-        if: ${{ inputs.push }}
-        uses: aquasecurity/[email protected]
-        with:
-          image-ref: "${{ env.REGISTRY_IMAGE }}:hlds"
-          format: 'table'
-          exit-code: '1'
-          severity: 'CRITICAL,HIGH,MEDIUM,LOW'
-
-      - name: Dockle scan - hlds
-        if: ${{ inputs.push }}
-        uses: erzz/[email protected]
-        with:
-          image: "${{ env.REGISTRY_IMAGE }}:hlds"
-          exit-code: '1'
-          dockle-version: '0.4.5'
-
-      - name: Trivy CVE scan - srcds
-        if: ${{ inputs.push }}
-        uses: aquasecurity/[email protected]
-        with:
-          image-ref: "${{ env.REGISTRY_IMAGE }}:srcds"
-          format: 'table'
-          exit-code: '1'
-          severity: 'CRITICAL,HIGH,MEDIUM,LOW'
-
-      - name: Dockle scan - srcds
-        if: ${{ inputs.push }}
-        uses: erzz/[email protected]
-        with:
-          image: "${{ env.REGISTRY_IMAGE }}:srcds"
-          exit-code: '1'
-          dockle-version: '0.4.5'
-
       - name: Log in to GHCR
         if: ${{ inputs.push || inputs.tag }}
         uses: docker/login-action@v2

.github/workflows/docker-build.yml

@@ -7,7 +7,7 @@ on:
 
 jobs:
   build-scan:
-    uses: thetredev/steamcmd/.github/workflows/build-scan-push-tag.yml@main
+    uses: thetredev/steamcmd/.github/workflows/build-push-tag.yml@main
     with:
       push: false
       tag: false

.github/workflows/docker-latest.yml

@@ -7,7 +7,7 @@ on:
 
 jobs:
   push:
-    uses: thetredev/steamcmd/.github/workflows/build-scan-push-tag.yml@main
+    uses: thetredev/steamcmd/.github/workflows/build-push-tag.yml@main
     with:
       push: true
       tag: false

.github/workflows/docker-tag.yml

@@ -7,7 +7,7 @@ on:
 
 jobs:
   tag:
-    uses: thetredev/steamcmd/.github/workflows/build-scan-push-tag.yml@main
+    uses: thetredev/steamcmd/.github/workflows/build-push-tag.yml@main
     with:
       push: false
       tag: true

README.md

@@ -105,7 +105,7 @@ The GitHub Actions workflows are setup in the following way:
 - Pushes to the `main` branch lead to the image tags `ghcr.io/thetredev/steamcmd:<image>-latest`, where `<image>` is one of the following: `base`, `hlds` or `srcds` (see *the supported game server images* above)
 - Pushes of tags lead to retagging the `ghcr.io/thetredev/steamcmd:<image>-latest` images to `ghcr.io/thetredev/steamcmd:<image>-<tag>`
 
-All image builds are scanned for CVEs and only pushed as `latest` or the given tag if no CVEs are found. The scans can be viewed publicly [from within the Actions tab](https://github.com/thetredev/steamcmd/actions) at job **build**.
+All image builds used to be scanned for CVEs and only pushed as `latest` or the given tag if no CVEs are found. These scans have been removed and/or disabled since we're relying on official Steam Runtime images now (commit [a64d5003ac8d84eccc6326bc8270eef1105745e0](https://github.com/thetredev/steamcmd/tree/a64d5003ac8d84eccc6326bc8270eef1105745e0)) and we simply trust Valve to make the base images as secure as possible.
 
 ## Known bugs
 See the [project issues](https://github.com/thetredev/steamcmd/issues).