
chore: pin GitHub Actions to commit SHAs and update to latest version… #45



name: ImageSecurity
on:
pull_request:
types:
- opened
- reopened
- synchronize
- ready_for_review
paths:
- Dockerfile
- Dockerfile.alpine
- go.mod
- go.sum
- .github/workflows/image-security.yaml
- .github/workflows/docker.yaml
push:
branches:
- main
paths:
- Dockerfile
- Dockerfile.alpine
- go.mod
- go.sum
- .github/workflows/image-security.yaml
- .github/workflows/docker.yaml
workflow_dispatch:
permissions:
contents: read
concurrency:
group: image-security-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
scan-production-images:
name: Scan ${{ matrix.name }}
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
include:
- name: Ubuntu Image
dockerfile: Dockerfile
tag: dagu-ci:ubuntu
- name: Alpine Image
dockerfile: Dockerfile.alpine
tag: dagu-ci:alpine
steps:
- name: Check out code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Build image locally
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
with:
context: .
file: ${{ matrix.dockerfile }}
load: true
provenance: false
tags: ${{ matrix.tag }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
with:
scan-type: image
image-ref: ${{ matrix.tag }}
format: table
exit-code: "1"
ignore-unfixed: true
vuln-type: os,library
severity: HIGH,CRITICAL
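Review bot: The `# v6.0.2`-style comments beside each pinned SHA (checkout, setup-buildx-action, build-push-action, trivy-action) are the only human-readable link between hash and release, and nothing in this workflow keeps them in sync, so they can silently drift the next time a SHA is bumped by hand. If the repository does not already have one, a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"` updates both the SHA and the trailing version comment together; otherwise a comment above the steps such as `# SHAs are the pin; the trailing version tags are informational only` makes the precedence explicit to the next editor. Separately, `ignore-unfixed: true` drops findings that have no fixed version from Trivy's output, so to my knowledge a HIGH/CRITICAL vulnerability with no upstream fix neither fails the job nor appears in the table; that is a defensible gating choice, but a one-line comment above it recording that trade-off would keep the coverage gap visible. If the job has further steps after the Trivy scan they are outside this view.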