Add input to the wordsmith-web workflow PR

<org>/wordsmith-web/.github/workflows/call-trivy.yml

1. Change the <org> to yours

jobs:
  scan:
    name: Scan
    uses: <org>/actions/.github/workflows/reusable-trivy.yml@<pr-branch-name>
    with:
      image: 'ghcr.io/<org>/wordsmith-web:latest'

2. Commit that and watch the Action run in the wordsmith-web repo

3. We now have a working reusable workflow

But we’re only scanning latest

A CVE scan is more valuable if it’s scanning each PR commit

1. We’ll need to ensure our Docker Build creates a unique image tag for each PR commit

2. Also, we’ll need to wait for Docker Build to finish before trying to scan

• We’ll enhance the Docker Build in today’s Homework!

Bret’s Reusable Workflow Conventions

• Store all reusable workflows in a single repo
  • actions, gha-reusable, or reusable-workflows are all fine names
• Standardize naming of "calling" versus "callable" workflow files
  • Called/callable reusable workflows: reusable-*.yml
  • Calling workflows: call-*.yml
• Permissions should be set in both calling --> reusable
  • Reusable workflow (at workflow level) sets required permissions to run
  • Calling workflow (at job level) sets permissions it gives to reusable
• Don’t mix workflow_call with push or pull_request events in the same file
• Reusable workflow repos should have a local calling workflow to test it
  • This may mean adding a sample Dockerfile and other file types as test data
• Reusable workflow repos- should have a ./template/ full of calling workflow examples
• Example of these conventions bretfisher/docker-build-workflow