From a1ca4ea98a0d056a71b6e29a4d33e213b60d48f6 Mon Sep 17 00:00:00 2001
From: daniellim1 <173089175+daniellim1@users.noreply.github.com>
Date: Wed, 2 Jul 2025 08:23:30 -0700
Subject: [PATCH] Create repo_trivy_scan.yml

---
 .github/workflows/repo_trivy_scan.yml | 62 +++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 .github/workflows/repo_trivy_scan.yml

diff --git a/.github/workflows/repo_trivy_scan.yml b/.github/workflows/repo_trivy_scan.yml
new file mode 100644
index 00000000..379ef0d6
--- /dev/null
+++ b/.github/workflows/repo_trivy_scan.yml
@@ -0,0 +1,62 @@
+name: 'Repo Level Trivy Scan'
+
+on:
+  pull_request:
+  schedule:
+    - cron: '0 0 * * *' # Runs daily at midnight UTC
+
+jobs:
+  # JOB 1: Build the Docker image using the custom script and push it to GHCR
+  build:
+    name: Build and Push Docker Image
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write # Required to push images to GHCR
+
+    outputs:
+      image-name: ${{ steps.tag-and-push.outputs.image-name }}
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: Download integrations
+        run: go run downloader.go
+
+      - name: Build local Docker image with custom script
+        env:
+          DOCKER_IMAGE: newrelic/infrastructure-bundle
+          DOCKER_IMAGE_TAG: ci
+        run: |
+          DOCKER_PLATFORMS=linux/amd64 ./docker-build.sh . --load
+
+      - name: Tag and Push image to GHCR
+        id: tag-and-push
+        run: |
+          IMAGE_ID=ghcr.io/${{ github.repository }}:${{ github.sha }}
+          docker tag newrelic/infrastructure-bundle:ci $IMAGE_ID
+          docker push $IMAGE_ID
+          echo "image-name=$IMAGE_ID" >> $GITHUB_OUTPUT
+
+
+  # JOB 2: Call the reusable organization workflow
+  scan:
+    name: Trigger Organization Scan
+    needs: build
+    uses: newrelic-csec/.github/.github/workflows/required-trivy-scan.yml@main
+    with:
+      image-name: ${{ needs.build.outputs.image-name }}
+    secrets: inherit