
ci: add scanners and bump all actions #18

Merged
NARSimoes merged 2 commits into main from nasimoes-ci-bump-actions
Mar 31, 2026

NARSimoes commented Mar 20, 2026

Summary


coderabbitai bot commented Mar 20, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e254d577-3ddd-4075-af71-413887afd0de

📥 Commits

Reviewing files that changed from the base of the PR and between 328acfe and ca81ebb.

📒 Files selected for processing (2)
  • .github/workflows/cd.yaml
  • .github/workflows/ci.yaml
🚧 Files skipped from review as they are similar to previous changes (2)
  • .github/workflows/ci.yaml
  • .github/workflows/cd.yaml

📝 Walkthrough

GitHub Actions workflows updated: actions/checkout pinned commit moved from v3.3.0 to v6.0.2 in both CI and CD; actions/setup-go pinned to v6.3.0 in CI (still using go-version: "1.19"); docker/setup-buildx-action upgraded to v4.0.0 and explicit version input removed; CI build job adds an anchore/scan-action step.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Workflow pin upgrades: `.github/workflows/cd.yaml`, `.github/workflows/ci.yaml` | actions/checkout updated from v3.3.0 → v6.0.2; actions/setup-go updated from v3.5.0 → v6.3.0 (CI). |
| Buildx action changes: `.github/workflows/cd.yaml`, `.github/workflows/ci.yaml` | docker/setup-buildx-action bumped from v2.x → v4.0.0; removed explicit `with: version: v0.7.1` configuration in CD and CI. |
| CI scan step added: `.github/workflows/ci.yaml` | Added anchore/scan-action in build job to scan mattermost/node-rotator with table output, report only fixed issues, not fail the build, and apply critical severity cutoff; replaces prior inline anchore configuration. |
| Minor workflow adjustments: `.github/workflows/ci.yaml` | Pin updates applied across test, lint, and build jobs to align action versions; `go-version: "1.19"` retained and caching preserved. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title directly summarizes the main changes: adding scanners and bumping GitHub Actions versions across CI/CD workflows. |
| Description check | ✅ Passed | The description is related to the changeset, mentioning the addition of scanners and action version bumps, and provides context as a follow-up to PR #17. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci.yaml:
- Around line 71-78: The scan step ci/scan-docker-security is running before the
image build/push and therefore pulls the remote mattermost/node-rotator instead
of scanning the artifact produced by push-image-pr; move or duplicate the
ci/scan-docker-security step so it runs after the push-image-pr step, and change
its image input to the exact tag produced by push-image-pr (the commit SHA tag)
instead of the untagged "mattermost/node-rotator" so anchore/scan-action scans
the newly built artifact.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 21df14ba-96bf-4953-a2bf-742db4fd6156

📥 Commits

Reviewing files that changed from the base of the PR and between 275c28b and 1bc4cb7.

📒 Files selected for processing (2)
  • .github/workflows/cd.yaml
  • .github/workflows/ci.yaml
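
The reordering this review comment asks for, sketched as a workflow fragment. This is an added example, not the repository's ci.yaml: the build commands, the `${GITHUB_SHA}` tag format and the `<pinned-commit-sha>` placeholder are assumptions, while the step names and scan settings are taken from the comment and walkthrough above.

```yaml
# Constructed fragment of the build job. Step names follow the review comment;
# the build/push commands and the commit-SHA placeholder are assumed.
steps:
  # Before: the scan ran ahead of the build and named an untagged repository,
  # so the scanner resolved mattermost/node-rotator:latest from the registry
  # instead of the image produced by this workflow run.
  # - name: ci/scan-docker-security
  #   uses: anchore/scan-action@<pinned-commit-sha>
  #   with:
  #     image: "mattermost/node-rotator"

  # After: build and tag with the commit SHA first, then scan that exact tag.
  - name: push-image-pr
    run: |
      # Assumed commands; registry login is omitted from this fragment.
      docker build -t "mattermost/node-rotator:${GITHUB_SHA}" .
      docker push "mattermost/node-rotator:${GITHUB_SHA}"

  - name: ci/scan-docker-security
    # Placeholder: pin to the full commit SHA of the release in use.
    uses: anchore/scan-action@<pinned-commit-sha>
    with:
      # Same tag the previous step produced, so the scan covers this build.
      image: "mattermost/node-rotator:${{ github.sha }}"
      output-format: table
      only-fixed: true
      fail-build: false
      severity-cutoff: critical
```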

Comment thread .github/workflows/ci.yaml
NARSimoes force-pushed the nasimoes-ci-bump-actions branch from 328acfe to 87f3968, March 20, 2026 16:30
NARSimoes force-pushed the nasimoes-ci-bump-actions branch from 87f3968 to ca81ebb, March 20, 2026 16:31
NARSimoes requested a review from esarafianou, March 20, 2026 16:37
@esarafianou

@coderabbitai review


coderabbitai bot commented Mar 22, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@esarafianou

@coderabbitai resolve


coderabbitai bot commented Mar 22, 2026

✅ Actions performed

Comments resolved and changes approved.

NARSimoes merged commit 7b231cb into main, Mar 31, 2026
4 checks passed
NARSimoes deleted the nasimoes-ci-bump-actions branch, March 31, 2026 07:07