fix it

anthony-nhs · anthony-nhs · commit 4fc4b74ddccc · 2026-04-15T08:43:50.000Z
diff --git a/.github/workflows/build_all_images.yml b/.github/workflows/build_all_images.yml
@@ -11,9 +11,6 @@ name: build_all_images
       NO_CACHE:
         required: true
         type: boolean
-      pinned_image:
-        type: string
-        required: true
 permissions: {}
 jobs:
   discover_folders:
@@ -39,40 +36,33 @@ jobs:
           } >> "$GITHUB_OUTPUT"
 
   build_tool_images:
+    # build common tool images with a lower scoped github token as it uses a 3rd party docker image with github cli installed to verify attestation of tflint binary.
+    # token needs attestation read so it can verify attestation of tflint binary
     runs-on: ubuntu-22.04
-    container:
-      image: ${{ inputs.pinned_image }}
-      options: --user 1001:1001 --group-add 128
-    defaults:
-      run:
-        shell: bash
     permissions:
       contents: read
       attestations: read
     steps:
-      - name: copy .tool-versions
-        run: |
-          cp /home/vscode/.tool-versions "$HOME/.tool-versions"
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           fetch-depth: 0
           persist-credentials: false
       - name: build_grype
-        run:
+        run: |
           make build-grype
           docker save "local_grype:latest" -o grype_image.tar
       - name: build_syft
-        run:
+        run: |
           make build-syft
           docker save "local_syft:latest" -o syft_image.tar
       - name: build_grant
-        run:
+        run: |
           make build-grant
           docker save "local_grant:latest" -o grant_image.tar
 
       - name: build_tflint
-        run:
+        run: |
           make build-tflint
           docker save "local_tflint:latest" -o tflint_image.tar
 
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
@@ -176,7 +176,6 @@ jobs:
           BASE_FOLDER: "${{ inputs.base_folder }}"
           NO_CACHE: '${{ inputs.NO_CACHE }}'
           BUILDX_NO_DEFAULT_ATTESTATIONS: "1"
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Check docker vulnerabilities - json output
         run: |
           make scan-image-json
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -50,4 +50,3 @@ jobs:
       docker_tag: 'ci-${{ needs.tag_release.outputs.version_tag }}'
       tag_latest: false
       NO_CACHE: false
-      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -95,4 +95,3 @@ jobs:
       docker_tag: 'pr-${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}'
       tag_latest: false
       NO_CACHE: false
-      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -53,4 +53,3 @@ jobs:
       docker_tag: '${{ needs.tag_release.outputs.version_tag }}'
       tag_latest: true
       NO_CACHE: false
-      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
