Remove badger from Dgraph docker image; add nightly CVE scanner

matthewmcneely · matthewmcneely · commit 0cd040023cc9 · 2026-02-24T13:25:23.000-05:00
diff --git a/.github/workflows/cd-dgraph.yml b/.github/workflows/cd-dgraph.yml
@@ -81,12 +81,6 @@ jobs:
             badger/badger-linux-amd64.tar.gz
             dgraph/dgraph-checksum-linux-amd64.sha256
             dgraph/dgraph-linux-amd64.tar.gz
-      - name: Move Badger Binary into Linux Directory
-        run: |
-          tar -xzf badger/badger-linux-amd64.tar.gz --directory badger
-          [ -d "linux" ] || mkdir linux
-          # linux directory will be added to docker image in build step
-          cp badger/badger-linux-amd64 linux/badger
       - name: Make Dgraph Docker Image
         run: |
           set -e
@@ -181,12 +175,6 @@ jobs:
             badger/badger-linux-arm64.tar.gz
             dgraph/dgraph-checksum-linux-arm64.sha256
             dgraph/dgraph-linux-arm64.tar.gz
-      - name: Move Badger Binary into Linux Directory
-        run: |
-          tar -xzf badger/badger-linux-arm64.tar.gz --directory badger
-          [ -d "linux" ] || mkdir linux
-          # linux directory will be added to docker image in build step
-          cp badger/badger-linux-arm64 linux/badger
       - name: Make Dgraph Docker Image
         run: |
           set -e
diff --git a/.github/workflows/ci-dgraph-nightly-cves.yml b/.github/workflows/ci-dgraph-nightly-cves.yml
@@ -0,0 +1,41 @@
+name: ci-dgraph-nightly-cves
+
+on:
+  schedule:
+    - cron: 0 0 * * * # Run daily at midnight UTC
+  workflow_dispatch: # Allow manual trigger
+
+permissions:
+  contents: read
+
+jobs:
+  cve-scan:
+    runs-on: blacksmith-4vcpu-ubuntu-2404
+    timeout-minutes: 30
+    steps:
+      - name: Checkout main branch
+        uses: actions/checkout@v5
+        with:
+          ref: main
+
+      - name: Set up Go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+
+      - name: Build Dgraph
+        run: make dgraph
+
+      - name: Build Docker image
+        run: |
+          mkdir -p linux
+          cp ./dgraph/dgraph ./linux/dgraph
+          docker build -f contrib/Dockerfile -t dgraph/dgraph:nightly-scan .
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: dgraph/dgraph:nightly-scan
+          format: table
+          exit-code: 1
+          severity: CRITICAL,HIGH
