AN-662 Publish to GAR rather than JFrog #4846

	name: dsp-appsec-trivy
	on: [pull_request]

	permissions:
	id-token: write

	jobs:
	appsec-trivy:
	# Parse Dockerfile and build, scan image if a "blessed" base image is not used
	name: DSP AppSec Trivy check
	runs-on: ubuntu-latest
	strategy:
	fail-fast: false
	matrix:
	project:
	- cromiam
	- cromwell-drs-localizer
	- server
	- womtool

	steps:
	- uses: actions/checkout@v2

	# Must come after checkout step or token file will be deleted
	- name: Auth to GCP
	id: 'auth'
	uses: google-github-actions/auth@v2
	with:
	token_format: 'access_token'
	workload_identity_provider: 'projects/1038484894585/locations/global/workloadIdentityPools/github-wi-pool/providers/github-wi-provider'
	service_account: 'dsp-artifact-registry-push@dsp-artifact-registry.iam.gserviceaccount.com'
	- uses: sbt/setup-sbt@v1

	# fetch SBT package
	- uses: actions/setup-java@v4
	with:
	distribution: 'temurin'
	java-version: '17'

	# set up SBT cache
	- uses: actions/cache@v4
	with:
	path: \|
	~/.cache
	~/.coursier/cache
	~/.ivy2/cache
	~/.sbt
	key: sbt-${{ matrix.project }}-${{ hashFiles('*/.sbt') }}
	restore-keys: \|
	sbt-${{ matrix.project }}-
	sbt-

	# build the image
	- name: Build
	id: build
	run: \|
	# build sources and store the log
	sbt -no-colors ${{ matrix.project }}/docker \| tee build.log

	# export image name from the log
	image=$(grep 'Tagging image' build.log \| awk '{print $NF}')
	echo "image=${image}" >> $GITHUB_OUTPUT

	# scan the image
	- uses: broadinstitute/dsp-appsec-trivy-action@v1
	with:
	image: ${{ steps.build.outputs.image }}

Provide feedback