docker-scout: only write result files for file-based formats

Author: crazy-max

.github/actions/docker-scout/action.yml

@@ -17,7 +17,7 @@ inputs:
 
 outputs:
   result-file:
-    description: 'File output result'
+    description: 'Path to result file (only if format is not packages)'
     value: ${{ steps.run.outputs.result-file }}
 
 runs:
@@ -82,6 +82,10 @@ runs:
 
           // TODO: cache binary
 
-          const resultPath = path.join(fs.mkdtempSync(path.join(os.tmpdir(), 'docker-scout-action-')), 'result.txt');
-          core.setOutput('result-file', resultPath);
-          await exec.exec('docker', ['scout', 'cves', inpImage, '--format', inpFormat, `--output`, resultPath]);
+          const resultFile = path.join(fs.mkdtempSync(path.join(process.env.RUNNER_TEMP || os.tmpdir(), 'docker-scout-')), 'result.txt');
+          const args = ['scout', 'cves', inpImage, '--format', inpFormat];
+          if (inpFormat !== 'packages') {
+            args.push('--output', resultFile);
+            core.setOutput('result-file', resultFile);
+          }
+          await exec.exec('docker', args);

.github/workflows/.test.yml

@@ -233,6 +233,8 @@ jobs:
         format:
           - packages
           - sarif
+          - sbom
+          - spdx
     steps:
       -
         name: Checkout
@@ -251,7 +253,8 @@ jobs:
           image: registry://moby/buildkit:master
           format: ${{ matrix.format }}
       -
-        name: Print result
+        name: Check result file
+        if: ${{ matrix.format != 'packages' }}
         run: |
           set -x
           cat ${{ steps.scout.outputs.result-file }}

README.md

@@ -110,7 +110,7 @@ jobs:
           image: alpine:latest
       -
         name: Upload SARIF report
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: ${{ steps.scout.outputs.result-file }}
 ```