enabled enhanced sast scans with automatic issue creation on findings

.gitea/workflows/docker-build.yaml

@@ -1,35 +1,19 @@
 name: Build and Push Docker Image
 
 on:
-  push:
-    branches:
-      - "**"
+  workflow_dispatch:
+
+permissions:
+  contents: read
 
 jobs:
   build:
     runs-on: ubuntu-latest
-    # permissions:  
-    #   contents: read          # Required to checkout and read repo files
-    #   security-events: write  # Required to upload SARIF files to Security tab
 
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
-      # - name: Run Trivy vulnerability scanner in repo mode
-      #   uses: aquasecurity/trivy-action@v0.36.0
-      #   with:
-      #     scan-type: 'fs'
-      #     ignore-unfixed: true
-      #     format: 'sarif'
-      #     output: 'trivy-results.sarif'
-      #     severity: 'CRITICAL,HIGH'
-
-      # - name: Upload Trivy scan results to GitHub Security tab
-      #   uses: github/codeql-action/upload-sarif@v4
-      #   with:
-      #     sarif_file: 'trivy-results.sarif'
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
@@ -52,7 +36,8 @@ jobs:
             TAG="test"
           fi
 
-          echo "tag=$TAG" >> $GITHUB_OUTPUT
+          echo "tag=$TAG" >> "$GITEA_OUTPUT"
+          echo "branch=$BRANCH" >> "$GITEA_OUTPUT"
 
       - name: Build and push
         uses: docker/build-push-action@v6
@@ -69,9 +54,9 @@ jobs:
             -d "{
               \"tags\": \"all\",
               \"title\": \"Gitea Build Succeeded\",
-              \"body\": \"Repo: ${{ gitea.repository }}\\nBranch: ${{ gitea.ref_name }}\\nImage tag built successfully\"
+              \"body\": \"Repo: ${{ gitea.repository }}\\nBranch: ${{ steps.tag.outputs.branch }}\\nImage tag built successfully\"
             }" \
-            http://10.47.0.213:4444/notify/926263506803e21d72e382edd0caf3fb510a9629d860601dfb79506b5758c133
+            ${{ secrets.APPRISE_URL }}
 
       - name: Notify Apprise (failure)
         if: failure()
@@ -81,6 +66,6 @@ jobs:
             -d "{
               \"tags\": \"all\",
               \"title\": \"Gitea Build Failed\",
-              \"body\": \"Repo: ${{ gitea.repository }}\\nBranch: ${{ gitea.ref_name }}\\nCheck logs in Gitea\"
+              \"body\": \"Repo: ${{ gitea.repository }}\\nBranch: ${{ steps.tag.outputs.branch }}\\nCheck logs in Gitea\"
             }" \
-            http://10.47.0.213:4444/notify/926263506803e21d72e382edd0caf3fb510a9629d860601dfb79506b5758c133
+            ${{ secrets.APPRISE_URL }}