From 03bd1389b8729dce2da4878874c5354218ebb638 Mon Sep 17 00:00:00 2001
From: daniellim1 <173089175+daniellim1@users.noreply.github.com>
Date: Tue, 23 Sep 2025 09:12:58 -0700
Subject: [PATCH 1/3] Create repo_level_scan.yml
added repo level scan for python agent
---
.github/workflows/repo_level_scan.yml | 65 +++++++++++++++++++++++++++
1 file changed, 65 insertions(+)
create mode 100644 .github/workflows/repo_level_scan.yml
diff --git a/.github/workflows/repo_level_scan.yml b/.github/workflows/repo_level_scan.yml
new file mode 100644
index 0000000000..1dbebf57f0
--- /dev/null
+++ b/.github/workflows/repo_level_scan.yml
@@ -0,0 +1,65 @@
+name: 'Repo Level Trivy Scan'
+
+on:
+ pull_request:
+ schedule:
+ - cron: '0 0 * * *'
+
+jobs:
+ # Job 1: Build the Docker image for the Python agent and push it to GHCR
+ build:
+ name: 'Build and Push Docker Image'
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+
+ outputs:
+ image-name: ${{ steps.set-image-name.outputs.image-name }}
+
+ steps:
+ - name: 'Checkout code'
+ uses: actions/checkout@v4
+
+ - name: 'Set up Python'
+ uses: actions/setup-python@v5
+ with:
+ python-version: '3.11'
+
+ - name: 'Install dependencies from setup.py'
+ run: |
+ python -m pip install --upgrade pip
+ pip install .
+
+ - name: 'Log in to GitHub Container Registry'
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: 'Build and push Docker image'
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ push: true
+ tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
+ # locate Dockerfile
+ file: ./.github/containers/Dockerfile
+
+ - name: 'Set image name output'
+ id: set-image-name
+ run: echo "image-name=ghcr.io/${{ github.repository }}:${{ github.sha }}" >> $GITHUB_OUTPUT
+
+ # Job 2: Call the reusable organization workflow
+ scan:
+ name: 'Trigger Organization Scan'
+ needs: build
+ permissions:
+ contents: read
+ packages: read
+ security-events: write
+ uses: newrelic-trivy/.github/.github/workflows/org-level-trivy-scan.yml@main
+ with:
+ image-name: ${{ needs.build.outputs.image-name }}
+ secrets: inherit
From 029158d0ba17ac997bfe3b523e546364f0729124 Mon Sep 17 00:00:00 2001
From: daniellim1 <173089175+daniellim1@users.noreply.github.com>
Date: Tue, 23 Sep 2025 09:28:13 -0700
Subject: [PATCH 2/3] Update repo_level_scan.yml
updated repo level scan for python agent
---
.github/workflows/repo_level_scan.yml | 21 ++++----------------
1 file changed, 4 insertions(+), 17 deletions(-)
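Review bot: The `scan` job's `uses: newrelic-trivy/.github/.github/workflows/org-level-trivy-scan.yml@main` combined with `secrets: inherit` hands every secret of this repository to whatever that branch contains at run time, so a change to (or compromise of) the org workflow repo runs with this repo's secrets without any change being reviewed here; pin the reusable workflow to a full commit SHA, and if the scan needs nothing beyond the GITHUB_TOKEN already scoped by `permissions:`, replace `secrets: inherit` with an explicit `secrets:` list. The same mutable-ref concern applies to `@v4`/`@v5`/`@v3`/`@v6` on the actions in the `build` job, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`. Separately, the workflow runs on `pull_request` with `push: true`, so every same-repository PR publishes an unreviewed image to `ghcr.io/${{ github.repository }}:${{ github.sha }}` (fork PRs presumably fail at the push because their token lacks `packages: write`); if publishing PR builds is not intended, gate the push, e.g. `push: ${{ github.event_name != 'pull_request' }}`, and document the expected behaviour in a comment above the step.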
diff --git a/.github/workflows/repo_level_scan.yml b/.github/workflows/repo_level_scan.yml
index 1dbebf57f0..773ca070eb 100644
--- a/.github/workflows/repo_level_scan.yml
+++ b/.github/workflows/repo_level_scan.yml
@@ -2,11 +2,8 @@ name: 'Repo Level Trivy Scan'
 on:
 pull_request:
- schedule:
- - cron: '0 0 * * *'
 jobs:
- # Job 1: Build the Docker image for the Python agent and push it to GHCR
 build:
 name: 'Build and Push Docker Image'
 runs-on: ubuntu-latest
@@ -21,16 +18,6 @@ jobs:
 - name: 'Checkout code'
 uses: actions/checkout@v4
- - name: 'Set up Python'
- uses: actions/setup-python@v5
- with:
- python-version: '3.11'
-
- - name: 'Install dependencies from setup.py'
- run: |
- python -m pip install --upgrade pip
- pip install .
-
 - name: 'Log in to GitHub Container Registry'
 uses: docker/login-action@v3
 with:
@@ -41,17 +28,17 @@ jobs:
 - name: 'Build and push Docker image'
 uses: docker/build-push-action@v6
 with:
- context: .
+ # --- FIX: The build context is now the correct directory ---
+ context: ./.github/containers
+ # The file path is also updated to be explicit
+ file: ./.github/containers/Dockerfile
 push: true
 tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
- # locate Dockerfile
- file: ./.github/containers/Dockerfile
 - name: 'Set image name output'
 id: set-image-name
 run: echo "image-name=ghcr.io/${{ github.repository }}:${{ github.sha }}" >> $GITHUB_OUTPUT
- # Job 2: Call the reusable organization workflow
 scan:
 name: 'Trigger Organization Scan'
 needs: build
From 780e95976da39375712dc35d3b9718bf8ef12ad0 Mon Sep 17 00:00:00 2001
From: daniellim1 <173089175+daniellim1@users.noreply.github.com>
Date: Wed, 24 Sep 2025 08:58:04 -0700
Subject: [PATCH 3/3] Update repo_level_scan.yml
updating permissions for reading actions
---
.github/workflows/repo_level_scan.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/repo_level_scan.yml b/.github/workflows/repo_level_scan.yml
index 773ca070eb..13a8522621 100644
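Review bot: With `context: ./.github/containers` the Docker build no longer sees the repository checkout, so unless the Dockerfile in that directory (not part of this diff) obtains the agent some other way, the image handed to Trivy contains only the base image plus whatever that Dockerfile adds, not the Python agent the series title says it is scanning; this is worth confirming before relying on the scan results. The `# --- FIX: The build context is now the correct directory ---` and `# The file path is also updated to be explicit` comments describe this commit rather than the file and will read as noise to the next maintainer; replace both with one line that states the invariant, e.g. `# Build context is .github/containers only; the repo checkout is not copied into the image`. The `build` job this step belongs to starts above the hunk.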
--- a/.github/workflows/repo_level_scan.yml
+++ b/.github/workflows/repo_level_scan.yml
@@ -43,6 +43,7 @@ jobs:
 name: 'Trigger Organization Scan'
 needs: build
 permissions:
+ actions: read
 contents: read
 packages: read
 security-events: write
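Review bot: The added `actions: read` carries no comment saying which step of the called workflow needs it, and because a reusable workflow can never receive more than the caller's `permissions:`, this block is the only place in this repository that records the scan's real privilege needs; suggest `actions: read  # required by org-level-trivy-scan.yml (confirm which step); keep this list minimal`. Also note that on `pull_request` runs from forked repositories the GITHUB_TOKEN is read-only, so `security-events: write` is not actually granted there and any SARIF upload the called workflow performs (presumably why that permission exists) will fail; if fork PRs must be scanned too, a `push`/`schedule` trigger on the default branch is the safer route to write permissions than switching to `pull_request_target`. The `scan` job's definition starts above this hunk.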