add image scanning on pull_request

Signed-off-by: zhzhuang-zju <[email protected]>

.github/workflows/ci-image-scanning.yaml

@@ -1,6 +1,11 @@
 name: image-scanning
 on:
-  push: 
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
 jobs:
   use-trivy-to-scan-image:
     name: image-scanning
@@ -24,27 +29,38 @@ jobs:
     steps:
       - name: checkout code
         uses: actions/checkout@v3
+        with:
+          # Number of commits to fetch. 0 indicates all history for all branches and tags.
+          # We need to guess version via git tags.
+          fetch-depth: 0
+      - name: install Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.20.11
       - name: Build an image from Dockerfile
         run: |
           export VERSION="latest"
           export REGISTRY="docker.io/karmada"
           make image-${{ matrix.target }}
       - name: Run Trivy vulnerability scanner
+        if: ${{ github.event_name == 'push' }}
         uses: aquasecurity/[email protected]
         with:
           image-ref: 'docker.io/karmada/${{ matrix.target }}:latest'
           format: 'sarif'
           ignore-unfixed: true
           vuln-type: 'os,library'
           output: 'trivy-results.sarif'
+      - name: Upload Trivy scan results to GitHub Security tab
+        if: ${{ github.event_name == 'push' }}
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
       - name: display scan results
+        if: ${{ github.event_name == 'pull_request' }}
         uses: aquasecurity/[email protected]
         with:
           image-ref: 'docker.io/karmada/${{ matrix.target }}:latest'
           format: 'table'
           ignore-unfixed: true
           vuln-type: 'os,library'
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
-        with:
-          sarif_file: 'trivy-results.sarif'