From 862d9a2a789099bed23c3f92e1bef8e6454095b0 Mon Sep 17 00:00:00 2001
From: Jakub Stejskal
Date: Wed, 17 Jun 2026 19:44:21 +0200
Subject: [PATCH 1/7] Add fix for snyk monitor command
Signed-off-by: Jakub Stejskal
---
 .../actions/security/snyk-container-scan/action.yml | 2 +-
 .github/actions/security/snyk-maven-scan/action.yml | 6 ++++--
 .github/workflows/test-snyk.yml | 10 +++++++---
 3 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/.github/actions/security/snyk-container-scan/action.yml b/.github/actions/security/snyk-container-scan/action.yml
index a6b26b5..aa0197c 100644
--- a/.github/actions/security/snyk-container-scan/action.yml
+++ b/.github/actions/security/snyk-container-scan/action.yml
@@ -89,7 +89,7 @@ runs:
 # Monitor command is used for upload snapshot of the scan to Snyk App where Snyk will do daily scans and can generate reports
 - name: Run Snyk monitor
- if: ${{ inputs.monitor == 'true' }}
+ if: ${{ inputs.snykMonitor == 'true' }}
 shell: bash
 continue-on-error: true
 run: |
diff --git a/.github/actions/security/snyk-maven-scan/action.yml b/.github/actions/security/snyk-maven-scan/action.yml
index 68de261..eef1e92 100644
--- a/.github/actions/security/snyk-maven-scan/action.yml
+++ b/.github/actions/security/snyk-maven-scan/action.yml
@@ -59,11 +59,13 @@ runs:
 # Monitor command is used for upload snapshot of the scan to Snyk App where Snyk will do daily scans and can generate reports
 - name: Run Snyk monitor
- if: ${{ inputs.monitor == 'true' }}
+ if: ${{ inputs.snykMonitor == 'true' }}
 shell: bash
 continue-on-error: true
 env:
 PROJECT_PREFIX: ${{ inputs.projectPrefix }}
 run: |
 REPO_NAME="${GITHUB_REPOSITORY##*/}"
- snyk monitor --project-name="${PROJECT_PREFIX}/${REPO_NAME}"
+ snyk monitor \
+ --project-name="${PROJECT_PREFIX}/${REPO_NAME}" \
+ --target-reference="${GITHUB_REF_NAME}"
diff --git a/.github/workflows/test-snyk.yml b/.github/workflows/test-snyk.yml
index 6352437..4ee7864 100644
--- a/.github/workflows/test-snyk.yml
+++ b/.github/workflows/test-snyk.yml
@@ -6,6 +6,8 @@ on:
 branches:
 - "main"
 - "release-*"
+ # TODO - Revert this
+ - "fix-snyk-uploads"
 permissions:
 contents: read
@@ -59,7 +61,7 @@ jobs:
 uses: ./.github/actions/security/snyk-maven-scan
 with:
 # Keep false to avoid uploading testing results to Snyk App
- snykMonitor: "false"
+ snykMonitor: "true"
 # Keep false to avoid uploading results to GitHub Code Scanning page
 uploadToCodeScanning: "false"
 projectPrefix: test-drain-cleaner
@@ -182,6 +184,8 @@ jobs:
 - kaniko-executor-latest-amd64
 - maven-builder-latest-amd64
 - operator-latest-amd64
+ # TODO - revert this
+ - kafka-build-kafka-4.2.0-amd64
 steps:
 - name: Checkout github-actions
 uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
@@ -204,7 +208,7 @@ jobs:
 with:
 imageFile: docker-images/container-archives/${{ matrix.image }}.tar.gz
 image: ${{ matrix.image }}
- snykMonitor: "false"
+ snykMonitor: "true"
 uploadToCodeScanning: "false"
 projectPrefix: test-operators
 env:
@@ -254,7 +258,7 @@ jobs:
 imageFile: drain-cleaner-container-amd64.tar.gz
 image: drain-cleaner-amd64
 # Keep false to avoid uploading testing results to Snyk App
- snykMonitor: "false"
+ snykMonitor: "true"
 # Keep false to avoid uploading results to GitHub Code Scanning page
 uploadToCodeScanning: "false"
 projectPrefix: test-drain-cleaner
From a68c93fa58e6d79791c340f47ff87bd277be87c1 Mon Sep 17 00:00:00 2001
From: Jakub Stejskal
Date: Wed, 17 Jun 2026 20:02:32 +0200
Subject: [PATCH 2/7] Simplify monitor cmd for maven
Signed-off-by: Jakub Stejskal
---
 .github/actions/security/snyk-maven-scan/action.yml | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/.github/actions/security/snyk-maven-scan/action.yml b/.github/actions/security/snyk-maven-scan/action.yml
index eef1e92..452ea52 100644
--- a/.github/actions/security/snyk-maven-scan/action.yml
+++ b/.github/actions/security/snyk-maven-scan/action.yml
@@ -62,10 +62,5 @@ runs:
 if: ${{ inputs.snykMonitor == 'true' }}
 shell: bash
 continue-on-error: true
- env:
- PROJECT_PREFIX: ${{ inputs.projectPrefix }}
 run: |
- REPO_NAME="${GITHUB_REPOSITORY##*/}"
- snyk monitor \
- --project-name="${PROJECT_PREFIX}/${REPO_NAME}" \
- --target-reference="${GITHUB_REF_NAME}"
+ snyk monitor --target-reference="${GITHUB_REF_NAME}"
From 0881a66cd837598a32ec224222a58b5858da189c Mon Sep 17 00:00:00 2001
From: Jakub Stejskal
Date: Wed, 17 Jun 2026 20:48:00 +0200
Subject: [PATCH 3/7] Add testing branch also to integration workflow
Signed-off-by: Jakub Stejskal
---
 .github/workflows/test-integrations.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/test-integrations.yml b/.github/workflows/test-integrations.yml
index ffe1a3f..17718fe 100644
--- a/.github/workflows/test-integrations.yml
+++ b/.github/workflows/test-integrations.yml
@@ -8,6 +8,8 @@ on:
 branches:
 - "main"
 - "release-*"
+ # TODO - Revert this
+ - "fix-snyk-uploads"
 # Declare default permissions as read only
 permissions:
From e752a8492be8a7f8555f95c639d21c8284a68df9 Mon Sep 17 00:00:00 2001
From: Jakub Stejskal
Date: Wed, 17 Jun 2026 22:16:29 +0200
Subject: [PATCH 4/7] Handle container target reference
Signed-off-by: Jakub Stejskal
---
 .github/actions/security/snyk-container-scan/action.yml | 9 +++++++++
 .github/workflows/test-snyk.yml | 1 +
 2 files changed, 10 insertions(+)
diff --git a/.github/actions/security/snyk-container-scan/action.yml b/.github/actions/security/snyk-container-scan/action.yml
index aa0197c..db99314 100644
--- a/.github/actions/security/snyk-container-scan/action.yml
+++ b/.github/actions/security/snyk-container-scan/action.yml
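Review bot: `snyk monitor --target-reference="${GITHUB_REF_NAME}"` now forwards whatever ref the caller ran on, and GITHUB_REF_NAME is only a branch name on branch pushes — on `pull_request` runs it is `<number>/merge` and on tag pushes it is the tag — so any caller that sets `snykMonitor: "true"` from another event would register snapshots under ephemeral targets in the Snyk App. Either guard the step, `if: ${{ inputs.snykMonitor == 'true' && github.event_name == 'push' }}`, or state in the `snykMonitor` input description (outside this hunk) that monitoring is only meaningful on branch pushes. Dropping `--project-name` also leaves the `projectPrefix` input, which test-snyk.yml still passes to this action, unused by the monitor step; either remove it from the maven action or document that the project name is now whatever Snyk derives from the Maven build. The retained `continue-on-error: true` means a rejected upload (e.g. an expired token) never fails the job, so consider at least echoing the target reference before the call so a skipped or rejected snapshot is visible in the log.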
@@ -15,6 +15,10 @@ inputs:
 projectPrefix:
 description: "Project prefix for Snyk dashboard (e.g., 'strimzi')"
 required: true
+ snykMonitorTargetReference:
+ description: "Value for --target-reference in 'snyk container monitor' (e.g. release version). Defaults to the image tag."
+ required: false
+ default: ""
 uploadToCodeScanning:
 description: "Whether to upload SARIF results to GitHub Code Scanning"
 required: false
@@ -92,10 +96,15 @@ runs:
 if: ${{ inputs.snykMonitor == 'true' }}
 shell: bash
 continue-on-error: true
+ env:
+ TARGET_REFERENCE: ${{ inputs.snykMonitorTargetReference }}
 run: |
 if [ -n "$LOADED_IMAGE" ]; then
 MONITOR_PROJECT="${LOADED_IMAGE%%:*}"
 MONITOR_REVISION="${LOADED_IMAGE##*:}"
+ if [ -n "$TARGET_REFERENCE" ]; then
+ MONITOR_REVISION="$TARGET_REFERENCE"
+ fi
 snyk container monitor "$LOADED_IMAGE" \
 --project-name="$MONITOR_PROJECT" \
 --target-reference="$MONITOR_REVISION"
diff --git a/.github/workflows/test-snyk.yml b/.github/workflows/test-snyk.yml
index 4ee7864..2fe3901 100644
--- a/.github/workflows/test-snyk.yml
+++ b/.github/workflows/test-snyk.yml
@@ -209,6 +209,7 @@ jobs:
 imageFile: docker-images/container-archives/${{ matrix.image }}.tar.gz
 image: ${{ matrix.image }}
 snykMonitor: "true"
+ snykMonitorTargetReference: "latest"
 uploadToCodeScanning: "false"
 projectPrefix: test-operators
 env:
From fe970bfea8ba1ef9d4e8c6ee55f69d598bbbcf99 Mon Sep 17 00:00:00 2001
From: Jakub Stejskal
Date: Thu, 18 Jun 2026 10:38:39 +0200
Subject: [PATCH 5/7] Add reference param
Signed-off-by: Jakub Stejskal
---
 .github/workflows/test-snyk.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/test-snyk.yml b/.github/workflows/test-snyk.yml
index 2fe3901..b05fb2d 100644
--- a/.github/workflows/test-snyk.yml
+++ b/.github/workflows/test-snyk.yml
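Review bot: `MONITOR_PROJECT="${LOADED_IMAGE%%:*}"` cuts at the first colon, so if LOADED_IMAGE (set by a step outside this hunk) ever carries a registry with a port, such as `localhost:5000/ns/img:tag`, the project name becomes `localhost` while the revision is still taken from the last colon; `MONITOR_PROJECT="${LOADED_IMAGE%:*}"` keeps the full repository path, and a digest reference (`img@sha256:…`) would still need its own handling. Passing the new `snykMonitorTargetReference` input through `env:` rather than interpolating it into `run:` is the right pattern for a caller-controlled value, and the `"$MONITOR_REVISION"` quoting keeps it out of shell parsing. The input description should however say what reusing a constant implies: the same project-name/target-reference pair updates the same Snyk project on every run rather than building per-version history, which is exactly what the test workflow's `"latest"` does. Since the step keeps `continue-on-error: true`, consider `echo "monitor project=$MONITOR_PROJECT ref=$MONITOR_REVISION"` before the `snyk container monitor` call so a rejected upload leaves a trace in the job log.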
@@ -260,6 +260,7 @@ jobs:
 image: drain-cleaner-amd64
 # Keep false to avoid uploading testing results to Snyk App
 snykMonitor: "true"
+ snykMonitorTargetReference: "latest"
 # Keep false to avoid uploading results to GitHub Code Scanning page
 uploadToCodeScanning: "false"
 projectPrefix: test-drain-cleaner
From 4573ca1f6742d02ef41aa39b931510bd36e1d446 Mon Sep 17 00:00:00 2001
From: Jakub Stejskal
Date: Thu, 18 Jun 2026 10:39:54 +0200
Subject: [PATCH 6/7] Revert testing changes
Signed-off-by: Jakub Stejskal
---
 .github/workflows/test-integrations.yml | 2 --
 .github/workflows/test-snyk.yml | 8 ++------
 2 files changed, 2 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/test-integrations.yml b/.github/workflows/test-integrations.yml
index 17718fe..ffe1a3f 100644
--- a/.github/workflows/test-integrations.yml
+++ b/.github/workflows/test-integrations.yml
@@ -8,8 +8,6 @@ on:
 branches:
 - "main"
 - "release-*"
- # TODO - Revert this
- - "fix-snyk-uploads"
 # Declare default permissions as read only
 permissions:
diff --git a/.github/workflows/test-snyk.yml b/.github/workflows/test-snyk.yml
index b05fb2d..aeb8a88 100644
--- a/.github/workflows/test-snyk.yml
+++ b/.github/workflows/test-snyk.yml
@@ -6,8 +6,6 @@ on:
 branches:
 - "main"
 - "release-*"
- # TODO - Revert this
- - "fix-snyk-uploads"
 permissions:
 contents: read
@@ -184,8 +182,6 @@ jobs:
 - kaniko-executor-latest-amd64
 - maven-builder-latest-amd64
 - operator-latest-amd64
- # TODO - revert this
- - kafka-build-kafka-4.2.0-amd64
 steps:
 - name: Checkout github-actions
 uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
@@ -208,7 +204,7 @@ jobs:
 with:
 imageFile: docker-images/container-archives/${{ matrix.image }}.tar.gz
 image: ${{ matrix.image }}
- snykMonitor: "true"
+ snykMonitor: "false"
 snykMonitorTargetReference: "latest"
 uploadToCodeScanning: "false"
 projectPrefix: test-operators
@@ -259,7 +255,7 @@ jobs:
 imageFile: drain-cleaner-container-amd64.tar.gz
 image: drain-cleaner-amd64
 # Keep false to avoid uploading testing results to Snyk App
- snykMonitor: "true"
+ snykMonitor: "false"
 snykMonitorTargetReference: "latest"
 # Keep false to avoid uploading results to GitHub Code Scanning page
 uploadToCodeScanning: "false"
From 61f725c1350da067af51bd0d9d5c2151b02abe85 Mon Sep 17 00:00:00 2001
From: Jakub Stejskal
Date: Thu, 18 Jun 2026 10:41:16 +0200
Subject: [PATCH 7/7] Fix one missing leftover
Signed-off-by: Jakub Stejskal
---
 .github/workflows/test-snyk.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/test-snyk.yml b/.github/workflows/test-snyk.yml
index aeb8a88..abcce2e 100644
--- a/.github/workflows/test-snyk.yml
+++ b/.github/workflows/test-snyk.yml
@@ -59,7 +59,7 @@ jobs:
 uses: ./.github/actions/security/snyk-maven-scan
 with:
 # Keep false to avoid uploading testing results to Snyk App
- snykMonitor: "true"
+ snykMonitor: "false"
 # Keep false to avoid uploading results to GitHub Code Scanning page
 uploadToCodeScanning: "false"
 projectPrefix: test-drain-cleaner