refactor to simplify main pipeline

helm/templates/_workflow-templates.yaml

@@ -0,0 +1,64 @@
+{{- define "template.workflow.security-pipeline.tasks" -}}
+- name: clone
+  template: clone-repo
+  arguments:
+    parameters:
+      - name: repo-url
+        value: {{ `{{workflow.parameters.repo-url}}` | quote }}
+      - name: git-revision
+        value: {{ `{{workflow.parameters.git-revision}}` | quote }}
+- name: scanners
+  dependencies:
+    - clone
+  template: parallel-scanners
+  arguments:
+    parameters:
+      - name: working-dir
+        value: {{ `{{workflow.parameters.working-dir}}` | quote }}
+- name: enforce-policy
+  dependencies:
+    - scanners
+  template: enforce-policy
+  arguments:
+    parameters:
+      - name: fail-on-cvss
+        value: {{ `{{workflow.parameters.fail-on-cvss}}` | quote }}
+{{- if .Values.storage.enabled }}
+- name: upload-storage
+  dependencies:
+    - scanners
+  template: upload-storage
+{{- end }}
+{{- if .Values.defectdojo.enabled }}
+- name: upload-defectdojo
+  dependencies:
+    - scanners
+  template: upload-defectdojo
+{{- end }}
+{{- end }}
+
+{{- define "template.workflow.parallel-scanners.tasks" -}}
+{{- /* Scanner fan-out is data-driven from pipeline.scanners in values.yaml. */ -}}
+{{- range $scanner := .Values.pipeline.scanners }}
+- name: {{ $scanner }}
+  template: scan-{{ $scanner }}
+  arguments:
+    parameters:
+      - name: working-dir
+        value: {{ `{{inputs.parameters.working-dir}}` | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "template.workflow.named-templates" -}}
+{{- /* Keep the main workflow file focused on orchestration; implementations are included here. */ -}}
+{{- range $scanner := .Values.pipeline.scanners }}
+{{ include (printf "template.scan-%s" $scanner) $ }}
+{{- end }}
+{{- if .Values.storage.enabled }}
+{{ include "template.upload-storage" . }}
+{{- end }}
+{{- if .Values.defectdojo.enabled }}
+{{ include "template.upload-defectdojo" . }}
+{{- end }}
+{{ include "template.enforce-policy" . }}
+{{- end }}