refactor(ci): drop aquasecurity/trivy-action, use direct trivy binary #1940
Dependency Review
✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.
No actionable comments were generated in the recent review. 🎉
Walkthrough
This PR replaces aquasecurity/trivy-action with direct trivy CLI invocations across composite actions and workflows. It adds a required trivy-version input, downloads and verifies a pinned Trivy release, installs the trivy binary to /usr/local/bin/trivy, and runs trivy image to produce JSON and SARIF reports (amd64 and optional arm64) using CRITICAL/HIGH severities and the repository ignorefile. Workflows are wired to pass TRIVY_VERSION to the build-scan-image action; the web job installs Trivy and runs JSON evaluation plus an always-run SARIF scan. Zizmor config now ignores cla.yml.
🚥 Pre-merge checks: ✅ Passed checks (5 passed)
Code Review
This pull request replaces the aquasecurity/trivy-action with manual Trivy CLI installation and execution within the build-apko-base and build-scan-image composite actions. It introduces a new trivy-version input and adds a manual installation step that includes checksum verification. Feedback was provided regarding a potential permission issue in the installation step, as extracting the Trivy binary to /usr/local/bin on standard GitHub-hosted runners typically requires sudo privileges.
| curl -sfL --retry 5 --retry-delay 5 --retry-all-errors "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" -o "/tmp/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" | ||
| curl -sfL --retry 5 --retry-delay 5 --retry-all-errors "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_checksums.txt" -o /tmp/trivy_checksums.txt | ||
| (cd /tmp && grep "trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" trivy_checksums.txt | sha256sum -c -) | ||
| tar -xzf "/tmp/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" -C /usr/local/bin trivy |
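Review bot: The checksum file fetched by the second `curl` comes from the same release download path as the tarball fetched by the first, so the `sha256sum -c -` line catches a corrupted or truncated download but not a replaced release asset; keeping the expected SHA-256 in the repository next to `TRIVY_VERSION` would cover that case. In the `grep` line the file name is treated as a regular expression and any number of matching lines is passed on, so `grep -F` plus a check that exactly one line matched would make the lookup exact. The `tar` line writes straight into `/usr/local/bin`; extracting into a temporary directory and installing the single `trivy` member from there keeps a partial extract off `PATH`.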
The tar command attempts to extract the trivy binary into /usr/local/bin. On standard GitHub-hosted runners (ubuntu-latest), this directory is owned by root and typically requires sudo for write access. Since sudo is used elsewhere in this file (e.g., line 136 for disk cleanup), it should likely be applied here as well to prevent permission denied errors during installation.
sudo tar -xzf "/tmp/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" -C /usr/local/bin trivy
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/docker.yml:
- Around line 818-823: The "Install Trivy" job currently extracts the tarball
directly into /usr/local/bin (root-owned) which causes a permission error;
change the step to extract into a temporary directory (e.g., /tmp) and then move
or install the binary into /usr/local/bin using sudo (use the "Install Trivy"
step, extract "/tmp/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" to /tmp, validate
checksums as before, and then run sudo install or sudo mv to place the trivy
binary into /usr/local/bin so the action no longer fails with Permission
denied).
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: b1fb9869-8bc0-44cc-8289-a2790fff2e3c
📒 Files selected for processing (4)
- .github/.zizmor.yml
- .github/actions/build-apko-base/action.yml
- .github/actions/build-scan-image/action.yml
- .github/workflows/docker.yml
💤 Files with no reviewable changes (1)
- .github/.zizmor.yml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (19)
- GitHub Check: Build Backend
- GitHub Check: Build Fine-Tune (cpu, fine-tune-cpu)
- GitHub Check: Build Fine-Tune (gpu, fine-tune-gpu)
- GitHub Check: Build Sidecar
- GitHub Check: Dashboard Type Check
- GitHub Check: Dashboard Test
- GitHub Check: Dashboard Build
- GitHub Check: Dashboard Lint
- GitHub Check: Test (Python 3.14)
- GitHub Check: Type Check
- GitHub Check: Runtime Stats Freshness Gate
- GitHub Check: Lint
- GitHub Check: Build Web Assets (melange)
- GitHub Check: Build Sandbox Base (apko)
- GitHub Check: Build Preview
- GitHub Check: Analyze (python)
- GitHub Check: Analyze (javascript-typescript)
- GitHub Check: Analyze (actions)
- GitHub Check: Analyze (go)
🔇 Additional comments (8)
.github/actions/build-scan-image/action.yml (6)
92-94: LGTM!
314-322: LGTM!
327-334: LGTM!
343-351: LGTM!
370-378: LGTM!
387-395: LGTM!
.github/actions/build-apko-base/action.yml (1)
121-130: LGTM!
.github/workflows/docker.yml (1)
535-535: LGTM!
Also applies to: 814-816, 826-841, 951-951, 1014-1014, 1101-1101
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
## main #1940 +/- ##
=======================================
Coverage 85.14% 85.14%
=======================================
Files 1846 1846
Lines 107752 107752
Branches 9287 9287
=======================================
Hits 91747 91747
Misses 13757 13757
Partials 2248 2248
f276952 to 635ab80
<!-- HIGHLIGHTS_START -->
## Highlights

> _AI-generated summary (model: `openai/gpt-4.1-mini` via GitHub Models). Commit-based changelog below._

### What you'll notice

- Frontend WP-6 update with UX polish improves user interface and workflow.
- Dashboard and training endpoint improvements enhance observability and dispatch behavior.
- Web storybook now supports change detection for more responsive UI interactions.
- Git hooks now isolated per worktree for cleaner repository management.
- Providers automatically detect native streaming support in Litellm models.

### What's new

- Added a new pipeline to convert Pydantic DTOs to TypeScript for better front-end compatibility.

### Under the hood

- Refactored settings to three precedence categories, removing YAML tier for simpler configuration.
- Completed RootConfig mirror coverage for enhanced configuration consistency.
- Adopted API conventions with better query performance and forbidden extra fields for stricter validation.
- Improved persistence, layer discipline, and restart safety in core work packages.
- CI updated with split test jobs and tightened coverage gates for better test quality.
- Switched to direct Trivy binary for security scans, removing previous Trivy action dependency.
- Enhanced memory management with per-call processing options and better observability during speech-to-text encoding.
- Various dependency updates for Python, infrastructure, and lock files maintain security and stability.
- Removed TypeScript DTO type-tightening overlays to simplify type management.
- Codebase audit tightened skill sets to prevent false positivity in class detection by 2026.
<!-- HIGHLIGHTS_END -->

:robot: I have created a release *beep* *boop*

---

## [0.8.5](v0.8.4...v0.8.5) (2026-05-17)

### Features

* **codegen:** pydantic-to-typescript DTO pipeline + parity gate (closes [#1889](#1889)) ([#1909](#1909)) ([0265ef5](0265ef5))
* **storybook:** enable changeDetection + trim web/CLAUDE.md ([#1939](#1939)) ([3b1f4c0](3b1f4c0))
* **web,setup:** WP-6 frontend + UX polish ([#1941](#1941)) ([d9ca76d](d9ca76d))

### Bug Fixes

* correct invalid git for-each-ref syntax in post-merge-cleanup skill ([#1946](#1946)) ([69a1649](69a1649))
* dashboard polish, training endpoint dispatch, and observability cleanup ([#1911](#1911)) ([b61e9e8](b61e9e8))
* per-worktree git-hook isolation + hookify gate migration + MSW drift fix ([#1949](#1949)) ([e3f8495](e3f8495))
* **providers:** read supports_native_streaming from litellm model info ([#1942](#1942)) ([60364ca](60364ca))
* security and audit coverage (closes [#1883](#1883)) ([#1904](#1904)) ([d8ebf55](d8ebf55))

### Performance

* **ci:** mypy --num-workers=4 + enable ruff TID255 ([#1944](#1944)) ([484c1d3](484c1d3))

### Refactoring

* **ci:** drop aquasecurity/trivy-action, use direct trivy binary ([#1940](#1940)) ([df1f946](df1f946))
* **memory:** per-call processing_kwargs + observability for ST encode ([#1943](#1943)) ([3aa9d20](3aa9d20))
* Phase 7 follow-up — complete RootConfig mirror coverage (closes [#1907](#1907)) ([#1914](#1914)) ([605500b](605500b))
* **settings:** collapse precedence to three categories; drop YAML tier (closes [#1890](#1890)) ([#1910](#1910)) ([efd54c9](efd54c9))
* WP-3 API conventions + query performance + project-wide extra=forbid ([#1953](#1953)) ([504d579](504d579)), closes [#1918](#1918)
* WP-4 settings + cross-cutting (clock seam, contextvars, dispatch, plugin surfaces) ([#1954](#1954)) ([7207d92](7207d92))
* **wp1:** persistence + layer discipline + restart safety ([#1945](#1945)) ([57586fb](57586fb))

### Documentation

* **wp5:** public-facing truth refresh ([#1924](#1924)) ([afb5cc5](afb5cc5))

### CI/CD

* split test job by marker with airtight aggregate coverage gate ([#1948](#1948)) ([0b818d5](0b818d5)), closes [#1938](#1938) [#1937](#1937)

### Maintenance

* **codebase-audit:** tighten skill to prevent 2026-05-15 FP classes ([#1923](#1923)) ([9317ed1](9317ed1))
* Lock file maintenance ([#1913](#1913)) ([c08a355](c08a355))
* Lock file maintenance ([#1950](#1950)) ([8940ab1](8940ab1))
* remove TS DTO type-tightening overlays ([#1915](#1915)) ([d296214](d296214)), closes [#1906](#1906)
* Update Infrastructure dependencies ([#1928](#1928)) ([d19fae5](d19fae5))
* Update Python dependencies ([#1929](#1929)) ([75cc2c8](75cc2c8))
* **wp7:** hygiene, stubs, test/CI/tooling, doc gaps, boundary patterns doc ([#1926](#1926)) ([c29eb32](c29eb32))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

---------

Co-authored-by: synthorg-repo-bot[bot] <279117679+synthorg-repo-bot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Summary
Drops the `aquasecurity/trivy-action@v0.36.0` wrapper from all 7 callsites and replaces each with direct `trivy image` shell invocations. The trivy binary is curl-installed + sha256-verified, with `TRIVY_VERSION` (`.github/workflows/docker.yml:47`) as the single source of truth.
Why
- `trivy-action` callsite carried a literal `version: v0.70.0` plus a Renovate marker, in addition to the curl-installed copy tracked by the `TRIVY_VERSION` env. Renovate had to keep both in sync.
- `# zizmor: ignore[template-injection]` block (on the trivy-action `with:` in `build-apko-base`) AND 1 workflow-level ignore (`template-injection: ignore: docker.yml` in `.zizmor.yml`) gone. The new `run:` steps consume their refs via `env:` blocks, which zizmor doesn't flag.
Callsites replaced (7)
- `.github/actions/build-apko-base/action.yml`
- `.github/actions/build-scan-image/action.yml`
- `.github/actions/build-scan-image/action.yml`
- `.github/actions/build-scan-image/action.yml`
- `.github/actions/build-scan-image/action.yml`
- `.github/workflows/docker.yml`
- `.github/workflows/docker.yml`
Plumbing
- `trivy-version` input on `.github/actions/build-scan-image/action.yml` (required, no default). Composites don't inherit workflow `env:`, so the version is threaded through. Four callers updated in `docker.yml`: `build-backend`, `build-sandbox`, `build-sidecar`, `build-fine-tune` matrix.
- `Install Trivy` step (curl + sha256 + tar; identical shape to the existing one at `build-apko-base/action.yml:95-103`) added to `build-scan-image` and to `docker.yml` `build-web`. `build-apko-base` already had one.
- `--severity CRITICAL,HIGH`, same `--exit-code 0`, same `--ignorefile .github/.trivyignore.yaml`, same SARIF categories on the downstream `codeql-action/upload-sarif` steps. The JSON scans still feed `scripts/evaluate-scan.sh` (CRITICAL = fail, HIGH = warn).
Adjacent fix
- `.github/workflows/docker.yml` `Report image size` (`build-web`): switched `${{ steps.scan-ref.outputs.ref }}` from inline interpolation to an `env:` block. This is a pre-existing template-injection finding that the now-removed workflow-level `.zizmor.yml` ignore had been masking; the env-block pattern matches the new trivy steps. Without this fix the workflow-level ignore would have to be restored.
Test plan
- `uv run pre-commit run actionlint --all-files` passes
- `uv run pre-commit run zizmor --all-files` passes with fewer ignores than before (-1 inline, -1 workflow-level)
- `grep -r "trivy-action" .github/` empty
- `grep -r "version: v0.70.0" .github/` empty
- `.github/workflows/docker.yml` (backend / sandbox / sidecar / fine-tune / web bases + apps + retag) must complete Trivy JSON, SARIF upload, and `evaluate-scan.sh` steps successfully on this PR. The PR run is the only way to validate end-to-end since the workflow only fires on `pull_request: branches: [main]` and `push: branches: [main]`.
Review coverage
Pre-reviewed locally by 3 agents:
- `docs-consistency`: zero drift; no doc names `aquasecurity/trivy-action` or describes the dual-pin pattern.
- `comment-quality-rot`: no reviewer citations, no issue back-refs, no migration framing in any new comment.
- `infra-reviewer`: template-injection wrap verified across all surviving `${{ ... }}` interpolations; supply-chain sha256 check is `set -e`-safe; action SHA pins preserved; composite `trivy-version` input passed by all 4 callers; no permission broadening; no `--no-verify`; no secret echoing.
One MINOR finding (`infra-reviewer`) was addressed in commit `f276952e`: dropped a redundant `env: TRIVY_VERSION: ${{ env.TRIVY_VERSION }}` block on the `Install Trivy` step in `build-web` (workflow-level env was already visible).
Out of scope
- `build-apko-base`, `build-scan-image`, `docker.yml` `build-web`) into a shared `setup-trivy` composite. Three 5-line copies are acceptable.
- `# zizmor: ignore[github-app]` blocks on `owner:` lines (tracked separately by Remove zizmor github-app inline ignores once zizmor-action ships v0.5.5+ with bundled zizmor v1.25.2+ #1937).
- `# zizmor: ignore[template-injection]` blocks on `actions/upload-artifact` and `github/codeql-action/upload-sarif` (not on trivy-action `with:`).
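The curl + sha256 + tar install shape described in this PR, written as a fail-closed shell helper; this is an added example, not code from the PR or the project. The function names, return codes and the usage line's file names are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not the PR's code. Function names and return codes are assumptions.

# verify_artifact <artifact> <checksums-file>
# Returns 0 only if the checksums file holds exactly one entry whose name
# equals the artifact's base name and whose SHA-256 matches the file on disk.
verify_artifact() {
  local artifact="$1" sums="$2" name expected actual
  name="$(basename -- "$artifact")"
  [ -f "$artifact" ] && [ -f "$sums" ] || return 2
  # Exact field comparison, not a regex; "*name" is sha256sum's binary marker.
  expected="$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print tolower($1) }' "$sums")"
  # No match, several matches (embedded newline) or a non-hex digest: fail closed.
  case "$expected" in
    "" | *[!0-9a-f]*) return 3 ;;
  esac
  [ "${#expected}" -eq 64 ] || return 3
  actual="$(sha256sum "$artifact" | awk '{ print $1 }')"
  [ "$actual" = "$expected" ] || return 1
}

# install_verified <tarball> <checksums-file> <member> <dest-dir>
# Verifies first, unpacks only <member> into a private temp dir, then installs
# it, so nothing reaches <dest-dir> unless the digest matched.
install_verified() {
  local tarball="$1" sums="$2" member="$3" dest="$4" tmp rc=0
  verify_artifact "$tarball" "$sums" || return $?
  tmp="$(mktemp -d)" || return 4
  { tar -xzf "$tarball" -C "$tmp" "$member" &&
    install -m 0755 "$tmp/$member" "$dest/$member"; } || rc=$?
  rm -rf "$tmp"
  return "$rc"
}

# Usage in an install step (paths are illustrative):
#   install_verified "/tmp/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" \
#     /tmp/trivy_checksums.txt trivy "$HOME/.local/bin"
```

Return code 1 means a digest mismatch and 3 means the checksums file had no usable single entry for the artifact, which lets a CI log distinguish tampering or corruption from a renamed release asset.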