From efc887ee2914812e700e87f1767c7da6f69a0c19 Mon Sep 17 00:00:00 2001 From: Sean Cheah Date: Wed, 4 Mar 2026 13:11:29 -0800 Subject: [PATCH 01/14] Use Trivy for image vulnerability scanning JUnit template copied from Trivy's contrib dir --- .github/trivy-junit.tpl | 75 +++++++++++++++++++++++++++ .github/workflows/docker_security.yml | 65 ++++++++++++++++++----- 2 files changed, 126 insertions(+), 14 deletions(-) create mode 100644 .github/trivy-junit.tpl diff --git a/.github/trivy-junit.tpl b/.github/trivy-junit.tpl new file mode 100644 index 000000000..e4313c124 --- /dev/null +++ b/.github/trivy-junit.tpl @@ -0,0 +1,75 @@ + + +{{- range . -}} +{{- $failures := len .Vulnerabilities }} + + {{- if not (eq .Type "") }} + + + + {{- end -}} + {{ range .Vulnerabilities }} + + {{ escapeXML .Description }} + + {{- end }} + + +{{- $target := .Target }} +{{- if .MisconfSummary }} + +{{- else }} + +{{- end }} + {{- if not (eq .Type "") }} + + + + {{- end -}} + {{ range .Misconfigurations }} + + {{- if (eq .Status "FAIL") }} + + {{- $target }}: + {{- with .CauseMetadata }} + {{- .StartLine }} + {{- if lt .StartLine .EndLine }}:{{ .EndLine }}{{ end }}: Occurrences: + {{- range $i := .Occurrences -}} + via {{ .Filename }}: + {{- .Location.StartLine }} + {{- if lt .Location.StartLine .Location.EndLine }}:{{ .Location.EndLine }}{{ end }} ({{ .Resource }}) + {{- end -}} + Code: + {{- range .Code.Lines }} + {{- if .IsCause }}{{ escapeXML .Content }} {{- end }} + {{- end }} + {{- end }} + {{- escapeXML .Description }} + + {{- end }} + + {{- end }} + + +{{- if .Licenses }} + {{- $licenses := len .Licenses }} + {{ range .Licenses }} + + + + {{- end }} + +{{- end }} + +{{- if .Secrets }} + {{- $secrets := len .Secrets }} + {{ range .Secrets }} + + {{ escapeXML .Match }} + + {{- end }} + +{{- end }} + +{{- end }} + diff --git a/.github/workflows/docker_security.yml b/.github/workflows/docker_security.yml index 9c3eda960..0e3f40eb3 100644 --- a/.github/workflows/docker_security.yml 
+++ b/.github/workflows/docker_security.yml @@ -40,23 +40,60 @@ jobs: cache-from: type=gha cache-to: type=gha,mode=max - - name: Login to Docker Hub - uses: docker/login-action@v3 + - name: Scan image with Trivy (SARIF) + if: github.event_name != 'pull_request' + id: trivy-sarif + uses: aquasecurity/trivy-action@0.34.2 with: - username: ${{ vars.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Analyze for critical and high CVEs - id: docker-scout-cves - uses: docker/scout-action@v1 - with: - command: cves,recommendations - image: vecoli:latest - sarif-file: sarif.output.json - summary: true + image-ref: vecoli:latest + format: sarif + output: trivy-results.sarif + vuln-type: os,library + ignore-unfixed: true - name: Upload SARIF result id: upload-sarif + if: github.event_name != 'pull_request' uses: github/codeql-action/upload-sarif@v4 with: - sarif_file: sarif.output.json + sarif_file: trivy-results.sarif + + - name: Scan image with Trivy (JUnit) + id: trivy-junit + if: github.event_name == 'pull_request' + uses: aquasecurity/trivy-action@0.34.2 + with: + image-ref: vecoli:latest + format: template + template: "@.github/trivy-junit.tpl" + output: trivy-junit.xml + vuln-type: os,library + ignore-unfixed: true + + - name: Publish Trivy test report + if: github.event_name == 'pull_request' + uses: ctrf-io/github-test-reporter@v1 + with: + report-path: trivy-junit.xml + summary-report: false + failed-report: true + pull-request: true + update-comment: true + overwrite-comment: true + integrations-config: | + { + "junit-to-ctrf": { + "enabled": true, + "action": "convert", + "options": { + "output": "./ctrf-reports/ctrf-report.json", + "toolname": "junit-to-ctrf", + "useSuiteName": false, + "env": { + "appName": "vEcoli" + } + } + } + } + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 8ca5c18c31728641b37f4f92c9859151243450ff Mon Sep 17 00:00:00 2001 
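Review bot: Both new third-party actions are referenced by mutable tags (`aquasecurity/trivy-action@0.34.2`, `ctrf-io/github-test-reporter@v1`), so the scanner and the step that renders its output run whatever those tags resolve to at run time; for a workflow whose job is supply-chain hygiene, pin each `uses:` to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha> # 0.34.2`. The same applies to the actions introduced later in this series (`actions/download-artifact@v4`, `actions/github-script@v8`, `actions/checkout@v6`). Separately, `ignore-unfixed: true` on both Trivy steps drops every finding that has no upstream fix from the SARIF upload and from the PR-facing JUnit report, which is a defensible policy but deserves a comment such as `# ignore-unfixed: findings with no available fix are excluded from code scanning and the PR report` so readers of the dashboard know it under-reports by design.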
From: Sean Cheah Date: Wed, 4 Mar 2026 15:07:37 -0800 Subject: [PATCH 02/14] Add GitHub token --- .github/workflows/docker_security.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/docker_security.yml b/.github/workflows/docker_security.yml index 0e3f40eb3..3fd602d73 100644 --- a/.github/workflows/docker_security.yml +++ b/.github/workflows/docker_security.yml @@ -50,6 +50,7 @@ jobs: output: trivy-results.sarif vuln-type: os,library ignore-unfixed: true + github-pat: ${{ secrets.GITHUB_TOKEN }} - name: Upload SARIF result id: upload-sarif @@ -69,6 +70,7 @@ jobs: output: trivy-junit.xml vuln-type: os,library ignore-unfixed: true + github-pat: ${{ secrets.GITHUB_TOKEN }} - name: Publish Trivy test report if: github.event_name == 'pull_request' From 441870b632b434920731c649f11270883569efa3 Mon Sep 17 00:00:00 2001 From: Sean Cheah Date: Wed, 4 Mar 2026 15:20:57 -0800 Subject: [PATCH 03/14] Separate Trivy scan from PR comment PR comment triggers on workflow_run, which can access write tokens --- .github/workflows/docker_security.yml | 32 ++-------------- .github/workflows/trivy_pr_comment.yml | 53 ++++++++++++++++++++++++++ 2 files changed, 57 insertions(+), 28 deletions(-) create mode 100644 .github/workflows/trivy_pr_comment.yml diff --git a/.github/workflows/docker_security.yml b/.github/workflows/docker_security.yml index 3fd602d73..7eb2c6c45 100644 --- a/.github/workflows/docker_security.yml +++ b/.github/workflows/docker_security.yml @@ -3,7 +3,6 @@ name: Docker Build and Security Scan permissions: contents: read security-events: write - pull-requests: write actions: read on: @@ -50,7 +49,6 @@ jobs: output: trivy-results.sarif vuln-type: os,library ignore-unfixed: true - github-pat: ${{ secrets.GITHUB_TOKEN }} - name: Upload SARIF result id: upload-sarif 
@@ -70,32 +68,10 @@ jobs: output: trivy-junit.xml vuln-type: os,library ignore-unfixed: true - github-pat: ${{ secrets.GITHUB_TOKEN }} - - name: Publish Trivy test report + - name: Upload Trivy JUnit result if: github.event_name == 'pull_request' - uses: ctrf-io/github-test-reporter@v1 + uses: actions/upload-artifact@v4 with: - report-path: trivy-junit.xml - summary-report: false - failed-report: true - pull-request: true - update-comment: true - overwrite-comment: true - integrations-config: | - { - "junit-to-ctrf": { - "enabled": true, - "action": "convert", - "options": { - "output": "./ctrf-reports/ctrf-report.json", - "toolname": "junit-to-ctrf", - "useSuiteName": false, - "env": { - "appName": "vEcoli" - } - } - } - } - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + name: trivy-pr-report + path: trivy-junit.xml diff --git a/.github/workflows/trivy_pr_comment.yml b/.github/workflows/trivy_pr_comment.yml new file mode 100644 index 000000000..b5fa44c6a --- /dev/null +++ b/.github/workflows/trivy_pr_comment.yml 
@@ -0,0 +1,53 @@ +name: Trivy PR Comment + +permissions: + contents: read + actions: read + pull-requests: write + +on: + workflow_run: + workflows: ["Docker Build and Security Scan"] + types: [completed] + +jobs: + comment: + if: github.event.workflow_run.event == 'pull_request' + runs-on: ubuntu-latest + steps: + - name: Download Trivy PR artifacts + uses: actions/download-artifact@v4 + with: + run-id: ${{ github.event.workflow_run.id }} + name: trivy-pr-report + path: trivy-artifacts + repository: ${{ github.repository }} + github-token: ${{ secrets.GITHUB_TOKEN }} + + - name: Publish Trivy test report + if: github.event_name == 'pull_request' + uses: ctrf-io/github-test-reporter@v1 + with: + report-path: trivy-artifacts/trivy-junit.xml + summary-report: false + failed-report: true + pull-request: true + update-comment: true + overwrite-comment: true + integrations-config: | + { + "junit-to-ctrf": { + "enabled": true, + "action": "convert", + "options": { + "output": "./ctrf-reports/ctrf-report.json", + "toolname": "junit-to-ctrf", + "useSuiteName": false, + "env": { + "appName": "vEcoli" + } + } + } + } + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From c0f5ea3a9d24fddec83e0d1670cbf67a15796334 Mon Sep 17 00:00:00 2001 From: Sean Cheah Date: Wed, 4 Mar 2026 15:37:09 -0800 Subject: [PATCH 04/14] Remove incorrect gate --- .github/workflows/trivy_pr_comment.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/trivy_pr_comment.yml b/.github/workflows/trivy_pr_comment.yml index b5fa44c6a..692d16c0b 100644 --- a/.github/workflows/trivy_pr_comment.yml +++ b/.github/workflows/trivy_pr_comment.yml @@ -25,7 +25,6 @@ jobs: github-token: ${{ secrets.GITHUB_TOKEN }} - name: Publish Trivy test report - if: github.event_name == 'pull_request' uses: ctrf-io/github-test-reporter@v1 with: report-path: trivy-artifacts/trivy-junit.xml From 315f0afd4d76321abbbd0ec7073b71531d705343 Mon Sep 17 00:00:00 2001 
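Review bot: The `workflow_run` trigger keys on the display name `"Docker Build and Security Scan"`, so renaming the top-level `name:` in docker_security.yml silently stops this workflow from ever running, with no error surfaced in either file. Add a comment beside the trigger, e.g. `# Must match the top-level name: in .github/workflows/docker_security.yml`, and a matching reminder above that `name:`. A comment on the `permissions:` block stating that this workflow deliberately holds the write-capable token because it runs on `workflow_run`, while the PR-controlled scan stays in the read-only workflow, would also preserve the reasoning from the commit message in the file itself.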
From: Sean Cheah Date: Wed, 4 Mar 2026 15:47:58 -0800 Subject: [PATCH 05/14] Get PR number securely --- .github/workflows/trivy_pr_comment.yml | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/.github/workflows/trivy_pr_comment.yml b/.github/workflows/trivy_pr_comment.yml index 692d16c0b..f35c7e030 100644 --- a/.github/workflows/trivy_pr_comment.yml +++ b/.github/workflows/trivy_pr_comment.yml @@ -24,13 +24,32 @@ jobs: repository: ${{ github.repository }} github-token: ${{ secrets.GITHUB_TOKEN }} + - name: Determine PR number securely + id: get_pr + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + HEAD_SHA="${{ github.event.workflow_run.head_sha }}" + + PR_NUM=$(gh pr list \ + --state open \ + --json number,headRefOid \ + --jq ".[] | select(.headRefOid==\"${HEAD_SHA}\") | .number") + + if [ -z "$PR_NUM" ]; then + echo "No open PR found for head SHA ${HEAD_SHA}" + exit 1 + fi + + echo "PR_NUMBER=$PR_NUM" >> $GITHUB_ENV + - name: Publish Trivy test report uses: ctrf-io/github-test-reporter@v1 with: report-path: trivy-artifacts/trivy-junit.xml summary-report: false failed-report: true - pull-request: true + pull-request: ${{ env.PR_NUMBER }} update-comment: true overwrite-comment: true integrations-config: | From 71bc7c4e1dc349ace4ada5339f8f32d9b0831307 Mon Sep 17 00:00:00 2001 From: Sean Cheah Date: Wed, 4 Mar 2026 15:55:24 -0800 Subject: [PATCH 06/14] Check out PR code --- .github/workflows/trivy_pr_comment.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/trivy_pr_comment.yml b/.github/workflows/trivy_pr_comment.yml index f35c7e030..d587e616d 100644 --- a/.github/workflows/trivy_pr_comment.yml +++ b/.github/workflows/trivy_pr_comment.yml @@ -15,6 +15,9 @@ jobs: if: github.event.workflow_run.event == 'pull_request' runs-on: ubuntu-latest steps: + - name: Check out PR code + uses: actions/checkout@v6 + - name: Download Trivy PR artifacts uses: actions/download-artifact@v4 with: 
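Review bot: `gh pr list` returns at most 30 pull requests by default, so in the `Determine PR number securely` step a PR outside the first page is reported as `No open PR found` and the job fails; pass an explicit limit and reduce to a single match, e.g. add `--limit 200 \` before `--json` and use `--jq "first(.[] | select(.headRefOid==\"${HEAD_SHA}\")) | .number"`, so two open PRs sharing a head commit cannot produce a two-line `PR_NUM` that corrupts the `PR_NUMBER=` entry appended to `$GITHUB_ENV`. `head_sha` is a GitHub-supplied 40-hex value, so interpolating `${{ github.event.workflow_run.head_sha }}` straight into `run:` is low risk, but the conventional hardening is to pass it through `env:` (`HEAD_SHA: ${{ github.event.workflow_run.head_sha }}`) and reference `"$HEAD_SHA"` in the script, keeping expression expansion out of shell code entirely. Quoting `"$GITHUB_ENV"` on the last line is also cheap.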
From b1f3b16ab124b7ac8cafcf3fc9a6667057f2f2a9 Mon Sep 17 00:00:00 2001 From: Sean Cheah Date: Wed, 4 Mar 2026 16:20:59 -0800 Subject: [PATCH 07/14] Just link to Trivy results in PR comment --- .github/workflows/docker_security.yml | 28 +++++++--- .github/workflows/trivy_pr_comment.yml | 74 +++++++++++++------------- 2 files changed, 60 insertions(+), 42 deletions(-) diff --git a/.github/workflows/docker_security.yml b/.github/workflows/docker_security.yml index 7eb2c6c45..9e96ac816 100644 --- a/.github/workflows/docker_security.yml +++ b/.github/workflows/docker_security.yml @@ -59,7 +59,6 @@ jobs: - name: Scan image with Trivy (JUnit) id: trivy-junit - if: github.event_name == 'pull_request' uses: aquasecurity/trivy-action@0.34.2 with: image-ref: vecoli:latest @@ -69,9 +68,26 @@ jobs: vuln-type: os,library ignore-unfixed: true - - name: Upload Trivy JUnit result - if: github.event_name == 'pull_request' - uses: actions/upload-artifact@v4 + - name: Publish Trivy test report (JUnit) + uses: ctrf-io/github-test-reporter@v1 with: - name: trivy-pr-report - path: trivy-junit.xml + report-path: trivy-junit.xml + summary-report: false + failed-report: true + pull-request: false + github-report: false + integrations-config: | + { + "junit-to-ctrf": { + "enabled": true, + "action": "convert", + "options": { + "output": "./ctrf-reports/ctrf-report.json", + "toolname": "junit-to-ctrf", + "useSuiteName": false, + "env": { + "appName": "vEcoli" + } + } + } + } diff --git a/.github/workflows/trivy_pr_comment.yml b/.github/workflows/trivy_pr_comment.yml index d587e616d..2d9531fb0 100644 --- a/.github/workflows/trivy_pr_comment.yml +++ b/.github/workflows/trivy_pr_comment.yml 
@@ -12,21 +12,9 @@ on: jobs: comment: - if: github.event.workflow_run.event == 'pull_request' + if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'pull_request' }} runs-on: ubuntu-latest steps: - - name: Check out PR code - uses: actions/checkout@v6 - - - name: Download Trivy PR artifacts - uses: actions/download-artifact@v4 - with: - run-id: ${{ github.event.workflow_run.id }} - name: trivy-pr-report - path: trivy-artifacts - repository: ${{ github.repository }} - github-token: ${{ secrets.GITHUB_TOKEN }} - - name: Determine PR number securely id: get_pr env: 
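Review bot: The new job-level `if:` only posts a comment when the scan run concluded `success`, so a Trivy step that errors out, or a future `exit-code` gate that fails the scan, leaves the PR with no comment at all, which is precisely the case where a reviewer most needs the link to the run. Consider accepting `failure` as well (`github.event.workflow_run.conclusion != 'cancelled'`) and deriving the comment wording from the conclusion, or record the choice with `# Only comment on successful scans; failed runs surface through the check status instead`. The `Determine PR number securely` step this hunk leads into continues outside the hunk.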
@@ -46,29 +34,43 @@ jobs: echo "PR_NUMBER=$PR_NUM" >> $GITHUB_ENV - - name: Publish Trivy test report - uses: ctrf-io/github-test-reporter@v1 + - name: Comment PR with Trivy summary link + uses: actions/github-script@v8 with: - report-path: trivy-artifacts/trivy-junit.xml - summary-report: false - failed-report: true - pull-request: ${{ env.PR_NUMBER }} - update-comment: true - overwrite-comment: true - integrations-config: | - { - "junit-to-ctrf": { - "enabled": true, - "action": "convert", - "options": { - "output": "./ctrf-reports/ctrf-report.json", - "toolname": "junit-to-ctrf", - "useSuiteName": false, - "env": { - "appName": "vEcoli" - } - } - } + script: | + const issue_number = Number(process.env.PR_NUMBER); + if (!issue_number) { + core.info('No PR number available.'); + return; + } + const header = '## Trivy scan results'; + const runUrl = context.payload.workflow_run.html_url; + const comment = `${header}\n\nThe Trivy vulnerability report is available in the workflow summary:\n${runUrl}`; + const { data: comments } = await github.rest.issues.listComments({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number, + per_page: 100, + }); + const existing = comments.find((c) => { + if (!c.body) return false; + const isBot = c.user && c.user.type === 'Bot'; + return isBot && c.body.startsWith(header); + }); + if (existing) { + await github.rest.issues.updateComment({ + owner: context.repo.owner, + repo: context.repo.repo, + comment_id: existing.id, + body: comment, + }); + } else { + await github.rest.issues.createComment({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number, + body: comment, + }); } env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PR_NUMBER: ${{ env.PR_NUMBER }} From bbceaeb2b66b2018040c63d94241914917486868 Mon Sep 17 00:00:00 2001 From: Sean Cheah Date: Wed, 4 Mar 2026 16:34:59 -0800 Subject: [PATCH 08/14] Checkout repo --- .github/workflows/trivy_pr_comment.yml | 3 +++ 1 file changed, 3 insertions(+) 
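Review bot: `listComments` with `per_page: 100` fetches only the first page, so on a PR with more than 100 comments the existing `## Trivy scan results` comment is never found and a duplicate is created on every run; replace the destructured call with `const comments = await github.paginate(github.rest.issues.listComments, { owner: context.repo.owner, repo: context.repo.repo, issue_number, per_page: 100 });`. The `existing` predicate accepts any `Bot` user whose body starts with the header, so a comment from an unrelated app using that heading would be overwritten; narrowing to `c.user?.login === 'github-actions[bot]'` keeps the update scoped to this workflow's own comment. The `env: PR_NUMBER: ${{ env.PR_NUMBER }}` mapping is redundant, since values written to `$GITHUB_ENV` are already present in `process.env` for later steps, though it is harmless.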
diff --git a/.github/workflows/trivy_pr_comment.yml b/.github/workflows/trivy_pr_comment.yml index 2d9531fb0..cad1bc687 100644 --- a/.github/workflows/trivy_pr_comment.yml +++ b/.github/workflows/trivy_pr_comment.yml @@ -15,6 +15,9 @@ jobs: if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'pull_request' }} runs-on: ubuntu-latest steps: + - name: Check out PR code + uses: actions/checkout@v6 + - name: Determine PR number securely id: get_pr env: From 435f981a9e89736b5413432e1f3964a52a202810 Mon Sep 17 00:00:00 2001 From: Sean Cheah Date: Wed, 4 Mar 2026 22:39:34 -0800 Subject: [PATCH 09/14] Try default JUnit template again --- .github/trivy-junit.tpl | 75 --------------------------- .github/workflows/docker_security.yml | 2 +- 2 files changed, 1 insertion(+), 76 deletions(-) delete mode 100644 .github/trivy-junit.tpl diff --git a/.github/trivy-junit.tpl b/.github/trivy-junit.tpl deleted file mode 100644 index e4313c124..000000000 --- a/.github/trivy-junit.tpl +++ /dev/null 
@@ -1,75 +0,0 @@ - - -{{- range . -}} -{{- $failures := len .Vulnerabilities }} - - {{- if not (eq .Type "") }} - - - - {{- end -}} - {{ range .Vulnerabilities }} - - {{ escapeXML .Description }} - - {{- end }} - - -{{- $target := .Target }} -{{- if .MisconfSummary }} - -{{- else }} - -{{- end }} - {{- if not (eq .Type "") }} - - - - {{- end -}} - {{ range .Misconfigurations }} - - {{- if (eq .Status "FAIL") }} - - {{- $target }}: - {{- with .CauseMetadata }} - {{- .StartLine }} - {{- if lt .StartLine .EndLine }}:{{ .EndLine }}{{ end }}: Occurrences: - {{- range $i := .Occurrences -}} - via {{ .Filename }}: - {{- .Location.StartLine }} - {{- if lt .Location.StartLine .Location.EndLine }}:{{ .Location.EndLine }}{{ end }} ({{ .Resource }}) - {{- end -}} - Code: - {{- range .Code.Lines }} - {{- if .IsCause }}{{ escapeXML .Content }} {{- end }} - {{- end }} - {{- end }} - {{- escapeXML .Description }} - - {{- end }} - - {{- end }} - - -{{- if .Licenses }} - {{- $licenses := len .Licenses }} - {{ range .Licenses }} - - - - {{- end }} - -{{- end }} - -{{- if .Secrets }} - {{- $secrets := len .Secrets }} - {{ range .Secrets }} - - {{ escapeXML .Match }} - - {{- end }} - -{{- end }} - -{{- end }} - diff --git a/.github/workflows/docker_security.yml b/.github/workflows/docker_security.yml index 9e96ac816..71c36b3ac 100644 --- a/.github/workflows/docker_security.yml +++ b/.github/workflows/docker_security.yml @@ -63,7 +63,7 @@ jobs: with: image-ref: vecoli:latest format: template - template: "@.github/trivy-junit.tpl" + template: "@${{ env.HOME }}/.local/bin/trivy-bin/contrib/junit.tpl" output: trivy-junit.xml vuln-type: os,library ignore-unfixed: true From 73623ecdefd3ba9f74f41247821cd7fcc5cee1ef Mon Sep 17 00:00:00 2001 From: Sean Cheah Date: Wed, 4 Mar 2026 22:56:43 -0800 Subject: [PATCH 10/14] Pin to 0.34.0 to fix template path bug --- .github/workflows/docker_security.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/docker_security.yml b/.github/workflows/docker_security.yml index 71c36b3ac..a9c936a4f 100644 --- a/.github/workflows/docker_security.yml +++ b/.github/workflows/docker_security.yml @@ -59,11 +59,12 @@ jobs: - name: Scan image with Trivy (JUnit) id: trivy-junit - uses: aquasecurity/trivy-action@0.34.2 + # Pinned to avoid template path bug in >0.34.0: https://github.com/aquasecurity/trivy-action/issues/509 + uses: aquasecurity/trivy-action@0.34.0 with: image-ref: vecoli:latest format: template - template: "@${{ env.HOME }}/.local/bin/trivy-bin/contrib/junit.tpl" + template: "@$HOME/.local/bin/trivy-bin/contrib/junit.tpl" output: trivy-junit.xml vuln-type: os,library ignore-unfixed: true From d4d0e5d8bec6bcdc8a0ad8b70864344a6fc87695 Mon Sep 17 00:00:00 2001 From: Sean Cheah Date: Wed, 4 Mar 2026 23:24:45 -0800 Subject: [PATCH 11/14] Hardcode runner HOME for now --- .github/workflows/docker_security.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/docker_security.yml b/.github/workflows/docker_security.yml index a9c936a4f..f2bee7a4f 100644 --- a/.github/workflows/docker_security.yml +++ b/.github/workflows/docker_security.yml @@ -59,12 +59,13 @@ jobs: - name: Scan image with Trivy (JUnit) id: trivy-junit - # Pinned to avoid template path bug in >0.34.0: https://github.com/aquasecurity/trivy-action/issues/509 - uses: aquasecurity/trivy-action@0.34.0 + # Can use $HOME instead of hardcoding once bug is fixed + # https://github.com/aquasecurity/trivy-action/issues/509 + uses: aquasecurity/trivy-action@0.34.2 with: image-ref: vecoli:latest format: template - template: "@$HOME/.local/bin/trivy-bin/contrib/junit.tpl" + template: "@/home/runner/.local/bin/trivy-bin/contrib/junit.tpl" output: trivy-junit.xml vuln-type: os,library ignore-unfixed: true From 64d1d69508776ba960ee2c0daa03dd5a9ef7ee84 Mon Sep 17 00:00:00 2001 
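Review bot: The template path `@/home/runner/.local/bin/trivy-bin/contrib/junit.tpl` hard-codes both the GitHub-hosted runner's home directory and the action's internal install layout, neither of which is a documented interface, so a self-hosted runner or a change in how the action unpacks Trivy breaks the JUnit scan with an opaque file-not-found error. Extend the existing comment to state the assumption, e.g. `# Assumes a GitHub-hosted ubuntu runner (HOME=/home/runner) and trivy-action's unpack layout`, and consider a preceding step that fails loudly with `test -f /home/runner/.local/bin/trivy-bin/contrib/junit.tpl` so the failure mode is explicit. Pinning `uses:` to a commit SHA rather than the `0.34.2` tag would also keep the layout the path depends on from changing underneath it.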
From: Sean Cheah Date: Fri, 6 Mar 2026 17:00:07 -0800 Subject: [PATCH 12/14] Remove checkout step --- .github/workflows/trivy_pr_comment.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/trivy_pr_comment.yml b/.github/workflows/trivy_pr_comment.yml index cad1bc687..04069100d 100644 --- a/.github/workflows/trivy_pr_comment.yml +++ b/.github/workflows/trivy_pr_comment.yml @@ -1,7 +1,6 @@ name: Trivy PR Comment permissions: - contents: read actions: read pull-requests: write @@ -15,13 +14,11 @@ jobs: if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'pull_request' }} runs-on: ubuntu-latest steps: - - name: Check out PR code - uses: actions/checkout@v6 - - name: Determine PR number securely id: get_pr env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_REPO: ${{ github.repository }} run: | HEAD_SHA="${{ github.event.workflow_run.head_sha }}" From d76393d6f893991310e75e7c8fcf57f29eab0bd0 Mon Sep 17 00:00:00 2001 From: Sean Cheah Date: Fri, 6 Mar 2026 17:05:53 -0800 Subject: [PATCH 13/14] Install and scan all extra deps for PRs --- .github/workflows/docker_security.yml | 1 + runscripts/container/Dockerfile | 15 +++++++++++++-- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker_security.yml b/.github/workflows/docker_security.yml index f2bee7a4f..370016a5f 100644 --- a/.github/workflows/docker_security.yml +++ b/.github/workflows/docker_security.yml @@ -36,6 +36,7 @@ jobs: file: runscripts/container/Dockerfile load: true tags: vecoli:latest + build-args: INSTALL_EXTRAS=1 cache-from: type=gha cache-to: type=gha,mode=max diff --git a/runscripts/container/Dockerfile b/runscripts/container/Dockerfile index 515b3c565..489867137 100644 --- a/runscripts/container/Dockerfile +++ b/runscripts/container/Dockerfile 
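Review bot: `actions: read` remains in the `permissions:` block even though the artifact download that needed it was removed in PATCH 07; the remaining steps call `gh pr list` and the issues comment API, which `pull-requests: write` should cover, and `workflow_run.html_url` comes from the event payload rather than the Actions API. Unless something outside this hunk still reads the Actions API, drop it so the write-capable `workflow_run` token carries the minimum scope, leaving `permissions:` with only `pull-requests: write`; if `gh pr list` turns out to need `contents: read` after this patch removes it, that is the one scope to add back. Setting `GH_REPO` is the right replacement for the removed checkout, since `gh` no longer has a git remote to infer the repository from, and a short comment saying so would explain why the variable appears.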
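Review bot: `build-args: INSTALL_EXTRAS=1` is added to the build step unconditionally, while the commit title scopes the extras scan to PRs; unless the build or scan steps are gated elsewhere (outside this hunk), the SARIF uploaded to code scanning on non-PR events now describes an image with every optional dependency group installed, which may not be the image that is actually shipped. If that is intended, a comment such as `# Scan with all extras installed so optional dependencies are covered; shipped images may omit them` makes the reported findings interpretable; if not, gate it with `build-args: INSTALL_EXTRAS=${{ github.event_name == 'pull_request' && '1' || '' }}`.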
@@ -32,11 +32,18 @@ ENV UV_CACHE_DIR=/root/.cache/uv # Silence warning about cache and sync targets being on different filesystems ENV UV_LINK_MODE=copy +# When set to a non-empty value, install all optional dependency groups. +ARG INSTALL_EXTRAS="" + # Install the dependencies only to leverage Docker layer caching RUN --mount=type=cache,target=/root/.cache/uv \ --mount=type=bind,source=uv.lock,target=uv.lock \ --mount=type=bind,source=pyproject.toml,target=pyproject.toml \ - uv sync --frozen --no-install-project + if [ -n "$INSTALL_EXTRAS" ]; then \ + uv sync --frozen --no-install-project --all-extras; \ + else \ + uv sync --frozen --no-install-project; \ + fi # Activate the virtual environment ENV PATH="/vEcoli/.venv/bin:$PATH" @@ -56,7 +63,11 @@ ADD . /vEcoli # Install the project RUN --mount=type=cache,target=/root/.cache/uv \ - uv sync --frozen + if [ -n "$INSTALL_EXTRAS" ]; then \ + uv sync --frozen --all-extras; \ + else \ + uv sync --frozen; \ + fi # Record Docker Image metadata in ENV variables, viewable by `docker inspect` # and accessible to programs in the container. From 61d3606a71aaac32534b48cd5833ab4b3acc0e37 Mon Sep 17 00:00:00 2001 From: Sean Cheah Date: Fri, 6 Mar 2026 17:11:09 -0800 Subject: [PATCH 14/14] Warning to check Trivy report before merging PRs --- .github/workflows/trivy_pr_comment.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/trivy_pr_comment.yml b/.github/workflows/trivy_pr_comment.yml index 04069100d..5ef3faa58 100644 --- a/.github/workflows/trivy_pr_comment.yml +++ b/.github/workflows/trivy_pr_comment.yml 
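Review bot: The two `if [ -n "$INSTALL_EXTRAS" ]` branches duplicate the full `uv sync` command and differ only by `--all-extras`; POSIX conditional expansion says the same thing in one line each, `uv sync --frozen --no-install-project ${INSTALL_EXTRAS:+--all-extras}` in the first RUN and `uv sync --frozen ${INSTALL_EXTRAS:+--all-extras}` in the second hunk of this file, which also keeps the two RUNs from drifting apart. Note that an `ARG` is only in scope until the end of the build stage that declares it; both RUNs appear to be in the same stage as far as these hunks show, but if a `FROM` sits between them the second `$INSTALL_EXTRAS` silently expands to empty and the extras are missing from the final image, so a one-line `ARG INSTALL_EXTRAS` redeclaration after that `FROM` would be required.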
@@ -45,7 +45,7 @@ jobs: } const header = '## Trivy scan results'; const runUrl = context.payload.workflow_run.html_url; - const comment = `${header}\n\nThe Trivy vulnerability report is available in the workflow summary:\n${runUrl}`; + const comment = `${header}\n\n:warning: **Please review the Trivy vulnerability report before merging.**\n\nThe full report is available in the workflow summary:\n${runUrl}`; const { data: comments } = await github.rest.issues.listComments({ owner: context.repo.owner, repo: context.repo.repo,