From 317218e40d21db9c3a923ff1f731be40dd44b298 Mon Sep 17 00:00:00 2001
From: Danny Grove
Date: Tue, 24 Mar 2026 14:03:27 -0700
Subject: [PATCH] Only exit 1 on critical vulns
---
 .github/workflows/pr-validate.yml | 4 ++--
 .github/workflows/release.yml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/pr-validate.yml b/.github/workflows/pr-validate.yml
index 6c34abd..2ad3c35 100644
--- a/.github/workflows/pr-validate.yml
+++ b/.github/workflows/pr-validate.yml
@@ -48,8 +48,8 @@ jobs:
 image-ref: trust-pkg-stagex:pr-${{ github.event.pull_request.number }}
 format: sarif
 output: trivy-results.sarif
- severity: CRITICAL,HIGH
- exit-code: "0"
+ severity: CRITICAL
+ exit-code: "1"
 - name: Upload SARIF to GitHub Security
 if: always()
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 70cee89..a7a6a2f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -118,8 +118,8 @@ jobs:
 image-ref: ${{ needs.build.outputs.image }}@${{ needs.build.outputs.digest }}
 format: sarif
 output: trivy-results.sarif
- severity: CRITICAL,HIGH
- exit-code: "0"
+ severity: CRITICAL
+ exit-code: "1"
 - name: Upload SARIF to GitHub Security
 if: always()
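Review bot: With `format: sarif`, the new `severity: CRITICAL` may not scope the `exit-code: "1"` gate the way the subject line intends. trivy-action builds SARIF reports with all severities unless `limit-severities-for-sarif: true` is set, and depending on the pinned action version that can also widen what trips the exit code. The `uses:` line and the start of the `with:` block are outside the hunk, so confirm whether that input is already set. If it is not, either add `limit-severities-for-sarif: true` (which also drops HIGH findings from the uploaded report), or keep this step report-only with `exit-code: "0"` and add a second non-SARIF scan step that gates on CRITICAL. The same applies to the identical hunk in `.github/workflows/release.yml`; there the scanned `image@digest` comes from the `build` job, so also check that a failed scan blocks whatever publishes or promotes that image.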