
fix(reusable-trivy): authenticate the image pull against GHCR #45

Merged: zircote merged 1 commit into main from fix/reusable-trivy-ghcr-auth on Jul 3, 2026

Conversation

@zircote (Contributor) commented Jul 2, 2026

Summary

The image job in reusable-trivy.yml declares packages: read permission but never actually authenticates the underlying docker/trivy pull against ghcr.io. That permission grants the job's GITHUB_TOKEN read access to packages; it doesn't log a registry client in.

This was dormant across the org: the image job only runs when a caller passes image-ref, which in turn only happens on a non-PR push with a real container to scan. mif-rs is the first repo where that path actually executed against a real, just-pushed image, and it failed with:

FATAL ... unable to find the specified image "ghcr.io/modeled-information-format/mif-rs/mif-cli@sha256:..." ...
remote error: GET https://ghcr.io/token?... UNAUTHORIZED: authentication required

Confirmed independently that this isn't a token-scope illusion: an unauthenticated docker pull of the same image also 401s.

Fix

Adds a docker/login-action step against ghcr.io using the job's own GITHUB_TOKEN, before the Trivy scan step. Every caller of this reusable publishes to ghcr.io (per this file's own usage comment at the top), so this isn't registry-parsed or conditional.

Test plan

  • actionlint clean
  • YAML validated
  • Verified against a real run once merged (will re-trigger mif-rs's gate-image job on its next push to confirm)

The image job's `permissions: packages: read` grants the job's
GITHUB_TOKEN read access to packages, but that alone doesn't
authenticate the underlying docker/trivy pull - a registry client
still needs an explicit login. Confirmed with a real failure on
mif-rs's first push-triggered Pipeline run: trivy failed with
"unable to find the specified image ... UNAUTHORIZED: authentication
required" trying to pull a private GHCR image this same workflow run
had just pushed.

This was dormant everywhere else in the org: the image job only runs
when a caller passes image-ref, which in turn only happens on a
non-PR push with a real container to scan - mif-rs is the first repo
where that path has actually executed against a real image.

Adds a docker/login-action step against ghcr.io using the job's own
GITHUB_TOKEN before the trivy scan, matching the registry every
caller of this reusable actually publishes to (per this file's own
usage comment).
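The shape of the fix described above, as an added example that is not the project's own reusable-trivy.yml: a minimal `workflow_call` workflow whose `image` job takes an `image-ref` input, is scoped to `packages: read`, and logs the runner's Docker client into ghcr.io with `docker/login-action` before `trivy-action` pulls the image. The job and input names match the PR text, but the action version pins, the `if` guard and the Trivy scan options are assumptions chosen for illustration.

```yaml
# Added example (not the project's reusable-trivy.yml). Assumed: job name "image",
# input "image-ref", action pins, and the scan options on the Trivy step.
name: reusable-trivy

on:
  workflow_call:
    inputs:
      image-ref:
        description: "Image to scan, e.g. ghcr.io/<org>/<repo>/<name>@sha256:<digest>"
        required: false
        type: string

jobs:
  image:
    # Only runs when a caller passes image-ref (the path that stayed dormant).
    if: inputs.image-ref != ''
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Scopes the job's GITHUB_TOKEN to read packages. This alone does NOT
      # log any registry client in; without the login step below, trivy's
      # pull of a private GHCR image fails with
      # "UNAUTHORIZED: authentication required".
      packages: read
    steps:
      # The fix: authenticate the Docker client against ghcr.io using the
      # job's own GITHUB_TOKEN. docker/login-action writes the credential to
      # ~/.docker/config.json, which trivy reads when it pulls the image.
      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Trivy image scan
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ inputs.image-ref }}
          format: table
          exit-code: "1"
          severity: CRITICAL,HIGH
```

Two caveats when wiring this up from a caller: a called workflow can only narrow the `GITHUB_TOKEN` permissions it receives, so the caller's job (or workflow) must grant at least `packages: read` as well, otherwise the login succeeds but the pull still returns 401; and `GITHUB_TOKEN` is passed to reusable workflows implicitly, so no `secrets: inherit` is needed for this step. The token only reaches packages the calling repository is entitled to, which covers the same-repo, just-pushed image case this PR hit.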
Copilot AI review requested due to automatic review settings July 2, 2026 22:50

Copilot AI (Contributor) left a comment

Pull request overview

Updates the shared Trivy reusable workflow to correctly authenticate against GitHub Container Registry (GHCR) before attempting to scan a private image by digest, ensuring packages: read permission is actually exercised via a registry login.

Changes:

  • Added a docker/login-action step to log into ghcr.io using the job’s GITHUB_TOKEN before the Trivy image scan.
  • Documented (in-line) why authentication is required for private GHCR pulls even when packages: read is set.


@zircote zircote merged commit 0c79dc1 into main Jul 3, 2026
8 checks passed