From 578f35a3346bf0df9ae27e17b92ad8c095b1d98b Mon Sep 17 00:00:00 2001 From: zircote Date: Thu, 2 Jul 2026 18:50:11 -0400 Subject: [PATCH] fix(reusable-trivy): authenticate the image pull against GHCR The image job's `permissions: packages: read` grants the job's GITHUB_TOKEN read access to packages, but that alone doesn't authenticate the underlying docker/trivy pull - a registry client still needs an explicit login. Confirmed with a real failure on mif-rs's first push-triggered Pipeline run: trivy failed with "unable to find the specified image ... UNAUTHORIZED: authentication required" trying to pull a private GHCR image this same workflow run had just pushed. This was dormant everywhere else in the org: the image job only runs when a caller passes image-ref, which in turn only happens on a non-PR push with a real container to scan - mif-rs is the first repo where that path has actually executed against a real image. Adds a docker/login-action step against ghcr.io using the job's own GITHUB_TOKEN before the trivy scan, matching the registry every caller of this reusable actually publishes to (per this file's own usage comment). --- .github/workflows/reusable-trivy.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/.github/workflows/reusable-trivy.yml b/.github/workflows/reusable-trivy.yml index c654c0a..3423ff4 100644 --- a/.github/workflows/reusable-trivy.yml +++ b/.github/workflows/reusable-trivy.yml 
@@ -158,6 +158,20 @@ jobs: actions: read packages: read steps: + # image-ref is a ghcr.io reference by digest (see the usage comment at + # the top of this file). `permissions: packages: read` alone does not + # authenticate the docker/trivy pull for a private package - confirmed + # by a real failure (unauthorized pulling a same-run-pushed private + # GHCR image) before this step existed. Every caller of this reusable + # publishes to ghcr.io, so logging in here (not conditionally, not + # registry-parsed from image-ref) covers every real usage. + - name: Log in to GHCR for the image pull + uses: docker/login-action@c99871dec2022cc055c062a10cc1a1310835ceb4 # v4.3.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Trivy image vulnerability scan uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 with:
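Review bot: the new login step closes the authentication gap but the hunk comment overstates what it covers: `packages: read` plus `docker/login-action` only lets the job's GITHUB_TOKEN present itself to ghcr.io, while read access to a private package is still decided by the package's own access settings. GHCR grants that access automatically for images pushed with GITHUB_TOKEN from the same repository (the mif-rs case described in the message), but an image pushed with a PAT or from a different repository will still fail with UNAUTHORIZED after this login. Separately, because a reusable job cannot request more than the caller's `permissions:` block grants, a caller that sets a restrictive `permissions:` without `packages: read` hits the same failure regardless of this step. Suggest extending the usage comment at the top of the file to state both preconditions (caller grants `packages: read`; the package is linked to the calling repository), and trimming the in-hunk comment to "logging in here is required" rather than "covers every real usage".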