
ci(trivy): adopt centralized accepted-license policy#10

Merged
zircote merged 1 commit into main from ci/trivy-central-license on Jun 30, 2026

Conversation

@zircote zircote commented Jun 30, 2026


Summary

Adopt the centralized Trivy accepted-license policy from reusable-trivy.yml.

The reusable now writes the org accepted-license allowlist to $RUNNER_TEMP/trivy.yaml and passes it via trivy-config, so the license scanner stops surfacing every transitive dependency license as its own code-scanning alert. This bumps the reusable-trivy.yml pin to the merged SHA so this repo inherits that policy.

The per-repo trivy.yaml is removed because the central policy supersedes it (it folds the same skip-dirs and the accepted-license list into one source of truth). trivy --config replaces, rather than merges with, an auto-loaded repo config, so keeping a local one would just shadow the central policy.

CVE gating via OSV-Scanner is unchanged; GPL/AGPL and forbidden licenses remain flagged.

Part of modeled-information-format/.github#27

Bump reusable-trivy.yml to the merged SHA so this repo inherits the org
accepted-license allowlist (modeled-information-format/.github#27) and remove the
now-redundant per-repo trivy.yaml superseded by the central policy.
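As an added illustration (not from this PR, and not the contents of the reusable-trivy.yml workflow, which this page does not show), here is a hypothetical centralized trivy.yaml of the kind the description refers to: one file that folds the skip-dirs and an accepted-license list into a single source of truth. The directory names and license identifiers are placeholders chosen for the example; the org's real allowlist is not on this page.

```yaml
# Hypothetical centralized trivy.yaml (example only; not the org's real file).
# The reusable workflow is described as writing a file like this to
# $RUNNER_TEMP/trivy.yaml and passing it via trivy-config. `trivy --config`
# replaces an auto-loaded ./trivy.yaml instead of merging with it, which is
# why the per-repo copy has to go rather than coexist with this one.
scan:
  scanners:
    - license
  skip-dirs:
    - node_modules   # placeholder: paths the old per-repo config skipped
    - .venv          # placeholder

license:
  full: false        # classify from package metadata, not a full-file scan
  # Org-accepted licenses (placeholder list). Findings with these identifiers
  # are suppressed, so each transitive dependency on a permissive license no
  # longer becomes its own code-scanning alert.
  ignored:
    - MIT
    - Apache-2.0
    - BSD-3-Clause
  # No forbidden/restricted override here: Trivy's default categories keep
  # GPL/AGPL and forbidden licenses flagged, matching the gating described above.
```

The point of keeping everything in this one file is that a repo-level trivy.yaml would otherwise silently win (or silently lose) depending on whether --config is passed, so a practitioner checking a repo after this change should confirm that no trivy.yaml remains at the repository root and that the workflow's trivy-config input points at the centrally written file.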

Copilot AI left a comment


Pull request overview

This PR updates the repository’s Trivy gate to use a centralized, organization-managed accepted-license policy provided by the reusable-trivy.yml workflow, and removes the now-redundant per-repo Trivy config to avoid shadowing the centralized policy.

Changes:

  • Remove the repository-root trivy.yaml config that was previously auto-loaded by Trivy.
  • Update the SHA pin for modeled-information-format/.github’s reusable-trivy.yml in both release and quality gate workflows to inherit the centralized policy.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

  • trivy.yaml: Removes local Trivy config so the centralized policy provided by the reusable workflow is the single source of truth.
  • .github/workflows/release.yml: Bumps the pinned reusable Trivy workflow SHA used during release gating.
  • .github/workflows/quality-gates.yml: Bumps the pinned reusable Trivy workflow SHA used for the main CI quality gates.


@zircote zircote merged commit 37d930d into main Jun 30, 2026
23 checks passed
@zircote zircote deleted the ci/trivy-central-license branch June 30, 2026 14:39