From f39a97d712185fc18c2db78ad523c5cfa04f5022 Mon Sep 17 00:00:00 2001
From: zircote
Date: Tue, 30 Jun 2026 10:28:25 -0400
Subject: [PATCH] ci(trivy): adopt centralized accepted-license policy

Bump reusable-trivy.yml to the merged SHA so this repo inherits the org accepted-license allowlist (modeled-information-format/.github#27) and remove the now-redundant per-repo trivy.yaml superseded by the central policy.
---
 .github/workflows/quality-gates.yml | 2 +-
 .github/workflows/release.yml | 2 +-
 trivy.yaml | 8 --------
 3 files changed, 2 insertions(+), 10 deletions(-)
 delete mode 100644 trivy.yaml
diff --git a/.github/workflows/quality-gates.yml b/.github/workflows/quality-gates.yml
index aa74bf6..e15b237 100644
--- a/.github/workflows/quality-gates.yml
+++ b/.github/workflows/quality-gates.yml
@@ -63,7 +63,7 @@ jobs:
       actions: read
       packages: read
     uses: >-
-      modeled-information-format/.github/.github/workflows/reusable-trivy.yml@5c856f8118976bfd3bb64a8911f69dc9b00b4cad
+      modeled-information-format/.github/.github/workflows/reusable-trivy.yml@bf1c8e219de5b134c82d51c1b66507cd86e2d711
     with:
       scan-iac: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 801373b..98d4916 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -149,7 +149,7 @@ jobs:
     needs: [meta]
     permissions: { contents: read, security-events: write, actions: read, packages: read }
     uses: >-
-      modeled-information-format/.github/.github/workflows/reusable-trivy.yml@5c856f8118976bfd3bb64a8911f69dc9b00b4cad
+      modeled-information-format/.github/.github/workflows/reusable-trivy.yml@bf1c8e219de5b134c82d51c1b66507cd86e2d711
     with: { scan-iac: true }
   gate-shellcheck:
     needs: [meta]
diff --git a/trivy.yaml b/trivy.yaml
deleted file mode 100644
index 481a3a9..0000000
--- a/trivy.yaml
+++ /dev/null
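Review bot: Deleting trivy.yaml alongside this `uses:` pin bump (and the identical bump in release.yml) drops the `scan.skip-dirs` exclusion of `**/node_modules` and `**/.venv`, which an accepted-license allowlist does not obviously replace. Unless reusable-trivy.yml at `bf1c8e21…` itself skips vendored trees or passes `--skip-dirs`, the filesystem scan will now walk plugin node_modules/.venv and the misconfig and license findings will change, which the description does not address. Either confirm the central workflow excludes those paths, or keep a minimal trivy.yaml holding only the `scan.skip-dirs` block until it does. The `trivy` job that owns this `uses:` key starts before the hunk, so its other inputs are not visible here.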
@@ -1,8 +0,0 @@
-# Trivy configuration — auto-loaded from the repo root by the Trivy CLI. Governs
-# the filesystem scan run by the `trivy` job in quality-gates.yml (misconfig +
-# license). Plugin source trees that vendor dependencies (e.g. an MCP server's
-# node_modules) are dependency noise covered by the SCA/OSV gate, so skip them.
-scan:
-  skip-dirs:
-    - "**/node_modules"
-    - "**/.venv"