diff --git a/.forgejo/workflows/build.yml b/.forgejo/workflows/build.yml index 737d382..20aa0e7 100644 --- a/.forgejo/workflows/build.yml +++ b/.forgejo/workflows/build.yml @@ -31,12 +31,9 @@ jobs: context: . push: true tags: ${{ env.REGISTRY }}/${{ github.repository }}/web:sha-${{ github.sha }} - - uses: aquasecurity/trivy-action@master - with: - image-ref: ${{ env.REGISTRY }}/${{ github.repository }}/web@${{ steps.push.outputs.digest }} - severity: CRITICAL,HIGH - exit-code: '0' # spike: report only — don't gate cosign on a base-image CVE - ignore-unfixed: true + # Trivy removed from the 3a proof — it's parity, not the risk, and was + # erroring on the registry pull and blocking cosign. Add it back (gating) + # in the real workflow once the cosign path is proven. - uses: sigstore/cosign-installer@v3 - name: cosign sign + verify (key-based) env: