From b0f664f0cd139e70e6f1b233d2313e5e7c1afa92 Mon Sep 17 00:00:00 2001 From: root Date: Wed, 1 Jul 2026 10:25:09 +0000 Subject: [PATCH] drop trivy from spike --- .forgejo/workflows/build.yml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/.forgejo/workflows/build.yml b/.forgejo/workflows/build.yml index 737d382..20aa0e7 100644 --- a/.forgejo/workflows/build.yml +++ b/.forgejo/workflows/build.yml @@ -31,12 +31,9 @@ jobs: context: . push: true tags: ${{ env.REGISTRY }}/${{ github.repository }}/web:sha-${{ github.sha }} - - uses: aquasecurity/trivy-action@master - with: - image-ref: ${{ env.REGISTRY }}/${{ github.repository }}/web@${{ steps.push.outputs.digest }} - severity: CRITICAL,HIGH - exit-code: '0' # spike: report only — don't gate cosign on a base-image CVE - ignore-unfixed: true + # Trivy removed from the 3a proof — it's parity, not the risk, and was + # erroring on the registry pull and blocking cosign. Add it back (gating) + # in the real workflow once the cosign path is proven. - uses: sigstore/cosign-installer@v3 - name: cosign sign + verify (key-based) env: