ci: fix lint permissions + add Trivy image scan + pip cache

[donny-devops]

Updated CI workflow to improve p- Drop contents:write from lint job (was over-privileged for auto-commit)

• Switch to ruff format --check (no auto-push) to keep CI read-only
• Add cache: pip to both lint and test setup-python steps
• Add retention-days: 7 to coverage artifact
• Scope docker job permissions explicitly (packages:write, security-events:write)
• Add Trivy SARIF image scan after docker push, upload to GitHub Security
• Add provenance + sbom attestations to build-pushermissions and steps.

[qodo-code-review]

Qodo reviews are paused for this user.

Troubleshooting steps vary by plan Learn more →

On a Teams plan?
Reviews resume once this user has a paid seat and their Git account is linked in Qodo.
Link Git account →

Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center?
These require an Enterprise plan - Contact us
Contact us →

[gemini-code-assist]

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

[codacy-production]

Not up to standards ⛔

🔴 Issues 4 high

Alerts:
⚠ 4 issues (≤ 0 issues of at least minor severity)

Results:
4 new issues

Category	Results
Security	4 high

View in Codacy

_{NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.}

[amazon-q-developer]

This PR improves CI security by removing over-privileged write permissions and adding Trivy image scanning. However, there are critical issues that block merge:

Critical Issues Requiring Fix:

• Security Risk: Trivy action uses @master instead of a pinned version, allowing arbitrary code execution
• Logic Errors: Multiple Docker actions downgraded (v4→v3, v6→v5) while others upgraded, creating version inconsistencies and losing security patches

These downgrades contradict the PR's security improvement goals and must be corrected before merge.

---

You can now have the agent implement changes and create commits directly on your pull request's source branch. Simply comment with /q followed by your request in natural language to ask the agent to make changes.

[amazon-q-developer]

🛑 Logic Error: Downgrading from v4 to v3 loses security patches and features from the newer version. This appears to be an unintended regression, especially since other actions are being upgraded (build-push-action v5→v6).

Restore to v4 or provide justification for the downgrade.

Suggested change

	uses: docker/setup-buildx-action@v3
	uses: docker/setup-buildx-action@v4

[amazon-q-developer]

🛑 Logic Error: Downgrading from v4 to v3 loses security patches and features. This regression contradicts the PR's goal of improving security.

Restore to v4 to maintain current security posture.

Suggested change

	uses: docker/login-action@v3
	uses: docker/login-action@v4

[amazon-q-developer]

🛑 Logic Error: Downgrading from v6 to v5 loses recent security patches and improvements while simultaneously upgrading build-push-action to v6. This version inconsistency creates an incoherent dependency state.

Restore to v6 for consistent versioning and security fixes.

Suggested change

	uses: docker/metadata-action@v5
	uses: docker/metadata-action@v6

[amazon-q-developer]

🛑 Security Vulnerability: Using @master creates a critical security and stability risk. The workflow will pull unverified code on every run, potentially introducing breaking changes, malicious code, or untested features.

Pin to a specific SHA or version tag for security and reproducibility.

Suggested change

	uses: aquasecurity/trivy-action@master
	uses: aquasecurity/trivy-action@0.28.0

[Copilot]

Pull request overview

Updates the CI workflow to reduce token privileges, improve dependency caching, and add container security scanning/reporting as part of the release pipeline.

Changes:

• Make lint formatting read-only by switching to ruff format --check and removing auto-commit/push behavior.
• Add pip caching to lint and test jobs, and set coverage artifact retention to 7 days.
• Harden and extend the Docker publish job by scoping permissions and adding Trivy SARIF scanning plus SBOM/provenance generation.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5218b16a66

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Scan the pushed digest instead of latest

When two pushes to main are processed concurrently, another run can retag latest between this job's build/push and this scan. The SARIF upload is then attached to the current commit while describing a different image, so alerts can be missed or misattributed; scan steps.build.outputs.digest or the SHA tag instead of the mutable latest tag.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Grant actions read for SARIF uploads

When this workflow runs in a private/internal repository, the Upload Trivy results step can fail because github/codeql-action/upload-sarif requires actions: read in addition to security-events: write; GitHub's SARIF upload docs mark that permission as "only required for workflows in private repositories". Since this job-level permissions block sets unspecified scopes to none, add actions: read here.

Useful? React with 👍 / 👎.