Merged
56 changes: 32 additions & 24 deletions .github/workflows/ci.yml
@@ -9,17 +9,15 @@
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true

permissions:
contents: read

jobs:
lint:
name: Lint (ruff)
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.head_ref }}
token: ${{ secrets.GITHUB_TOKEN }}

- uses: actions/setup-python@v5
with:
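Review bot: With the auto-format push gone, the lint job's `actions/checkout@v4` still writes the `GITHUB_TOKEN` into `.git/config` (the action's `persist-credentials` default is `true`), so add `persist-credentials: false` under its `with:` now that nothing in the job needs git credentials. Dropping `contents: write` together with `ref: ${{ github.head_ref }}` and the explicit `token:` is correct: the only consumer was the commit-and-push step, and the new workflow-level `permissions: contents: read` now gives every job that does not override it a read-only token.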
@@ -31,18 +29,13 @@
- name: Lint with ruff
run: ruff check . --output-format=github

- name: Format with ruff
run: |
ruff format .
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
git config user.name "github-actions[bot]"
git diff --quiet || git commit -am "style: auto-format with ruff" && git push
- name: Format check with ruff
run: ruff format --check .

test:
name: Test (pytest + PostgreSQL)
runs-on: ubuntu-latest
needs: lint

services:
postgres:
image: postgres:16-alpine
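Review bot: `ruff format --check .` fails the job but prints only the names of the files it would reformat; use `ruff format --check --diff .` so the log shows the exact change a contributor has to make, since the auto-commit that used to apply it for them is gone. Removing that `git diff --quiet || git commit -am "style: auto-format with ruff" && git push` step is the right call beyond the permission drop: it wrote to the branch with `GITHUB_TOKEN`, and pushes made with that token do not start a new workflow run, so the reformatted commit was never itself tested. While here, pin the service image by digest (`image: postgres:16-alpine@sha256:<digest>`) for the same immutability reason the Codacy checks give for actions; the `16-alpine` tag is re-pointed on every Postgres or Alpine patch release.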
@@ -57,13 +50,12 @@
--health-retries 5
ports:
- 5432:5432

env:
DATABASE_URL: postgresql://testuser:testpass@localhost:5432/testdb
SECRET_KEY: test-secret

steps:
- uses: actions/checkout@v4

- uses: actions/setup-python@v5
with:
python-version: "3.12"
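Review bot: `DATABASE_URL` and `SECRET_KEY: test-secret` are set in the job-level `env:`, so they are exported into every step, including `actions/checkout` and `actions/setup-python`; move them to a step-level `env:` on the migration and pytest steps, the way `FLASK_APP` already is, so third-party actions never receive application configuration. The literal credentials themselves are acceptable here because the service container is ephemeral and only this runner can reach `localhost:5432`.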
@@ -75,57 +67,73 @@
pip install -r requirements.txt

- name: Run migrations
run: |
flask db upgrade
run: flask db upgrade
env:
FLASK_APP: "app:create_app()"

- name: Run pytest
run: |
pytest --cov=app --cov-report=xml --cov-fail-under=85 -v
run: pytest --cov=app --cov-report=xml --cov-fail-under=85 -v

- name: Upload coverage
uses: actions/upload-artifact@v4
with:
name: coverage-report
path: coverage.xml
retention-days: 7

docker:
name: Build & Push Docker Image
runs-on: ubuntu-latest
needs: test
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
permissions:
contents: read
packages: write

security-events: write
Comment on lines 88 to +91

P2: Grant actions read for SARIF uploads

When this workflow runs in a private/internal repository, the Upload Trivy results step can fail because github/codeql-action/upload-sarif requires actions: read in addition to security-events: write; GitHub's SARIF upload docs mark that permission as "only required for workflows in private repositories". Since this job-level permissions block sets unspecified scopes to none, add actions: read here.

if: github.event_name == 'push' && github.ref == 'refs/heads/main'
steps:
- uses: actions/checkout@v4

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v4
uses: docker/setup-buildx-action@v3

Check warning on line 97 in .github/workflows/ci.yml (Codacy Production / Codacy Static Code Analysis): An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.

🛑 Logic Error: Downgrading from v4 to v3 loses security patches and features from the newer version. This appears to be an unintended regression, especially since other actions are being upgraded (build-push-action v5→v6).

Restore to v4 or provide justification for the downgrade.

Suggested change
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@v4

- name: Log in to GHCR
uses: docker/login-action@v4
uses: docker/login-action@v3

Check warning on line 100 in .github/workflows/ci.yml (Codacy Production / Codacy Static Code Analysis): An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.

🛑 Logic Error: Downgrading from v4 to v3 loses security patches and features. This regression contradicts the PR's goal of improving security.

Restore to v4 to maintain current security posture.

Suggested change
uses: docker/login-action@v3
uses: docker/login-action@v4

with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Extract metadata
id: meta
uses: docker/metadata-action@v6
uses: docker/metadata-action@v5

Check warning on line 108 in .github/workflows/ci.yml (Codacy Production / Codacy Static Code Analysis): An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.

🛑 Logic Error: Downgrading from v6 to v5 loses recent security patches and improvements while simultaneously upgrading build-push-action to v6. This version inconsistency creates an incoherent dependency state.

Restore to v6 for consistent versioning and security fixes.

Suggested change
uses: docker/metadata-action@v5
uses: docker/metadata-action@v6

with:
images: ghcr.io/${{ github.repository }}
tags: |
type=sha,prefix=sha-
type=raw,value=latest

- name: Build and push
uses: docker/build-push-action@v5
id: build
uses: docker/build-push-action@v6
with:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
cache-from: type=gha
cache-to: type=gha,mode=max
provenance: true
sbom: true

- name: Trivy image scan
uses: aquasecurity/trivy-action@master

Check warning on line 128 in .github/workflows/ci.yml (Codacy Production / Codacy Static Code Analysis): An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.

🛑 Security Vulnerability: Using @master creates a critical security and stability risk. The workflow will pull unverified code on every run, potentially introducing breaking changes, malicious code, or untested features.

Pin to a specific SHA or version tag for security and reproducibility.

Suggested change
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@0.28.0

with:
image-ref: ghcr.io/${{ github.repository }}:latest

Comment on lines +127 to +129

P2: Scan the pushed digest instead of latest

When two pushes to main are processed concurrently, another run can retag latest between this job's build/push and this scan. The SARIF upload is then attached to the current commit while describing a different image, so alerts can be missed or misattributed; scan steps.build.outputs.digest or the SHA tag instead of the mutable latest tag.

format: sarif
output: trivy.sarif
severity: HIGH,CRITICAL
exit-code: '0'

- name: Upload Trivy results
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: trivy.sarif
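Review bot: The image is pushed to GHCR and tagged `latest` (`push: true` with `type=raw,value=latest`) before the Trivy scan runs, and `exit-code: '0'` means the scan can never block anything, so an image with HIGH/CRITICAL findings is already published as `latest` by the time the SARIF reaches code scanning. Split the build: a first `docker/build-push-action` step with `push: false` and `load: true`, then Trivy on the loaded image with `exit-code: '1'`, then a second `build-push-action` step with `push: true` (the `type=gha` cache makes it a cache hit, and `provenance: true` and `sbom: true` belong on that push step, since the `docker` exporter behind `load` does not support attestations). If the single push step stays, at least scan by digest, `image-ref: ghcr.io/${{ github.repository }}@${{ steps.build.outputs.digest }}`, which the new `id: build` already makes available, and set `exit-code: '1'` so a finding is at least a visible job failure. The downgrades (`setup-buildx-action` v4→v3, `login-action` v4→v3, `metadata-action` v6→v5) and `trivy-action@master` are called out above; resolving them with full-length commit SHA pins would also clear the four Codacy warnings on this hunk.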