ci: fix lint permissions + add Trivy image scan + pip cache#42
Conversation
Updated CI workflow to improve p- Drop contents:write from lint job (was over-privileged for auto-commit) - Switch to ruff format --check (no auto-push) to keep CI read-only - Add cache: pip to both lint and test setup-python steps - Add retention-days: 7 to coverage artifact - Scope docker job permissions explicitly (packages:write, security-events:write) - Add Trivy SARIF image scan after docker push, upload to GitHub Security - Add provenance + sbom attestations to build-pushermissions and steps.
Qodo reviews are paused for this user.Troubleshooting steps vary by plan Learn more → On a Teams plan? Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center? |
|
Note Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported. |
Not up to standards ⛔🔴 Issues
|
| Category | Results |
|---|---|
| Security | 4 high |
NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.
![amazon-q-developer[bot]](https://avatars.githubusercontent.com/in/1220912?s=60&v=4){kind=small}
There was a problem hiding this comment.
This PR improves CI security by removing over-privileged write permissions and adding Trivy image scanning. However, there are critical issues that block merge:
Critical Issues Requiring Fix:
- Security Risk: Trivy action uses
@masterinstead of a pinned version, allowing arbitrary code execution - Logic Errors: Multiple Docker actions downgraded (v4→v3, v6→v5) while others upgraded, creating version inconsistencies and losing security patches
These downgrades contradict the PR's security improvement goals and must be corrected before merge.
You can now have the agent implement changes and create commits directly on your pull request's source branch. Simply comment with /q followed by your request in natural language to ask the agent to make changes.
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v4 | ||
| uses: docker/setup-buildx-action@v3 |
There was a problem hiding this comment.
🛑 Logic Error: Downgrading from v4 to v3 loses security patches and features from the newer version. This appears to be an unintended regression, especially since other actions are being upgraded (build-push-action v5→v6).
Restore to v4 or provide justification for the downgrade.
| uses: docker/setup-buildx-action@v3 | |
| uses: docker/setup-buildx-action@v4 |
|
|
||
| - name: Log in to GHCR | ||
| uses: docker/login-action@v4 | ||
| uses: docker/login-action@v3 |
There was a problem hiding this comment.
🛑 Logic Error: Downgrading from v4 to v3 loses security patches and features. This regression contradicts the PR's goal of improving security.
Restore to v4 to maintain current security posture.
| uses: docker/login-action@v3 | |
| uses: docker/login-action@v4 |
| - name: Extract metadata | ||
| id: meta | ||
| uses: docker/metadata-action@v6 | ||
| uses: docker/metadata-action@v5 |
There was a problem hiding this comment.
🛑 Logic Error: Downgrading from v6 to v5 loses recent security patches and improvements while simultaneously upgrading build-push-action to v6. This version inconsistency creates an incoherent dependency state.
Restore to v6 for consistent versioning and security fixes.
| uses: docker/metadata-action@v5 | |
| uses: docker/metadata-action@v6 |
| sbom: true | ||
|
|
||
| - name: Trivy image scan | ||
| uses: aquasecurity/trivy-action@master |
There was a problem hiding this comment.
🛑 Security Vulnerability: Using @master creates a critical security and stability risk. The workflow will pull unverified code on every run, potentially introducing breaking changes, malicious code, or untested features.
Pin to a specific SHA or version tag for security and reproducibility.
| uses: aquasecurity/trivy-action@master | |
| uses: aquasecurity/trivy-action@0.28.0 |
There was a problem hiding this comment.
Pull request overview
Updates the CI workflow to reduce token privileges, improve dependency caching, and add container security scanning/reporting as part of the release pipeline.
Changes:
- Make lint formatting read-only by switching to
ruff format --checkand removing auto-commit/push behavior. - Add
pipcaching to lint and test jobs, and set coverage artifact retention to 7 days. - Harden and extend the Docker publish job by scoping permissions and adding Trivy SARIF scanning plus SBOM/provenance generation.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| permissions: | ||
| contents: read |
| - name: Trivy image scan | ||
| uses: aquasecurity/trivy-action@master | ||
| with: |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 5218b16a66
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| - name: Trivy image scan | ||
| uses: aquasecurity/trivy-action@master | ||
| with: | ||
| image-ref: ghcr.io/${{ github.repository }}:latest |
There was a problem hiding this comment.
When two pushes to main are processed concurrently, another run can retag latest between this job's build/push and this scan. The SARIF upload is then attached to the current commit while describing a different image, so alerts can be missed or misattributed; scan steps.build.outputs.digest or the SHA tag instead of the mutable latest tag.
Useful? React with 👍 / 👎.
| permissions: | ||
| contents: read | ||
| packages: write | ||
|
|
||
| security-events: write |
There was a problem hiding this comment.
When this workflow runs in a private/internal repository, the Upload Trivy results step can fail because github/codeql-action/upload-sarif requires actions: read in addition to security-events: write; GitHub's SARIF upload docs mark that permission as "only required for workflows in private repositories". Since this job-level permissions block sets unspecified scopes to none, add actions: read here.
Useful? React with 👍 / 👎.
Updated CI workflow to improve p- Drop contents:write from lint job (was over-privileged for auto-commit)