From c225cbf05c54065e041362a9b2c158cca2214d8f Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 27 Apr 2026 12:55:01 +0000 Subject: [PATCH] fix: make Trivy workflow resilient to Docker build failures Agent-Logs-Url: https://github.com/idvoretskyi/dev/sessions/207c0d3b-b9bf-4e7d-82ee-ce65ecdb1de6 Co-authored-by: idvoretskyi <118459+idvoretskyi@users.noreply.github.com> --- .github/workflows/security.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index e2d9f11..7f66bad 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -25,12 +25,15 @@ jobs: persist-credentials: false - name: Build Docker image for scanning + id: build + continue-on-error: true run: | IMAGE_NAME="dev-template:${{ github.sha }}" docker build -t "$IMAGE_NAME" .devcontainer/ echo "IMAGE_NAME=$IMAGE_NAME" >> $GITHUB_ENV - name: Run Trivy vulnerability scanner + if: steps.build.outcome == 'success' uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 with: image-ref: '${{ env.IMAGE_NAME }}' @@ -40,13 +43,14 @@ jobs: exit-code: '0' - name: Upload Trivy scan results to GitHub Security tab + if: steps.build.outcome == 'success' uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 - if: always() with: sarif_file: 'trivy-results.sarif' category: 'security-analysis/trivy-image' - name: Generate SBOM + if: steps.build.outcome == 'success' uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0 with: image: '${{ env.IMAGE_NAME }}' @@ -54,6 +58,7 @@ jobs: output-file: 'sbom.spdx.json' - name: Upload SBOM as artifact + if: steps.build.outcome == 'success' uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: sbom-${{ github.sha }}