Revert "ci: add trivy image scanning prior to release image push"

[muhammad-tahir-nawaz]

Reverts #22

[github-actions]

Trivy Scan Results

Vulnerabilities Found

Report Summary

┌────────┬──────┬─────────────────┬─────────┐
│ Target │ Type │ Vulnerabilities │ Secrets │
├────────┼──────┼─────────────────┼─────────┤
│   -    │  -   │        -        │    -    │
└────────┴──────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

[greptile-apps]

Greptile Summary

This PR reverts the Trivy image-scanning step added in #22 from the deployment pipeline, and separately adds PR-comment reporting for Trivy filesystem scan results and Go test results in trivy-go-tests.yaml.

• deployment.yaml: Collapses the previous build-locally → scan-image → push sequence back into a single build-and-push step, removing the image-layer vulnerability gate before images reach the registry.
• trivy-go-tests.yaml: Adds pull-requests: write permission and two new steps that post Trivy scan and Go test results as PR comments; however, Go tests are run twice (doubling CI time and risking inconsistent results), and the PR-comment steps will error when the workflow is invoked via workflow_call without an underlying pull request event.

Confidence Score: 2/5

Merging removes the only image-level vulnerability gate from the deployment pipeline and introduces two correctness bugs in the PR-reporting workflow.

The deployment workflow now pushes Docker images directly to the GCP registry and deploys them without any image-layer vulnerability scan; the only remaining Trivy check is a source-filesystem scan on PRs, which does not cover the built image. Additionally, the Go test step in trivy-go-tests.yaml runs the full test suite twice — once to collect comment output and once to check for failures — which is both wasteful and opens a window for flaky-test inconsistency. The PR-comment steps will also hard-fail whenever the workflow is invoked via workflow_call without a pull-request event context.

deployment.yaml needs the most attention due to the removal of the image scan gate; trivy-go-tests.yaml needs review of the dual test-run logic and the unconditional PR-comment step.

Important Files Changed

Filename	Overview
.github/workflows/deployment.yaml	Reverts Trivy image scan gate — images now push directly to the registry without vulnerability scanning before deployment
.github/workflows/trivy-go-tests.yaml	Adds PR commenting for Trivy and Go test results, but Go tests are executed twice and the PR-comment step will fail when triggered via workflow_call without a PR context

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Push to branch] --> B[deployment.yaml]
    B --> C[Authenticate GCP]
    C --> D[Configure Docker]
    D --> E[Download .env artifact]
    E --> F["Build AND Push image\n(push: true)"]
    F --> G{deploy_type?}
    G -->|gke| H[GKE rollout restart]
    G -->|cloudrun-service| I[Cloud Run deploy]
    G -->|cloudrun-job| J[Cloud Run job update]

    PR[Pull Request] --> K[trivy-go-tests.yaml]
    K --> L[Trivy FS scan]
    L --> M["Comment scan results on PR\n(if: always)"]
    M --> N{run_go_tests?}
    N -->|true| O["go test run 1\n(for PR comment)"]
    O --> P["go test run 2\n(for failure check)"]
    P --> Q{failures?}
    Q -->|yes| R[exit 1]
    Q -->|no| S[Pass]

    style F fill:#f96,stroke:#c00
    style O fill:#fa0,stroke:#c80
    style P fill:#fa0,stroke:#c80

Loading

_{Reviews (1): Last reviewed commit: "Revert "Merge pull request #22 from wana..." | Re-trigger Greptile}

[greptile-apps]

Go tests are run twice in this step — once to generate output for the PR comment and again to check for failures. This doubles CI time, and if a flaky test changes result between the two runs, the comment and the failure gate can disagree. The first run's exit status is also masked by the pipe, so a compilation failure or panic would still let the comment post before the second run catches the issue.

Suggested change

	# Run Go tests and check for failures in real-time
	go test -v ${{ inputs.test_path }} | grep -E '^(--- PASS|--- FAIL)' | sed -E 's/^(--- PASS: )(.*)/\|\2\|Pass\|/; s/^(--- FAIL: )(.*)/\|\2\|Fail\|/' >> comment_go_tests.md
	# Post test results to PR
	gh pr comment ${{ github.event.pull_request.number }} --body-file comment_go_tests.md
	# Check for failed tests and exit if any test fails
	if go test -v ${{ inputs.test_path }} | grep -q '^--- FAIL'; then
	echo "There are failed tests. Failing the job."
	exit 1
	fi
	# Run Go tests once, capture output, and check for failures
	set -o pipefail
	go test -v ${{ inputs.test_path }} | tee /tmp/go-test-output.txt; TEST_EXIT=${PIPESTATUS[0]}
	grep -E '^(--- PASS|--- FAIL)' /tmp/go-test-output.txt | \
	sed -E 's/^(--- PASS: )(.*)/\|\2\|Pass\|/; s/^(--- FAIL: )(.*)/\|\2\|Fail\|/' >> comment_go_tests.md
	# Post test results to PR
	gh pr comment ${{ github.event.pull_request.number }} --body-file comment_go_tests.md
	# Fail the job if tests failed
	if [ "$TEST_EXIT" -ne 0 ]; then
	echo "There are failed tests. Failing the job."
	exit 1
	fi

[greptile-apps]

PR comment step fails on workflow_call without a PR context

When this workflow is invoked via workflow_call from a caller that was not triggered by a pull_request event (e.g., a push-triggered deployment workflow), github.event.pull_request.number evaluates to an empty string. The gh pr comment "" --body-file ... call will then fail with a usage error. Because the step has if: always(), it runs unconditionally — meaning any non-PR invocation will produce a failed step here.

[greptile-apps]

Image pushed to registry without vulnerability scanning

This revert collapses the previous three-step sequence (build locally → scan with Trivy → push) into a single build-and-push step. As a result, Docker images are now pushed to the GCP registry and immediately deployed to GKE / Cloud Run without any image-layer vulnerability gate. The filesystem scan in trivy-go-tests.yaml runs against source files on pull requests, but it does not cover the final built image and does not run in this deployment pipeline. Any critical or high CVE introduced into a base image or installed dependency layer would reach production undetected.

[Copilot]

Pull request overview

This PR reverts the previous change that introduced Trivy image scanning in the deployment pipeline before pushing images, restoring a direct build-and-push flow. It also introduces new PR-commenting behavior in the Trivy/Go test workflow (including elevated PR write permissions), which appears outside the stated revert scope.

Changes:

• Remove Trivy image vulnerability scanning from the deployment workflow and switch back to building + pushing the image directly.
• Add PR commenting steps for Trivy FS scan output and Go unit test results in the trivy-go-tests workflow.
• Grant pull-requests: write permission to support PR commenting.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
.github/workflows/trivy-go-tests.yaml	Adds PR-commenting steps for Trivy and Go tests; introduces pull-requests: write permission.
.github/workflows/deployment.yaml	Removes Trivy image scanning and simplifies to build-and-push via docker/build-push-action.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.