Merged
20 changes: 2 additions & 18 deletions .github/workflows/deployment.yaml
@@ -132,34 +132,18 @@ jobs:
name: env-file
path: ${{ inputs.docker_context }}

- name: Build Docker image
- name: Build and push Docker image
if: ${{ inputs.deploy_type != 'release-only' }}
id: build
uses: docker/build-push-action@v4
with:
context: ${{ inputs.docker_context }}
file: ${{ inputs.docker_context }}/${{ inputs.dockerfile_path }}
push: false
load: true
push: true
tags: ${{ secrets.GCP_REGISTRY }}/${{ secrets.GCP_PROJECT }}/${{ inputs.image_path }}:latest
build-args: |
GH_ACCESS_TOKEN=${{ secrets.GH_ACCESS_TOKEN }}
Comment on lines +135 to 145

P1 Image pushed to registry without vulnerability scanning

This revert collapses the previous three-step sequence (build locally → scan with Trivy → push) into a single build-and-push step. As a result, Docker images are now pushed to the GCP registry and immediately deployed to GKE / Cloud Run without any image-layer vulnerability gate. The filesystem scan in trivy-go-tests.yaml runs against source files on pull requests, but it does not cover the final built image and does not run in this deployment pipeline. Any critical or high CVE introduced into a base image or installed dependency layer would reach production undetected.


- name: Run Trivy vulnerability scanner on image
if: ${{ inputs.deploy_type != 'release-only' }}
uses: aquasecurity/trivy-action@0.35.0
with:
scan-type: 'image'
image-ref: ${{ secrets.GCP_REGISTRY }}/${{ secrets.GCP_PROJECT }}/${{ inputs.image_path }}:latest
ignore-unfixed: true
format: 'table'
severity: 'CRITICAL,HIGH'
exit-code: '1'

- name: Push Docker image
if: ${{ inputs.deploy_type != 'release-only' }}
run: docker push ${{ secrets.GCP_REGISTRY }}/${{ secrets.GCP_PROJECT }}/${{ inputs.image_path }}:latest

# --- GKE deploy ---
- name: Get GKE Credentials
if: ${{ inputs.deploy_type == 'gke' }}
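Review bot: the `build-args: GH_ACCESS_TOKEN=${{ secrets.GH_ACCESS_TOKEN }}` line retained in this hunk now feeds a secret into an image that `push: true` sends straight to the registry. Build args are recorded in the image layer history (`docker history` shows the value for any `RUN` instruction that consumes the `ARG`) unless a multi-stage build discards the stage that uses it, so anyone who can pull the `:latest` tag may be able to read the token. docker/build-push-action@v4 has a `secrets:` input that passes the value through BuildKit's `--mount=type=secret` and leaves nothing in the pushed image; switching to it is preferable to the build-arg. Separately, since the `load: true` / Trivy scan / `docker push` sequence is deleted here, publishing a `${{ github.sha }}` tag alongside `:latest` would at least make the deployed image pinnable and traceable after the fact.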
39 changes: 37 additions & 2 deletions .github/workflows/trivy-go-tests.yaml
@@ -30,6 +30,7 @@ on:

permissions:
contents: read
pull-requests: write

jobs:
trivy-scan-and-test:
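Review bot: `pull-requests: write` is what the new `gh pr comment` steps need, but this is a reusable workflow (invoked via `workflow_call`, per the `on:` section this hunk touches and the `inputs.*` references below), and a called workflow's `GITHUB_TOKEN` can never exceed the permissions the caller grants. Every caller will therefore also have to declare `pull-requests: write`, otherwise the comment steps fail with a 403 despite this line; the requirement should be documented next to the workflow's inputs. Granting the permission at the `trivy-scan-and-test` job level rather than for the whole workflow would also keep it minimal if further jobs are added later.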
@@ -69,7 +70,41 @@ jobs:
severity: 'CRITICAL,HIGH,MEDIUM,LOW'
exit-code: '1'

- name: Run Go Unit Tests
- name: Comment Trivy Results on the Pull Request
if: always()
run: |
echo '### Trivy Scan Results' > comment_trivy.md
if [ -s trivy-results.txt ]; then
echo '#### Vulnerabilities Found' >> comment_trivy.md
echo '```' >> comment_trivy.md
cat trivy-results.txt >> comment_trivy.md
echo '```' >> comment_trivy.md
else
echo '#### No vulnerabilities found :white_check_mark:' >> comment_trivy.md
fi

gh pr comment ${{ github.event.pull_request.number }} --body-file comment_trivy.md
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Comment on lines +73 to +88

P1 PR comment step fails on workflow_call without a PR context

When this workflow is invoked via workflow_call from a caller that was not triggered by a pull_request event (e.g., a push-triggered deployment workflow), github.event.pull_request.number evaluates to an empty string. The gh pr comment "" --body-file ... call will then fail with a usage error. Because the step has if: always(), it runs unconditionally — meaning any non-PR invocation will produce a failed step here.


- name: Run Go Unit Tests and Comment Results
if: ${{ inputs.run_go_tests }}
working-directory: ${{ inputs.working_directory }}
run: go test -v ${{ inputs.test_path }}
run: |
echo '### Go Unit Test Results' > comment_go_tests.md
echo '| Test Name | Status |' >> comment_go_tests.md
echo '| --------- | ------ |' >> comment_go_tests.md

# Run Go tests and check for failures in real-time
go test -v ${{ inputs.test_path }} | grep -E '^(--- PASS|--- FAIL)' | sed -E 's/^(--- PASS: )(.*)/\|\2\|Pass\|/; s/^(--- FAIL: )(.*)/\|\2\|Fail\|/' >> comment_go_tests.md

# Post test results to PR
gh pr comment ${{ github.event.pull_request.number }} --body-file comment_go_tests.md

# Check for failed tests and exit if any test fails
if go test -v ${{ inputs.test_path }} | grep -q '^--- FAIL'; then
echo "There are failed tests. Failing the job."
exit 1
fi
Comment on lines +98 to +108

P1 Go tests are run twice in this step — once to generate output for the PR comment and again to check for failures. This doubles CI time, and if a flaky test changes result between the two runs, the comment and the failure gate can disagree. The first run's exit status is also masked by the pipe, so a compilation failure or panic would still let the comment post before the second run catches the issue.

Suggested change
# Run Go tests and check for failures in real-time
go test -v ${{ inputs.test_path }} | grep -E '^(--- PASS|--- FAIL)' | sed -E 's/^(--- PASS: )(.*)/\|\2\|Pass\|/; s/^(--- FAIL: )(.*)/\|\2\|Fail\|/' >> comment_go_tests.md
# Post test results to PR
gh pr comment ${{ github.event.pull_request.number }} --body-file comment_go_tests.md
# Check for failed tests and exit if any test fails
if go test -v ${{ inputs.test_path }} | grep -q '^--- FAIL'; then
echo "There are failed tests. Failing the job."
exit 1
fi
# Run Go tests once, capture output, and check for failures
set -o pipefail
go test -v ${{ inputs.test_path }} | tee /tmp/go-test-output.txt; TEST_EXIT=${PIPESTATUS[0]}
grep -E '^(--- PASS|--- FAIL)' /tmp/go-test-output.txt | \
sed -E 's/^(--- PASS: )(.*)/\|\2\|Pass\|/; s/^(--- FAIL: )(.*)/\|\2\|Fail\|/' >> comment_go_tests.md
# Post test results to PR
gh pr comment ${{ github.event.pull_request.number }} --body-file comment_go_tests.md
# Fail the job if tests failed
if [ "$TEST_EXIT" -ne 0 ]; then
echo "There are failed tests. Failing the job."
exit 1
fi

env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
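Review bot: both new `gh pr comment` steps will fail when the pull request comes from a fork, because on `pull_request` events from forks the `GITHUB_TOKEN` is read-only regardless of the `pull-requests: write` grant. The Trivy comment step runs under `if: always()` and so turns every fork PR red, and the Go step (guarded only by `if: ${{ inputs.run_go_tests }}`) has the same exposure plus the empty `github.event.pull_request.number` problem already raised for the Trivy step above. Condition both steps on `github.event_name == 'pull_request'` and on the head repository matching `github.repository`, or set `continue-on-error: true` on them, so a failed comment does not mask the real scan or test result. Also, `if [ -s trivy-results.txt ]` assumes the scanner step writes that file (its `output:` setting is not in this hunk, please confirm); if the file is absent because the scan itself errored, the comment reports "No vulnerabilities found" while the Trivy step, with `exit-code: '1'`, has failed, which is a misleading signal to post on the PR.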