
chore: applly image scan #27

Merged: muhammad-tahir-nawaz merged 1 commit into main from ci/reapply-image-scan on Jun 16, 2026

@muhammad-tahir-nawaz

Contributor

Summary

Why

QA Report

  • No QA report required

Integration Tests

  • No integration tests required

Added

Edited

Dependencies

@muhammad-tahir-nawaz muhammad-tahir-nawaz self-assigned this Jun 16, 2026
@muhammad-tahir-nawaz muhammad-tahir-nawaz merged commit 1c718c2 into main Jun 16, 2026
3 checks passed
@muhammad-tahir-nawaz muhammad-tahir-nawaz deleted the ci/reapply-image-scan branch June 16, 2026 04:57
@greptile-apps

greptile-apps Bot commented Jun 16, 2026


Greptile Summary

This PR removes the optional env_artifact_name input and the corresponding "Download .env artifact" step from the shared trivy-go-tests.yaml reusable workflow, effectively preventing callers from supplying runtime environment variables to Go tests via a pre-uploaded artifact.

  • Removed input: env_artifact_name — a string input that allowed callers to name a previously-uploaded artifact containing a .env file, which would be downloaded into the working directory before Go tests ran.
  • Removed step: "Download .env artifact" — the conditional step that consumed that input; it only ran when run_go_tests was true and the input was non-empty, so callers that never used it are unaffected.

Confidence Score: 3/5

The change removes a shared workflow capability that callers in other repositories may still rely on; merging without verifying downstream consumers risks silently broken Go test runs.

The deleted step was the only mechanism for callers to inject runtime environment variables (e.g. AUTH0_*) into Go tests. Because env_artifact_name was optional with a default of '', GitHub Actions will not surface an error if a caller still passes it — the input is simply ignored and tests proceed without the expected env file. Any repo that currently uses this feature will see test failures with no clear signal at the workflow-call site. The change is safe only if no caller in the organisation currently passes env_artifact_name, which should be confirmed before merging.

.github/workflows/trivy-go-tests.yaml — verify no org-wide caller passes env_artifact_name before this is merged.

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/trivy-go-tests.yaml | Removes the optional env_artifact_name input and the corresponding "Download .env artifact" step, which breaks any caller that passes this input to supply runtime environment variables for Go tests. |

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant Caller as Caller Workflow
    participant W as trivy-go-tests.yaml
    participant Trivy as Trivy Action
    participant Go as Go Toolchain

    Caller->>W: workflow_call (run_go_tests, working_directory, test_path)
    W->>W: Checkout Code
    W->>Go: Set up env / go mod download / go mod tidy (if run_go_tests)
    W->>Trivy: Run Trivy vulnerability scanner (fs scan)
    Note over W: REMOVED: Download .env artifact step
    Note over W: REMOVED: env_artifact_name input
    W->>Go: go test (if run_go_tests) — env vars no longer pre-loaded

Comments Outside Diff (1)

  1. .github/workflows/trivy-go-tests.yaml, line 72-75

    P1 Breaking removal of .env artifact download for callers

    The env_artifact_name input and the "Download .env artifact" step have been removed from this shared reusable workflow. Any repository in the org that currently calls this workflow and passes env_artifact_name (to provide runtime env vars such as AUTH0_*) will now run Go tests without those variables — causing test failures with no obvious error at the workflow-call site (GitHub Actions silently ignores unrecognised inputs). Before merging, confirm that no caller in the organisation currently depends on this input; if any do, they will need to be migrated to an alternative env-loading strategy first.

Reviews (1): Last reviewed commit: "chore: applly image scan"
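
The review above asks for confirmation that no caller still passes env_artifact_name to trivy-go-tests.yaml. One way to run that check is sketched below as an added example; it is not code from this PR or repository. It assumes the organisation's repositories are checked out side by side under one directory and that callers use block-style YAML; `stale_jobs`, `audit` and the `example-org/ci` path in the sample are hypothetical names.

```python
import re
from pathlib import Path

REUSABLE = "trivy-go-tests.yaml"     # shared workflow named in the review
REMOVED_INPUT = "env_artifact_name"  # input the PR removed
USES_RE = re.compile(r"uses:\s*['\"]?[^\s'\"#]*" + re.escape(REUSABLE))
INPUT_RE = re.compile(re.escape(REMOVED_INPUT) + r"\s*:")
# Constructed sample caller; the org/repo path and artifact name are placeholders.
SAMPLE = ("jobs:\n  scan:\n    uses: example-org/ci/.github/workflows/"
          "trivy-go-tests.yaml@main\n    with:\n      env_artifact_name: test-env\n")

def stale_jobs(workflow_text):
    """Names of jobs that call REUSABLE and still pass REMOVED_INPUT under with:."""
    jobs = {}                       # job name -> [calls_reusable, passes_input]
    in_jobs, job_indent, current, with_indent = False, None, None, None
    for raw in workflow_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:             # top-level key: are we entering jobs:?
            in_jobs, job_indent, current = stripped.startswith("jobs:"), None, None
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = indent     # first key under jobs: fixes the job indent
        if indent == job_indent:    # a new job starts here
            current, with_indent = stripped.split(":", 1)[0], None
            jobs[current] = [False, False]
            continue
        if with_indent is not None and indent <= with_indent:
            with_indent = None      # left the with: block
        if stripped.startswith("with:"):
            with_indent = indent
        elif USES_RE.match(stripped):   # job-level uses: (step entries start with "- ")
            jobs[current][0] = True
        elif with_indent is not None and INPUT_RE.match(stripped):
            jobs[current][1] = True
    return [name for name, (calls, passes) in jobs.items() if calls and passes]

def audit(checkout_root):
    """Scan <root>/<repo>/.github/workflows/*.yml and *.yaml; return (file, job) hits."""
    hits = []
    for wf in sorted(Path(checkout_root).glob("*/.github/workflows/*.y*ml")):
        hits += [(wf.relative_to(checkout_root).as_posix(), job)
                 for job in stale_jobs(wf.read_text(encoding="utf-8"))]
    return hits
```

An empty list from `audit` means no checked-out caller passes the removed input; each hit names the workflow file and job to migrate.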
