
fix: set GH_TOKEN in build workflow and ignore Trivy DS-0002#30

Merged
JAORMX merged 1 commit into main from fix/ci-build-and-security-scan
Mar 17, 2026

Conversation


JAORMX (Contributor) commented Mar 17, 2026

Summary

  • Build workflow: task build calls gh release download to fetch go-microvm runtime/firmware artifacts. The gh CLI refuses to run in GitHub Actions without GH_TOKEN set — even for public repos. Added GH_TOKEN: ${{ github.token }} to the Build step.
  • Security scan: Trivy flags DS-0002 (missing non-root USER in Dockerfiles) on all images. These are microVM rootfs images, not traditional containers — isolation comes from the VM boundary (libkrun), not Linux user namespaces. Added .trivyignore to suppress this false positive.

Test plan

  • Verify Main build workflow passes (fetch-runtime/fetch-firmware no longer fail)
  • Verify Security Scan workflow passes (DS-0002 suppressed)
  • Verify Trivy still catches real CRITICAL/HIGH findings (only DS-0002 is ignored)

🤖 Generated with Claude Code

The build workflow fails because `gh release download` requires
GH_TOKEN to be set in GitHub Actions, even for public repos.

The security scan fails on DS-0002 (missing non-root USER in
Dockerfiles) which is a false positive — these are microVM rootfs
images where isolation comes from the VM boundary, not user namespaces.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
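The third test-plan item above (Trivy must still catch real CRITICAL/HIGH findings when only DS-0002 is ignored) can be checked mechanically against a Trivy JSON report. The following is an added example, not code from this PR or the project; it assumes the layout of Trivy's `--format json` output (a `Results` list with per-target `Misconfigurations` carrying `ID`, `AVDID` and `Severity`) and uses a constructed report and ignore list rather than real scan output.

```python
import json

# Constructed .trivyignore, in the one-ID-per-line format Trivy reads.
TRIVYIGNORE = """\
# DS-0002 (non-root USER): microVM rootfs images, isolation is the VM boundary
DS-0002
"""

# Constructed sample report shaped like Trivy's JSON output (field names are an
# assumption). DS-9001/DS-9002 are placeholder IDs, not real Trivy checks.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "images/runtime/Dockerfile", "Misconfigurations": [
        {"ID": "DS-0002", "AVDID": "AVD-DS-0002", "Severity": "HIGH"}]},
    {"Target": "images/agent/Dockerfile", "Misconfigurations": [
        {"ID": "DS-0002", "AVDID": "AVD-DS-0002", "Severity": "HIGH"},
        {"ID": "DS-9001", "AVDID": "AVD-DS-9001", "Severity": "HIGH"},
        {"ID": "DS-9002", "AVDID": "AVD-DS-9002", "Severity": "LOW"}]},
]})

def load_ignored_ids(text):
    """Parse a .trivyignore: one ID per line; '#' comments and blanks skipped."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line)
    return ids

def apply_ignores(report_json, ignored_ids, fail_on=("CRITICAL", "HIGH")):
    """Return (remaining, suppressed): findings at fail_on severity that survive
    the ignore list, and the IDs the ignore list actually removed."""
    remaining, suppressed = [], set()
    for result in json.loads(report_json).get("Results", []):
        for m in result.get("Misconfigurations", []):
            if m["ID"] in ignored_ids or m.get("AVDID") in ignored_ids:
                suppressed.add(m["ID"])
            elif m["Severity"] in fail_on:
                remaining.append((result["Target"], m["ID"], m["Severity"]))
    return remaining, suppressed

def ignore_list_is_minimal(suppressed, allowed=frozenset({"DS-0002"})):
    """True only if nothing beyond the intended DS-0002 was suppressed."""
    return suppressed <= allowed

if __name__ == "__main__":
    rem, sup = apply_ignores(SAMPLE_REPORT, load_ignored_ids(TRIVYIGNORE))
    print("suppressed:", sorted(sup), "minimal:", ignore_list_is_minimal(sup))
    for target, cid, sev in rem:
        print(f"{sev} {cid} in {target} still fails the scan")
```

Run the same logic against a real `trivy ... --format json` report taken without the ignore file to confirm that the suppression set is exactly `{"DS-0002"}` and that every other CRITICAL/HIGH finding still fails the job.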
JAORMX enabled auto-merge (squash) March 17, 2026 09:12
JAORMX requested review from jhrozek and rdimitrov March 17, 2026 09:12
JAORMX merged commit aa54120 into main Mar 17, 2026
3 checks passed
JAORMX deleted the fix/ci-build-and-security-scan branch March 17, 2026 09:13