From 5cc84d76f23088239412457177fe9b4f1de06776 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio
Date: Tue, 17 Mar 2026 11:11:27 +0200
Subject: [PATCH] fix: set GH_TOKEN in build workflow and ignore Trivy DS-0002
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The build workflow fails because `gh release download` requires GH_TOKEN to be set in GitHub Actions, even for public repos. The security scan fails on DS-0002 (missing non-root USER in Dockerfiles) which is a false positive — these are microVM rootfs images where isolation comes from the VM boundary, not user namespaces.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/build.yml | 2 ++
 .trivyignore | 4 ++++
 2 files changed, 6 insertions(+)
 create mode 100644 .trivyignore

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0596e6e..1e1cdf4 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -37,6 +37,8 @@ jobs:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 
 - name: Build
+ env:
+ GH_TOKEN: ${{ github.token }}
 run: task build
 
 - name: Build init
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..7df3fdf
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,4 @@
+# DS-0002: "Specify at least 1 USER command in Dockerfile with non-root user"
+# Our Dockerfiles in images/ are microVM rootfs images, not traditional containers.
+# Isolation comes from the VM boundary (libkrun), not Linux user namespaces.
+DS-0002
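Review bot: The added `GH_TOKEN: ${{ github.token }}` on the Build step has no comment saying why it is there, so the next maintainer tidying the workflow has no reason not to drop it and reintroduce the failure described in the commit message; a one-liner above it would fix that: `# `gh release download` in `task build` needs GH_TOKEN even for public repos`. The context line two lines above spells the same token as `${{ secrets.GITHUB_TOKEN }}`, so the hunk now mixes two spellings for one value — pick one form for readability. The token handed to `task build` carries whatever the job's `permissions:` block grants, which is outside this hunk; worth confirming it is limited to `contents: read`, since a download does not need more. The step list of the enclosing job continues outside the hunk.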
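Review bot: The bare `DS-0002` on the last line of .trivyignore suppresses the non-root USER check for every Dockerfile Trivy ever scans in this repository, while the rationale in the comments only covers the microVM rootfs images under `images/`; a conventional container Dockerfile added later would inherit the exemption silently. Trivy's YAML ignore format lets an ID be ignored only for listed `paths`, so scoping the entry to `images/` would keep the check active elsewhere — noting that limitation in the comment (`# NOTE: applies repo-wide; narrow to images/ if non-microVM Dockerfiles are added`) is the minimum if the plain-text format is kept. Tying the exemption to the libkrun boundary also means the justification should be revisited if any of these images are ever run as plain containers.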