Skip to content

fix(ci): pin Trivy platform when scanning release digests#191

Merged
sunib merged 2 commits into
mainfrom
fix/trivy-release-scan-platform
Jul 3, 2026
Merged

fix(ci): pin Trivy platform when scanning release digests#191
sunib merged 2 commits into
mainfrom
fix/trivy-release-scan-platform

Conversation

@sunib

@sunib sunib commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Problem

The first main run of the plan-PR-1 pipeline (#190) exposed a 100%, release-blocking failure: Scan release image (arm64) fails with

FATAL  ... no child with platform linux/amd64 in index ghcr.io/...@sha256:5b21...

Root cause

build-release-* builds with push-by-digest=true, and buildx wraps the single-platform image in an OCI index (it attaches a provenance attestation manifest). Trivy resolves the digest remotely but, for an index ref, selects the child matching the runner's platform. On the ubuntu-latest (amd64) runner:

  • the amd64 leg passes by coincidence (the index has a linux/amd64 child);
  • the arm64 leg can never pass — its index has no linux/amd64 child.

This falsifies the earlier assumption that a push-by-digest ref "carries no platform-selection step".

Impact

image-scan-release failing → the reusable ci workflow fails → release-please (needs: ci) never runs → no tag, no release, nothing published. It fails safe (no orphaned tag / half-release), but it means a release cannot currently be cut until this lands.

Fix

Pin TRIVY_PLATFORM=linux/${{ matrix.arch }} on both Trivy steps in the image-scan-release matrix so each leg selects the correct child from the index (amd64 is now correct-by-construction, not by runner coincidence). Also corrects the stale comment.

Env var is used rather than an action input so it targets the trivy binary directly, independent of the trivy-action version.

Validation

  • actionlint clean; YAML parses.
  • This is GitHub Actions runtime behavior, so it can only be fully validated by the next main run after merge — watch that Scan release image (arm64) goes green.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Bug Fixes
    • Improved release image vulnerability checks so scans now target the correct architecture-specific image, reducing false results and missed findings.
    • Preserved the existing reporting and gating process while making vulnerability validation more accurate across multi-architecture releases.

Also in this PR: syncs docs/design/release-image-reuse-plan.md to the current handover state (PR 1 merged via #190, PRs 2–5 remaining, this arm64 blocker recorded, §4 cross-arch claim corrected to match the fix).

build-release-* pushes by digest and buildx wraps the single-platform image
in an OCI index (it attaches a provenance attestation manifest). Trivy
resolves the digest remotely but, for an index ref, selects the child
matching the runner's platform — so on the amd64 runner the arm64 leg fails
100% with "no child with platform linux/amd64 in index".

That reds image-scan-release, which fails the reusable ci workflow, which
release-please needs — so it blocks every release (fails safe: no tag, no
half-published release, but nothing ships).

Pin TRIVY_PLATFORM=linux/${matrix.arch} on both Trivy steps so each leg
selects the correct child from the index, and correct the stale comment that
claimed a push-by-digest ref carries no platform-selection step.

Can only be fully validated by a main run (GitHub Actions behavior); actionlint clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Updates the CI workflow's Trivy image scanning steps for release images to explicitly set TRIVY_PLATFORM to the matrix architecture, ensuring correct per-architecture child image selection when scanning OCI index digests, for both the report and gating steps.

Changes

Trivy Platform Pinning

Layer / File(s) Summary
Per-arch platform selection for release image scans
.github/workflows/ci.yml
Both the Trivy report scan step and the critical vulnerability gate step now set TRIVY_PLATFORM: linux/${{ matrix.arch }} to correctly select per-architecture children within an OCI index digest; comments updated accordingly.

Estimated code review effort: 1 (Trivial) | ~5 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning It explains the bug and fix, but it omits required template sections like Type of Change, Testing, Checklist, and Related Issues. Add the missing template sections with selected change type, testing details, checklist items, and any related issue links.
✅ Passed checks (4 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title clearly matches the CI fix for Trivy scanning release digests.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/trivy-release-scan-platform

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/ci.yml (1)

667-668: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Consider hoisting TRIVY_PLATFORM to job-level env: to avoid duplication.

The same comment and TRIVY_PLATFORM: linux/${{ matrix.arch }} assignment is repeated on both Trivy steps. Since it's derived solely from matrix.arch, defining it once under the job's env: block would remove the duplication and keep both steps in sync automatically.

Also applies to: 689-690

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 667 - 668, The TRIVY_PLATFORM
assignment is duplicated across the Trivy steps, so move it to the job-level env
for the workflow job that contains the Trivy scan steps. Use the
matrix.arch-derived value once in the job env block so both Trivy steps inherit
it automatically, and remove the repeated TRIVY_PLATFORM entries from the
individual steps.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 661-663: The Docker login step in the CI workflow is interpolating
`secrets.GITHUB_TOKEN` and `github.actor` directly inside the `run` shell block,
which should be moved to step-level `env:` variables instead. Update the
workflow step that runs `docker login` to define `GH_TOKEN` and `GH_ACTOR` in
`env:`, then reference those variables in the `run:` command. Keep the registry
reference as-is and ensure the login command uses the env vars rather than
template expressions in the shell block.

---

Nitpick comments:
In @.github/workflows/ci.yml:
- Around line 667-668: The TRIVY_PLATFORM assignment is duplicated across the
Trivy steps, so move it to the job-level env for the workflow job that contains
the Trivy scan steps. Use the matrix.arch-derived value once in the job env
block so both Trivy steps inherit it automatically, and remove the repeated
TRIVY_PLATFORM entries from the individual steps.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 9416dd38-de3c-41b2-8dd5-f3c39baef48c

📥 Commits

Reviewing files that changed from the base of the PR and between 2b3a949 and a53884c.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml

Comment thread .github/workflows/ci.yml
Comment on lines 661 to 663
run: |
echo "${{ secrets.GITHUB_TOKEN }}" | docker login ${{ env.REGISTRY }} -u ${{ github.actor }} --password-stdin

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the workflow around the referenced lines
sed -n '640,675p' .github/workflows/ci.yml

# Locate the login step and any nearby env usage
rg -n "docker login|GITHUB_TOKEN|github.actor|REGISTRY" .github/workflows/ci.yml

Repository: ConfigButler/gitops-reverser

Length of output: 3920


Hoist the login arguments into env:
Use step env vars for secrets.GITHUB_TOKEN and github.actor, then reference $GH_TOKEN / $GH_ACTOR in run: to avoid the template-injection sink in this shell block.

🧰 Tools
🪛 zizmor (1.26.1)

[error] 662-662: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 661 - 663, The Docker login step in
the CI workflow is interpolating `secrets.GITHUB_TOKEN` and `github.actor`
directly inside the `run` shell block, which should be moved to step-level
`env:` variables instead. Update the workflow step that runs `docker login` to
define `GH_TOKEN` and `GH_ACTOR` in `env:`, then reference those variables in
the `run:` command. Keep the registry reference as-is and ensure the login
command uses the env vars rather than template expressions in the shell block.

Source: Linters/SAST tools

Bring the plan doc to the current handover state: PR 1 merged via #190
(2b3a949), PRs 2-5 remaining with current-tree anchors, and the §4 cross-arch
claim corrected to match the TRIVY_PLATFORM fix in this PR — push-by-digest
builds are OCI indexes, so Trivy must be told which child to scan.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@sunib
sunib enabled auto-merge (squash) July 3, 2026 08:50
@codecov

codecov Bot commented Jul 3, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@sunib
sunib merged commit 08d557d into main Jul 3, 2026
37 of 39 checks passed
@sunib
sunib deleted the fix/trivy-release-scan-platform branch July 3, 2026 10:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant