fix(ci): wire .trivyignore.yaml into release-gate Trivy scans

The CRITICAL + HIGH Trivy steps in release-gate.yml were invoking
aquasecurity/trivy-action without the `trivyignores` input, so the
.trivyignore.yaml at the repo root (committed in #190 to mitigate
CVE-2026-40393 / Mesa) was silently ignored — the gate kept failing
on a CVE we explicitly chose to defer.

Pass `trivyignores: .trivyignore.yaml` to both Trivy steps so the file
takes effect. The HIGH step also gets it for consistency (it doesn't
fail the gate, but reporting a CVE we ignore as HIGH would be noise).

Refs #189
This commit is contained in:
Pier-Jean Malandrino 2026-04-29 09:56:01 +02:00
parent efc27932dd
commit a7fbdf7b1b

View file

@ -353,6 +353,7 @@ jobs:
exit-code: 1
severity: CRITICAL
output: /tmp/trivy-critical-${{ matrix.target }}.txt
trivyignores: .trivyignore.yaml
- name: Run Trivy — HIGH (informational)
if: always()
@ -363,6 +364,7 @@ jobs:
exit-code: 0
severity: HIGH
output: /tmp/trivy-high-${{ matrix.target }}.txt
trivyignores: .trivyignore.yaml
- name: Annotate HIGH vulnerabilities
if: always()