Commit graph

10 commits

Author SHA1 Message Date
Pier-Jean Malandrino
7577a98415 fix(ci): pin Trivy to latest in release-gate (v0.69.3 was yanked)
Some checks failed
Release Docker Images / Build & push — local (push) Has been cancelled
Release Docker Images / Build & push — remote (push) Has been cancelled
aquasecurity/trivy-action@v0.35.0 defaults to Trivy CLI v0.69.3, but
that tag was removed from GitHub releases mid-run on 2026-04-29 — the
HIGH step on Security scan — local started failing at setup time:

  aquasecurity/trivy info checking GitHub for tag 'v0.69.3'
  aquasecurity/trivy crit unable to find 'v0.69.3'
  ##[error]Process completed with exit code 1.

The CRITICAL step still passed (binary was in cache from a prior run),
so this only surfaced as a HIGH-step failure — but the job exit code
still propagates and breaks the gate.

Following `latest` rather than chasing a specific tag that upstream
can yank without notice.

Refs #189
2026-04-29 14:00:00 +02:00
Pier-Jean Malandrino
a7fbdf7b1b fix(ci): wire .trivyignore.yaml into release-gate Trivy scans
The CRITICAL + HIGH Trivy steps in release-gate.yml were invoking
aquasecurity/trivy-action without the `trivyignores` input, so the
.trivyignore.yaml at the repo root (committed in #190 to mitigate
CVE-2026-40393 / Mesa) was silently ignored — the gate kept failing
on a CVE we explicitly chose to defer.

Pass `trivyignores: .trivyignore.yaml` to both Trivy steps so the file
takes effect. The HIGH step also gets it for consistency (it doesn't
fail the gate, but reporting a CVE we ignore as HIGH would be noise).

Refs #189
2026-04-29 14:00:00 +02:00
Pier-Jean Malandrino
19fa3e31a8 fix(ci): download only required artifacts in release summary
The Release summary job was downloading ALL artifacts (~780 MB)
including Docker images it never uses. The 648 MB docker-image-local
consistently timed out after 5 retries. Now downloads only the 4
small artifacts actually needed (~2 KB total).
2026-04-10 09:58:33 +02:00
Pier-Jean Malandrino
ce6661ddcf fix(ci): pin GitHub Actions to Node 24-compatible versions
checkout v4 → v4.3.1, upload-artifact v4 → v4.6.2,
download-artifact v4 → v4.3.0 — fixes artifact download failures
caused by Node.js 20 deprecation on GitHub runners.
2026-04-10 09:41:25 +02:00
Pier-Jean Malandrino
527bf0b6cd revert: restore @critical tag for e2e UI tests in release-gate 2026-04-10 08:40:51 +02:00
Pier-Jean Malandrino
81d4c445e1 fix(ci): use @ui tag instead of @critical for e2e UI tests 2026-04-09 17:23:59 +02:00
Pier-Jean Malandrino
0e5e088438 fix(ci): fix Trivy action version (v0.35.0) 2026-04-09 13:36:49 +02:00
Pier-Jean Malandrino
2aa56d8ca2 fix(ci): fix audit-checks crash (set -e + grep exit code + ANSI in output) 2026-04-09 13:25:15 +02:00
Pier-Jean Malandrino
3c9d09c4e2 ci: remove duplicate push trigger from release-gate 2026-04-09 13:22:25 +02:00
Pier-Jean Malandrino
941028e705 ci: add release-gate pipeline, fix CI duplication, add OSS playbook docs
- Add release-gate.yml: 11-job pipeline (lint, tests, Docker build/smoke,
  Trivy scan, dep audit, audit checks, e2e API+UI, PR summary comment)
- Fix CI double-trigger on release branches (push + PR)
- Add CODE_OF_CONDUCT.md, SECURITY.md, PR template
- Add docs: git-workflow, architecture (ADR), release, operations, community
- Add profiles/fastapi-vue for automated audit checks
- Add docs/PROCESSES.md: index of 19 available processes
2026-04-09 13:20:43 +02:00