feat(ci): add trivy_skip_dirs and trivy_skip_files inputs to publish-template-image #27

Closed
core-be wants to merge 9 commits from feat/trivy-skip-dirs-files-39 into main
Member
No description provided.
core-be added 9 commits 2026-06-01 03:37:20 +00:00
The README documents the four validator workflows but omits
publish-template-image.yml — which is arguably the most consequential
workflow in this repo (it's the GHCR publish gate that would have
caught the 2026-04-27 RuntimeCapabilities outage if it had existed
then, and is what the runtime-publish cascade fans out to today).

Adds:
- Caller-side usage example matching the validator-section format
- Trigger table (push/dispatch/cascade) verified against the workflow's
  consumers in the template repos
- Inputs table (runtime_name, runtime_version) verified against the
  workflow's on.workflow_call.inputs block
- Pipeline order: lint → static import smoke → boot smoke → push,
  with the load-bearing detail that GHCR push only happens after
  all three gates pass
- Smoke timeout calibration explainer (90s inner / 120s outer) with
  link to PR #33 and the wedge-coverage rationale, so future readers
  don't lower the timeouts and silently blind the gate
- Cross-link to molecule-core/workspace/smoke_mode.py and to
  publish-runtime.yml for the cascade trigger

Doc-only. No workflow or code changes.
docs(readme): add publish-template-image.yml workflow section
Belt-and-suspenders security gate inserted between boot-smoke and
push-to-GHCR. Fails the publish on any HIGH or CRITICAL CVE in either
the OS layer (apt deps) or the Python layer (pip deps). Image never
reaches :latest if vulnerable, so no fresh workspace provision can
pick up a known-bad layer.

Why pre-push: same logic as boot-smoke — anything that fails here
never poisons :latest. Catching post-push leaves a window where
every fresh provision pulls the vulnerable image.

Why HIGH+CRITICAL only with ignore-unfixed=true: medium/low findings
are too noisy in practice (~hundreds per Ubuntu base, mostly
operationally non-actionable until the next Canonical respin).
Promoting those to gate would drown signal in noise. Once
Dockerfiles digest-pin their base image (RFC #388 PR-2 second
half), this becomes the matched pair: pin avoids surprise base-bumps;
Trivy catches if the pinned digest itself accumulates fixable vulns.

Applies to all 4 supported template repos automatically since they
all consume this reusable workflow (claude-code, hermes, openclaw,
codex per PR #2536 prune set).

Refs: https://github.com/Molecule-AI/molecule-controlplane/issues/388

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
feat(ci): add Trivy HIGH/CRITICAL gate before image push (RFC #388 PR-2)
aquasecurity/trivy-action@0.28.0 was removed from the GitHub Actions
registry. Every workspace template's publish-image run is now red:

  Unable to resolve action `aquasecurity/trivy-action@0.28.0`,
  unable to find version `0.28.0`

Pin to 0.36.0 (current latest, matches the GHA marketplace listing).
Same step config — only the version tag changes. Validated via:

  python3 -c "import yaml; yaml.safe_load(open('publish-template-image.yml'))"

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
fix(publish): bump trivy-action 0.28.0 → 0.36.0 (0.28.0 yanked from registry)
aquasecurity/trivy-action moved to v-prefixed tags. The non-v 0.36.0
doesn't exist (only v0.36.0 + a legacy non-v 0.35.0). Followup to #36
which used the non-v form and still failed:

  Unable to resolve action `aquasecurity/trivy-action@0.36.0`,
  unable to find version `0.36.0`

Verified: `gh api repos/aquasecurity/trivy-action/tags` returns
v0.36.0, v0.35.0, v0.34.0, etc.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
fix(publish): trivy-action tag needs v prefix — bump 0.36.0 → v0.36.0
Adds per-template skip-dirs/skip-files inputs to the reusable
publish-template-image workflow, forwarded to the Trivy action.

This avoids the maintenance burden of large .trivyignore files
(110 CVEs in template-hermes) by letting callers exclude paths
that carry upstream-bundled binary distributions.

Fixes #39
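
An added illustration of the gate and pass-through described in the commit messages above; it is not code from this pull request or repository. It shows both sides of the reusable workflow. The input names trivy_skip_dirs and trivy_skip_files come from the PR title and runtime_name from the README commit; the image tag, the caller's workflow path placeholder and the skipped directory are assumptions.

```yaml
# Reusable workflow side (illustrative; not the repository's actual file).
on:
  workflow_call:
    inputs:
      runtime_name:
        type: string
        required: true
      trivy_skip_dirs:
        description: Comma-separated directories Trivy should not traverse
        type: string
        required: false
        default: ""        # empty keeps every path in scope
      trivy_skip_files:
        description: Comma-separated files Trivy should not scan
        type: string
        required: false
        default: ""

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      # lint, static import smoke, boot smoke and the local build come first
      - name: Trivy gate (HIGH/CRITICAL, fixable only)
        uses: aquasecurity/trivy-action@v0.36.0
        with:
          image-ref: local/${{ inputs.runtime_name }}:candidate  # assumed tag
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          exit-code: "1"   # a finding fails the job, so the push never runs
          skip-dirs: ${{ inputs.trivy_skip_dirs }}
          skip-files: ${{ inputs.trivy_skip_files }}
      # push to GHCR follows only when the gate passes
---
# Caller side in a template repo (illustrative).
jobs:
  publish:
    # <owner>/<repo> and the workflow path are placeholders
    uses: <owner>/<repo>/.github/workflows/publish-template-image.yml@main
    with:
      runtime_name: hermes
      # hypothetical directory holding an upstream-bundled binary distribution
      trivy_skip_dirs: /opt/vendor/bundled-runtime
```

Anything under a skipped path is invisible to the gate, so the list is best kept to the bundled distribution's own directory and re-checked when that bundle is updated.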
Owner

Triaged + closed to clear backlog: CI-pending 10+ days, no activity. Reopen if still wanted.

Pull request closed


Reference: molecule-ai/molecule-ci#27