fix(ci): restore pipeline (scorecard pin, setup-go cache, container-scan context, Trivy CVE allow-list)#33
Merged
Conversation
added 5 commits
May 16, 2026 19:06
Session: 2026-05-16-ci-pipeline-remediation Branch: fix/ci-pipeline-remediation Intake gate complete (all 9 fields). 4 distinct CI failures evidenced from GitHub Actions API run/job IDs: - CI-A scorecard.yml unresolvable action version - CI-B ci.yml setup-go cache collision with golangci-lint-action - CI-C1 container-scan.yml Dockerfile build context (5 services) - CI-C2 admin-ui pnpm lockfile drift - CI-D Trivy CVE gate (seed-job, jaeger-auth) Owner decisions locked: - Trivy: allow-list with documented CVEs + expiry - pnpm: regenerate lockfile, keep --frozen-lockfile - Scope: all workflows + lockfile in one session Next: dispatch 5 IMPLEMENTERS in parallel.
Chunk CI-A of 2026-05-16-ci-pipeline-remediation. Scorecard workflow was using ossf/scorecard-action@v2, a floating major tag that the action does NOT publish. Every run failed at "Set up job" with: "Unable to resolve action 'ossf/scorecard-action@v2', unable to find version 'v2'". Pinned to commit SHA 4eaacf0543bb3f2c246792bd56e8cdeffafb205a (= v2.4.3, latest stable per GitHub releases API on 2026-05-16). SHA pin also satisfies the OpenSSF Scorecard "pinned-dependencies" check. Evidence: GitHub Actions run 25965785316 / job 76328940486. Verification: YAML parses; SHA → commit verified via GitHub API. Out-of-scope follow-ups (left untouched per chunk scope): - actions/checkout@v4 (line 24) is still floating-major. - github/codeql-action/upload-sarif@v3 (line 37) is still floating-major.
Chunk CI-B of 2026-05-16-ci-pipeline-remediation. actions/setup-go and golangci/golangci-lint-action@v6 were both extracting the Go toolchain cache, causing dozens of: /usr/bin/tar: ...golang.org/toolchain.../...: Cannot open: File exists setup-go now passes `cache: false` in the Lint Go job; golangci-lint-action manages its own cache. The test-go-unit job is left unchanged (no collision there — it does not invoke golangci-lint-action). Evidence: GitHub Actions run 25965858777 / job 76329132482. Verification: surgical edit (one line added under Lint Go's setup-go step); YAML parses.
Chunks CI-C1 and CI-D of 2026-05-16-ci-pipeline-remediation.
CI-C1 — build context
Six service Dockerfiles COPY siblings (mintkey-models/, go.work,
internal/, peer go.mod files); their builds need repo-root context.
The matrix now carries a `dockerfile:` field per service, and the
build step uses `--file "${{ matrix.dockerfile }}"` with the matching
`context:` (`.` for sibling-COPY services, subdirectory for the
self-contained ones).
Sibling-COPY (context: .): admin-api, mcp-server, broker,
vault-adapter, proxy-plugin, kong-syncer
Self-contained: admin-ui, seed-job, mock-backend,
jaeger-auth
Evidence: GitHub Actions run 25965858776 / jobs 76329132598
(admin-api), 76329132601 (mcp-server), 76329132602 (vault-adapter),
76329132594 (proxy-plugin).
Verification: local `docker build -f admin-api/Dockerfile -t test .`
from repo root succeeds; vault-adapter ditto.
CI-D — Trivy CVE allow-list
HIGH/CRITICAL CVEs in seed-job (Debian 13 base) and jaeger-auth
(Alpine 3.19 + oauth2-proxy v7.6.0) tripped the Trivy gate.
Approach: per-CVE allow-list in `.trivyignore`, each entry
documenting (a) package, (b) Mintkey-specific mitigation/justification,
(c) 2026-08-16 expiry (3 months). NO blanket severity downgrade;
NO exit-code relaxation; SARIF still uploaded to the Security tab.
33 unique CVE IDs total: 3 seed-job + 30 jaeger-auth (1 Alpine OS,
5 oauth2-proxy app, 24 bundled Go stdlib/third-party). The
oauth2-proxy bypass cluster is mitigated by Kong header stripping +
internal-only exposure; upgrade tracked separately (MINTKEY-412).
Workflow tweak: `trivyignores: .trivyignore` added to trivy-action's
`with:` block (trivy-action@master could otherwise drift on
auto-detection).
Evidence: GitHub Actions run 25965858776 / jobs 76329132592
(seed-job), 76329132597 (jaeger-auth).
Verification: local `trivy image --severity HIGH,CRITICAL --ignorefile
.trivyignore --exit-code 1 mintkey-{seed-job,jaeger-auth}:scan`
exits 0 for both.
Also: gitignore `**/.pnpm-store/` (local pnpm content-addressable
cache created by `pnpm install`; never to be committed).
PASS_ALL per fresh REVIEWER. 3 atomic chunks committed; CI-C2 verified needing no changes (pnpm v11 overrides validation differs from v9). 33 CVEs documented in .trivyignore with 2026-08-16 expiry.
14 tasks
…ents Late-discovered cascade from CI-B. Once the setup-go cache:false fix let golangci-lint actually RUN end-to-end, type-check uncovered: package requires newer Go version go1.25 (application built with go1.24) Several transitive deps in the existing go.mod graph require Go 1.25+. CI was pinned to "1.22"; Dockerfiles already use golang:1.26-alpine. Aligning ci.yml to 1.26 matches the production base image. Same change as the cascade fix already on fix/dependabot-vulns-2026-05-16 (PR #34); landing it here keeps the two PRs consistent. No other change in this commit.
12 tasks
ciprianiacobescu
pushed a commit
that referenced
this pull request
May 16, 2026
…p-review license config PR #35 CI exposed 3 actionable defects after the initial Wave 1+2 landed: 1. Python jobs (Lint Python / Architecture / Python Unit / Schema Gates) uv sync now succeeds but tool spawn fails: `pytest`, `ruff`, `mypy` not in pyproject.toml deps. Added [dependency-groups] with dev tools to both admin-api/ and mcp-server/. [tool.uv] default-groups = ["dev"] ensures CI's `uv sync` (without --frozen) installs dev tools by default; the existing CI commands (uv run ruff/mypy/pytest) work unchanged. uv.lock regenerated for both. 2. Playwright (chromium) pnpm v9 in CI rejected admin-ui/pnpm-workspace.yaml with: ERROR packages field missing or empty The file was created in PR #34 to hold pnpm v11 overrides; v11 is permissive about missing `packages:`, v9 is not. Added `packages: ["."]` so both versions accept the file. Local pnpm 11 reverification: `pnpm install --frozen-lockfile` exits 0. 3. Dependency Review "message": "You cannot specify both allow-licenses and deny-licenses" actions/dependency-review-action rejects both keys at once. Kept `allow-licenses` (positive allowlist of 8 permissive licenses) and dropped the redundant `deny-licenses` block. Allow-list is strictly safer than deny-list (anything not on the list is rejected by default). NOT addressed in this commit (deferred): - container-scan Trivy failures on seed-job + jaeger-auth: new HIGH/ CRITICAL CVEs published since PR #33's .trivyignore was generated. This is operational CVE-drift maintenance; allow-list refresh needs its own session (or, better, base-image upgrade to eliminate the CVEs at the source).
ciprianiacobescu
added a commit
that referenced
this pull request
May 16, 2026
…ets volume Revert PR #33 REL-3 USER directive for seed-job (one-shot init container; running as root for init operations is the canonical pattern). chmod logic in main.py preserved for downstream consumer permissions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Restores CI from chronic red to green. 4 distinct workflow defects fixed:
scorecard.yml"Set up job" failure:ossf/scorecard-action@v2is not a real tagv2.4.3ci.ymlLint Gotar: Cannot open: File existstoolchain collisioncache: falseon setup-go in lint-go (golangci-lint-action manages its own cache)container-scan.ymlbuild failures:COPY mintkey-models/...: not foundfor 6 servicesdockerfile:path per service; build uses repo-root context where Dockerfiles COPY siblingscontainer-scan.ymlTrivy gate fail on seed-job & jaeger-auth.trivyignorewith 33 individually-justified CVEs + 2026-08-16 expiry;trivyignores: .trivyignorepassed to trivy-actionBuilt and verified locally:
docker build -f admin-api/Dockerfile -t test .→ successdocker build -f services/vault-adapter/Dockerfile -t test .→ successcd admin-ui && pnpm install --frozen-lockfile→ exit 0docker build --no-cache -f admin-ui/Dockerfile -t test admin-ui/→ success (pnpm v11.1.2 via corepack).trivyignorefor both flagged images → exit 0Session:
team/remediation/2026-05-16-ci-pipeline-remediation/.Orchestrator pattern: 5 IMPLEMENTERs in parallel, 1 fresh REVIEWER (Opus) returned
PASS_ALL.Change Type
Required Provenance
team/remediation/2026-05-16-ci-pipeline-remediation/team/remediation/2026-05-16-ci-pipeline-remediation/ISSUE_INTAKE.md(all 9 fields)team/remediation/2026-05-16-ci-pipeline-remediation/01-orchestrator-chunks.mdPASS_ALL(logged in99-report.md)Issue Definition
dependency-reviewstatus check unblocks Dependabot merges.25965785316/76328940486,25965858777/76329132482,25965858776/{76329132590,76329132592,76329132594,76329132597,76329132598,76329132601,76329132602}..github/workflows/{scorecard,ci,container-scan}.yml,.trivyignore(new),.gitignore(pnpm-store).Verification
--frozen-lockfileAgent/Automation Rules
--no-verifyusedCo-Authored-Bytrailer