fix(ci): authenticate trivy-action's github.com clone #44

Merged
julien merged 1 commits from fix/ci/trivy-github-token into main 2026-05-06 23:43:20 +02:00
Owner

Summary

On cache miss, aquasecurity/trivy-action@master falls back to git clone https://github.com/aquasecurity/trivy to fetch its install script. Our act_runner cache server is currently unreachable from job containers (documented as "Cache server (deferred)" in infra/README.md), so every CI run is a cache miss, every run does the clone, and every clone hits github.com's 60 req/h anonymous rate limit:

Pass GITHUBCOM_TOKEN (same zero-scope github.com PAT used for Renovate) as GITHUB_TOKEN env on the trivy step. The action picks it up automatically and authenticates the clone, lifting the rate limit from 60 → 5 000 req/h.

Test plan

  • scan job goes green on this PR (the trivy step in particular).
  • On push to main post-merge, scan stays green.
  • No regression on the audit / gitleaks sub-steps of scan.

Related

  • The deeper fix (re-enabling the act_runner cache server so trivy gets a real cache hit and skips the clone entirely) is tracked as "Cache server (deferred)" in infra/README.md. Worth doing eventually; this PR is the surgical fix.
  • The @master pin on the trivy-action is also worth replacing with a tagged version (renovate.json will surface bumps once we lift the major-dashboard gate for it). Out of scope for this PR.
## Summary On cache miss, `aquasecurity/trivy-action@master` falls back to `git clone https://github.com/aquasecurity/trivy` to fetch its install script. Our act_runner cache server is currently unreachable from job containers (documented as "Cache server (deferred)" in `infra/README.md`), so every CI run is a cache miss, every run does the clone, and every clone hits github.com's 60 req/h anonymous rate limit: Pass `GITHUBCOM_TOKEN` (same zero-scope github.com PAT used for Renovate) as `GITHUB_TOKEN` env on the trivy step. The action picks it up automatically and authenticates the clone, lifting the rate limit from 60 → 5 000 req/h. ## Test plan - [ ] `scan` job goes green on this PR (the trivy step in particular). - [ ] On `push` to main post-merge, scan stays green. - [ ] No regression on the audit / gitleaks sub-steps of `scan`. ## Related - The deeper fix (re-enabling the act_runner cache server so trivy gets a real cache hit and skips the clone entirely) is tracked as "Cache server (deferred)" in `infra/README.md`. Worth doing eventually; this PR is the surgical fix. - The `@master` pin on the trivy-action is also worth replacing with a tagged version (`renovate.json` will surface bumps once we lift the major-dashboard gate for it). Out of scope for this PR.
julien added 1 commit 2026-05-06 23:42:53 +02:00
fix(ci): authenticate trivy-action's github.com clone
CI / commits (pull_request) Successful in 1m45s
CI / check (pull_request) Successful in 1m54s
CI / a11y (pull_request) Successful in 1m47s
CI / perf (pull_request) Successful in 3m8s
CI / scan (pull_request) Failing after 7m10s
4bd3b4a19f
On cache miss, `aquasecurity/trivy-action@master` falls back to
`git clone https://github.com/aquasecurity/trivy` to fetch its
install script. The act_runner cache server is currently
unreachable from job containers (documented as "Cache server
(deferred)" in infra/README.md), so every run is a cache miss, so
every run hits the github.com anonymous rate limit and fails with:

    fatal: could not read Username for 'https://github.com';:
    terminal prompts disabled

Pass `GITHUBCOM_TOKEN` (the same zero-scope github.com PAT we use
for Renovate) as `GITHUB_TOKEN` env on the step. The action picks
it up automatically and authenticates the clone, lifting the rate
limit from 60 req/h anonymous to 5 000 req/h authenticated.

This unblocks the `scan` job. The cache server fix would also
unblock it (no fall-back clone in the first place), but is a
separate, larger infra change still pending.
julien merged commit 6153c81602 into main 2026-05-06 23:43:20 +02:00
julien deleted branch fix/ci/trivy-github-token 2026-05-06 23:43:22 +02:00
Sign in to join this conversation.
No Reviewers
No Label
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: julien/apf_portal#44