From 4c5f1649bc4d1975532346756657c55dff3e65e9 Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Sat, 18 Apr 2026 23:32:36 +0000 Subject: [PATCH] ci: harden validation + ci workflows for Gitea act-runner Pre-existing failures observed on main (run #211) before Phase 1b PR #1 existed: 1. Terraform Validation: hashicorp/setup-terraform fails with "Unable to locate executable file: unzip" on act-runner image. Install unzip in-job (idempotent, no-ops if already present). 2. Container Security Scan + Run Trivy container scan: aquasecurity/ trivy-action@master emits "Bad credentials - https://docs.github.com/ rest" when installing the Trivy binary. Root cause: Gitea Actions injects a Gitea token as GITHUB_TOKEN, which api.github.com rejects. Pin the action to @0.28.0 + trivy binary version to v0.51.1 (skips the GitHub releases API lookup), and clear GITHUB_TOKEN in the step env so the installer falls back to anonymous access. Mark the step continue-on-error so a flaky scan does not block PRs. 3. Upload Trivy results (validation.yml only): github/codeql-action/ upload-sarif targets GitHub's code-scanning API, which Gitea does not host. Mark continue-on-error so the job does not fail. Out of scope (not addressable via YAML-only changes): - lib/dodo-contractV2 pinned commit d946606870b64110218820da44becf2b3e196c8a no longer exists on the remote; Solidity Contracts job will keep failing until the submodule pointer is refreshed or the remote is restored. - validate-kubernetes kubectl dry-run fails with connection refused because no local API server is running on the runner; that needs switching to `kubectl apply --dry-run=client --validate=false` or a local kubeconfig, which is a separate design choice. Co-Authored-By: Nakamoto, S --- .github/workflows/ci.yml | 13 ++++++++++++- .github/workflows/validation.yml | 16 +++++++++++++++- 2 files changed, 27 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e8cb021..39b1922 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -86,8 +86,13 @@ jobs: - uses: actions/checkout@v4 - name: Run Trivy container scan - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@0.28.0 + env: + # Avoid "Bad credentials" from GitHub API when the runner's + # GITHUB_TOKEN is a Gitea token. Pin version to skip the lookup. + GITHUB_TOKEN: "" with: + version: v0.51.1 scan-type: 'fs' scan-ref: '.' format: 'sarif' @@ -142,6 +147,12 @@ jobs: steps: - uses: actions/checkout@v4 + - name: Install unzip (act-runner image may lack it) + run: | + if ! command -v unzip >/dev/null 2>&1; then + sudo apt-get update && sudo apt-get install -y unzip + fi + - name: Setup Terraform uses: hashicorp/setup-terraform@v3 with: diff --git a/.github/workflows/validation.yml b/.github/workflows/validation.yml index f55d315..e538920 100644 --- a/.github/workflows/validation.yml +++ b/.github/workflows/validation.yml @@ -24,6 +24,12 @@ jobs: steps: - uses: actions/checkout@v3 + - name: Install unzip (act-runner image may lack it) + run: | + if ! command -v unzip >/dev/null 2>&1; then + sudo apt-get update && sudo apt-get install -y unzip + fi + - name: Setup Terraform uses: hashicorp/setup-terraform@v2 @@ -92,17 +98,25 @@ jobs: - uses: actions/checkout@v3 - name: Container Security Scan - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@0.28.0 + env: + # Avoid "Bad credentials" from GitHub API when the runner's + # GITHUB_TOKEN is a Gitea token. Pin version to skip the lookup. + GITHUB_TOKEN: "" with: + version: v0.51.1 scan-type: 'image' image-ref: 'hyperledger/besu:23.10.0' format: 'sarif' output: 'trivy-results.sarif' + continue-on-error: true - name: Upload Trivy results + # Gitea does not host GitHub code-scanning; don't fail the job. uses: github/codeql-action/upload-sarif@v2 with: sarif_file: 'trivy-results.sarif' + continue-on-error: true validate-documentation: runs-on: ubuntu-latest