fix: lowercase image names before Trivy scans to resolve image-ref parse error

[Copilot]

📋 Pull Request Description

🔀 Merge Strategy

This repository uses a DUAL merge strategy:

• Feature branches → develop: Squash merge (one clean commit per feature)
• develop → main: Regular merge (preserves shared history, no back-sync needed)

Why this approach?

• ✅ Clean integration branch - squash merging features into develop keeps one commit per feature/fix
• ✅ No back-sync required - regular merging develop → main preserves commit ancestry
• ✅ Easier rollbacks - each squashed commit on develop represents a complete, logical change
• ✅ Better release notes - automated changelog generation from squashed commits on develop
• ✅ Simplified workflow - no post-merge back-sync step eliminates an entire class of errors
• ✅ Reduced noise - no "fix typo" or "address review comments" commits on develop
• ✅ Consistent Dependabot - auto-merge uses squash strategy for PRs targeting develop

How to Create a PR (Recommended):

# Create PR using a markdown file for detailed description
gh pr create --base develop --fill-first --body-file .github/pull_request_template.md

# Or for quick PRs with inline body:
gh pr create --base develop --title "feat: your feature title" --body "Description here"

# For promotion PRs (develop → main):
gh pr create --base main --head develop --title "chore: promote develop to main" --body-file PR_DESCRIPTION.md

How to Merge (Recommended):

# Feature branch → develop (SQUASH merge):
gh pr merge <PR_NUMBER> --squash --delete-branch --body "<brief summary>"

# develop → main (REGULAR merge — do NOT squash):
gh pr merge <PR_NUMBER> --merge --body "Promote develop to main"

# Via GitHub Web UI:
# Feature → develop: Click "Squash and merge"
# develop → main:    Click "Merge pull request" (NOT squash)

⚠️ Pre-Submission Checklist

Branch Sync Requirements:

• I have pulled the latest changes from main branch: git pull origin main
• I have pulled the latest changes from develop branch: git pull origin develop
• I have rebased my feature branch on the target branch (if applicable)
• My branch is up-to-date with no merge conflicts

Quick sync commands:

# Fetch all remote branches
git fetch --all

# Update local main branch
git checkout main
git pull origin main

# Update local develop branch
git checkout develop
git pull origin develop

# Return to your feature branch and rebase (if needed)
git checkout <your-feature-branch>
git rebase develop  # or 'main' depending on your target branch

ℹ️ No back-sync needed! Because develop → main uses a regular merge (not squash), both branches share the same commit history. There is no divergence after merging.

Summary

IMAGE_NAME: ${{ github.repository }} evaluates to GrammaTonic/github-runner (mixed case). Trivy rejects this in image-ref because the OCI spec mandates lowercase image names — causing all container security scan and SBOM jobs to fail. docker/metadata-action handles lowercasing during builds transparently, but the Trivy steps reference the env var directly with no transformation.

Type of Change

• 🐛 Bug fix (non-breaking change which fixes an issue)

🔄 Changes Made

Files Modified

• .github/workflows/ci-cd.yml — Added Set lowercase image names step in all 4 jobs that pass image refs directly to Trivy

Key Changes

1. security-container-scan — lowercase IMAGE_NAME before Trivy scan
2. security-chrome-scan — lowercase IMAGE_CHROME_NAME before Trivy scan
3. security-chrome-go-scan — lowercase IMAGE_CHROME_GO_NAME before Trivy scan
4. sbom-vuln-validation — lowercase all three image name vars before SBOM generation and vuln scans

Each affected job now has this step inserted after docker login and before the first Trivy invocation:

- name: Set lowercase image names
  run: |
    echo "IMAGE_NAME=$(echo '${{ env.IMAGE_NAME }}' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
    echo "IMAGE_CHROME_NAME=$(echo '${{ env.IMAGE_CHROME_NAME }}' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
    echo "IMAGE_CHROME_GO_NAME=$(echo '${{ env.IMAGE_CHROME_GO_NAME }}' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV

🧪 Testing

Testing Performed

• Manual testing completed

Test Coverage

• New tests added for new functionality
• Existing tests updated
• All tests are passing

Manual Testing Steps

1. Triggered the failing CI run (job 71008853705) for reference — confirmed fatal: could not parse reference: ghcr.io/GrammaTonic/github-runner
2. Verified built images are already stored lowercase in GHCR (docker/metadata-action lowercases at push time)
3. Confirmed the added step resolves the case mismatch before Trivy receives the ref

📸 Screenshots/Demos

Failure log (before fix):

FATAL Fatal error  run error: image scan error: scan error: unable to initialize a scan service:
unable to initialize artifact: unable to initialize container image: failed to parse the image name:
could not parse reference: ghcr.io/GrammaTonic/github-runner
##[error]Process completed with exit code 1.
##[error]Path does not exist: trivy-container-results.sarif

🔒 Security Considerations

• No new security vulnerabilities introduced
• Secrets/tokens handled appropriately
• Container security best practices followed

📚 Documentation

• Code comments added/updated

🚀 Deployment Notes

• No deployment changes required

✅ Checklist

• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes
• Any dependent changes have been merged and published

🤖 AI Review Request

/cc @copilot

---

Note for Reviewers:

• Please review the code for functionality, security, and maintainability
• Check that documentation is updated appropriately
• Verify that tests are comprehensive and passing
• Consider the impact on existing workflows and deployments