fix(ci): use ghcr.io for Trivy DB instead of mirror.gcr.io #509
Merged
mirror.gcr.io returns 404 when downloading the Trivy vulnerability DB, causing CI scans to fail with:

FATAL: failed to download artifact from mirror.gcr.io/aquasec/trivy-db:2

Set TRIVY_DB_REPOSITORY and TRIVY_JAVA_DB_REPOSITORY env vars to use the official ghcr.io registry (ghcr.io/aquasecurity/trivy-db:2) in all workflows: security-scan.yml, release.yml, test.yml.
Serph91P added a commit that referenced this pull request Mar 15, 2026
* ci(deps): bump actions/upload-artifact from 6 to 7

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 6 to 7.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v6...v7)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): bump bandit from 1.9.2 to 1.9.4

Bumps [bandit](https://github.com/PyCQA/bandit) from 1.9.2 to 1.9.4.
- [Release notes](https://github.com/PyCQA/bandit/releases)
- [Commits](PyCQA/bandit@1.9.2...1.9.4)

---
updated-dependencies:
- dependency-name: bandit
  dependency-version: 1.9.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): bump fastapi from 0.133.1 to 0.135.1

Bumps [fastapi](https://github.com/fastapi/fastapi) from 0.133.1 to 0.135.1.
- [Release notes](https://github.com/fastapi/fastapi/releases)
- [Commits](fastapi/fastapi@0.133.1...0.135.1)

---
updated-dependencies:
- dependency-name: fastapi
  dependency-version: 0.135.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): bump python-dotenv from 1.2.1 to 1.2.2

Bumps [python-dotenv](https://github.com/theskumar/python-dotenv) from 1.2.1 to 1.2.2.
- [Release notes](https://github.com/theskumar/python-dotenv/releases)
- [Changelog](https://github.com/theskumar/python-dotenv/blob/main/CHANGELOG.md)
- [Commits](theskumar/python-dotenv@v1.2.1...v1.2.2)

---
updated-dependencies:
- dependency-name: python-dotenv
  dependency-version: 1.2.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): bump vite-plugin-vue-devtools in /app/frontend

Bumps [vite-plugin-vue-devtools](https://github.com/vuejs/devtools/tree/HEAD/packages/vite) from 8.0.6 to 8.0.7.
- [Release notes](https://github.com/vuejs/devtools/releases)
- [Commits](https://github.com/vuejs/devtools/commits/v8.0.7/packages/vite)

---
updated-dependencies:
- dependency-name: vite-plugin-vue-devtools
  dependency-version: 8.0.7
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): bump @vue/tsconfig from 0.8.1 to 0.9.0 in /app/frontend

Bumps [@vue/tsconfig](https://github.com/vuejs/tsconfig) from 0.8.1 to 0.9.0.
- [Release notes](https://github.com/vuejs/tsconfig/releases)
- [Commits](vuejs/tsconfig@v0.8.1...v0.9.0)

---
updated-dependencies:
- dependency-name: "@vue/tsconfig"
  dependency-version: 0.9.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): bump esbuild from 0.27.2 to 0.27.3 in /app/frontend

Bumps [esbuild](https://github.com/evanw/esbuild) from 0.27.2 to 0.27.3.
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md)
- [Commits](evanw/esbuild@v0.27.2...v0.27.3)

---
updated-dependencies:
- dependency-name: esbuild
  dependency-version: 0.27.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* fix(deps): resolve serialize-javascript RCE vulnerability (GHSA)

Override serialize-javascript to ^7.0.3 to fix code injection via RegExp.flags and Date.prototype.toISOString() (CVE incomplete fix for CVE-2020-7660). Transitive dep chain: vite-plugin-pwa -> workbox-build -> @rollup/plugin-terser -> serialize-javascript. Upstream pins ^0.4.3 which caps at 6.x. Also fixes immutable prototype pollution (npm audit fix).

* ci(deps): bump docker/build-push-action from 6 to 7

Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6 to 7.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](docker/build-push-action@v6...v7)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): bump eslint from 10.0.2 to 10.0.3 in /app/frontend

Bumps [eslint](https://github.com/eslint/eslint) from 10.0.2 to 10.0.3.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](eslint/eslint@v10.0.2...v10.0.3)

---
updated-dependencies:
- dependency-name: eslint
  dependency-version: 10.0.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* ci(deps): bump docker/login-action from 3 to 4

Bumps [docker/login-action](https://github.com/docker/login-action) from 3 to 4.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@v3...v4)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): bump apprise from 1.9.7 to 1.9.8

Bumps [apprise](https://github.com/caronc/apprise) from 1.9.7 to 1.9.8.
- [Release notes](https://github.com/caronc/apprise/releases)
- [Commits](caronc/apprise@v1.9.7...v1.9.8)

---
updated-dependencies:
- dependency-name: apprise
  dependency-version: 1.9.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): bump cachetools from 7.0.1 to 7.0.4

Bumps [cachetools](https://github.com/tkem/cachetools) from 7.0.1 to 7.0.4.
- [Changelog](https://github.com/tkem/cachetools/blob/master/CHANGELOG.rst)
- [Commits](tkem/cachetools@v7.0.1...v7.0.4)

---
updated-dependencies:
- dependency-name: cachetools
  dependency-version: 7.0.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): bump vue from 3.5.29 to 3.5.30 in /app/frontend

Bumps [vue](https://github.com/vuejs/core) from 3.5.29 to 3.5.30.
- [Release notes](https://github.com/vuejs/core/releases)
- [Changelog](https://github.com/vuejs/core/blob/main/CHANGELOG.md)
- [Commits](vuejs/core@v3.5.29...v3.5.30)

---
updated-dependencies:
- dependency-name: vue
  dependency-version: 3.5.30
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* ci(deps): bump docker/metadata-action from 5 to 6

Bumps [docker/metadata-action](https://github.com/docker/metadata-action) from 5 to 6.
- [Release notes](https://github.com/docker/metadata-action/releases)
- [Commits](docker/metadata-action@v5...v6)

---
updated-dependencies:
- dependency-name: docker/metadata-action
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): bump sqlalchemy[postgresql] from 2.0.47 to 2.0.48

Bumps [sqlalchemy[postgresql]](https://github.com/sqlalchemy/sqlalchemy) from 2.0.47 to 2.0.48.
- [Release notes](https://github.com/sqlalchemy/sqlalchemy/releases)
- [Changelog](https://github.com/sqlalchemy/sqlalchemy/blob/main/CHANGES.rst)
- [Commits](https://github.com/sqlalchemy/sqlalchemy/commits)

---
updated-dependencies:
- dependency-name: sqlalchemy[postgresql]
  dependency-version: 2.0.48
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): bump @types/node from 24.10.9 to 25.3.5 in /app/frontend

Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 24.10.9 to 25.3.5.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 25.3.5
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* ci(deps): bump docker/setup-buildx-action from 3 to 4

Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3 to 4.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](docker/setup-buildx-action@v3...v4)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* Feature/glassmorphism unified UI (#507)

* feat(frontend): unified glassmorphism UI rework with bug fixes

- Create _glass-system.scss unified design system (~450 lines)
- CSS custom properties for glass tokens (bg, blur, shadow, border)
- Theme-aware variables (dark/light) eliminating manual overrides
- Glass surface mixins (subtle/medium/strong variants)
- Component classes, button system, form elements, utilities
- Fix notification bell click-outside bug
- Replace broken querySelector with Vue template refs
- Add @click.stop modifier and onUnmounted cleanup
- Make bell visible on all screen sizes (was hidden on mobile)
- Fix login state refresh bug
- LoginView now uses useAuth().login() composable
- Replace window.location.href with router.push('/')
- Auth state updates reactively via module-level singleton refs
- Remove duplicate hamburger menu navigation
- Delete mobile menu overlay, hamburger button, related functions
- SidebarNav for desktop, BottomNav for mobile (clean separation)
- Migrate 13 components to glass system variables
- Replace hardcoded rgba/blur/shadow with glass tokens
- Remove [data-theme] overrides (glass vars are theme-aware)
- Add @supports fallbacks for backdrop-filter
- Remove old _glass.scss import from main.scss (dead code)

* feat: add .gitignore to exclude cache and project.local.yml

* feat: update .gitignore to include .pytest_cache and .serena

* fix(ci): use ghcr.io for Trivy DB instead of mirror.gcr.io (#509)

mirror.gcr.io returns 404 when downloading the Trivy vulnerability DB, causing CI scans to fail with:

FATAL: failed to download artifact from mirror.gcr.io/aquasec/trivy-db:2

Set TRIVY_DB_REPOSITORY and TRIVY_JAVA_DB_REPOSITORY env vars to use the official ghcr.io registry (ghcr.io/aquasecurity/trivy-db:2) in all workflows: security-scan.yml, release.yml, test.yml.

* Feature/glassmorphism unified UI (#508)

* feat(frontend): unified glassmorphism UI rework with bug fixes

- Create _glass-system.scss unified design system (~450 lines)
- CSS custom properties for glass tokens (bg, blur, shadow, border)
- Theme-aware variables (dark/light) eliminating manual overrides
- Glass surface mixins (subtle/medium/strong variants)
- Component classes, button system, form elements, utilities
- Fix notification bell click-outside bug
- Replace broken querySelector with Vue template refs
- Add @click.stop modifier and onUnmounted cleanup
- Make bell visible on all screen sizes (was hidden on mobile)
- Fix login state refresh bug
- LoginView now uses useAuth().login() composable
- Replace window.location.href with router.push('/')
- Auth state updates reactively via module-level singleton refs
- Remove duplicate hamburger menu navigation
- Delete mobile menu overlay, hamburger button, related functions
- SidebarNav for desktop, BottomNav for mobile (clean separation)
- Migrate 13 components to glass system variables
- Replace hardcoded rgba/blur/shadow with glass tokens
- Remove [data-theme] overrides (glass vars are theme-aware)
- Add @supports fallbacks for backdrop-filter
- Remove old _glass.scss import from main.scss (dead code)

* feat: add .gitignore to exclude cache and project.local.yml

* feat: update .gitignore to include .pytest_cache and .serena

* feat(frontend): expand streamer settings, clean up settings UI

- Add codec preferences, max concurrent recordings, and global cleanup policy toggle to streamer settings modal (StreamerDetailView)
- Update backend API to handle new per-streamer settings fields (maxStreams, supportedCodecs, useGlobalCleanupPolicy)
- Fix saveSettings to call working PUT endpoint directly instead of broken composable endpoint
- Hide connection-status block when not connected (TwitchConnectionPanel)
- Remove borders from steps-container and benefits-section
- Hide duplicate section headers on mobile settings pages
- Various glassmorphism UI polish: video controls, chapter seeking, notification panel, force-record visibility, responsive video wrapper, dashboard title cutoff, error overlay mobile fix

* Remove outdated ADRs and architecture review documents; implement circuit breaker for Twitch API and Prometheus metrics for observability; enhance security by addressing critical vulnerabilities in authentication and session management; improve error handling and logging practices; and refine overall application architecture for better reliability and performance.

* fix: update copyright year in LICENSE file to 2026

* feat: add frontend development guide with quick start, dev scripts, and mock mode instructions

* fix(lint): apply ruff formatting to streamers.py and metadata_service.py

* chore(deps): upgrade to Vite 8, update all dependencies (#510)

- Upgrade Vite from 7.3.1 to 8.0.0 (2x faster builds via Rolldown)
- Add overrides for vite-plugin-pwa Vite 8 peer dependency (ref #918)
- Convert manualChunks from object to function (Rolldown requirement)
- Update @vitejs/plugin-vue 6.0.4 -> 6.0.5
- Update @types/node 25.3.5 -> 25.5.0
- Update esbuild 0.27.3 -> 0.27.4
- Update sass 1.97.3 -> 1.98.0
- Update vite-plugin-vue-devtools 8.0.7 -> 8.1.0
- Update Python cachetools 7.0.4 -> 7.0.5

* fix(recording): prevent ghost recordings from permanently blocking new recordings (#511)

Recording 68 for Dhalucard became a ghost recording on March 2 after a PostgreSQL recovery mode outage prevented status updates. This ghost entry blocked all new recordings for 12+ days with DUPLICATE_BLOCK errors.

Root causes fixed:
- _handle_recording_completion: 'file not found' path never called remove_active_recording, leaving ghost entries in state manager
- _handle_recording_error: DB failures in mark_recording_failed caused the entire method to bail before remove_active_recording
- stop_recording: EventSub handler's 5s timeout caused CancelledError before remove_active_recording was reached

Changes:
- Move remove_active_recording to finally blocks in _handle_recording_completion, _handle_recording_error, and stop_recording so cleanup always runs
- Add stale recording detection in start_recording: if an 'active' recording has no running process, clean it up instead of blocking
- Trigger post-processing for stale recordings that have files on disk
- Move post-processing trigger to finally block in stop_recording so it survives handler timeouts

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
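A check that keeps the override described in this pull request from regressing, as an added example that is not part of the pull request or the project's code: it flags any workflow that mentions Trivy but leaves either variable unset or pointed outside ghcr.io/aquasecurity. The sample workflow contents, the lint.yml file name and the Java DB value ghcr.io/aquasecurity/trivy-java-db:1 are assumptions not taken from the page.

```sh
#!/bin/sh
# Added example, not code from the pull request: lint workflow files for the
# Trivy DB registry override. Assumptions: workflows are *.yml/*.yaml in one
# directory, and each variable is set on a plain "NAME: value" line.

REQUIRED_VARS="TRIVY_DB_REPOSITORY TRIVY_JAVA_DB_REPOSITORY"

# Prints "<file>: <problem>" per finding; returns non-zero if anything is found.
check_trivy_db_env() {
  wf_dir=$1
  findings=0
  for wf in "$wf_dir"/*.yml "$wf_dir"/*.yaml; do
    [ -f "$wf" ] || continue
    grep -qi 'trivy' "$wf" || continue   # workflow never mentions Trivy
    for var in $REQUIRED_VARS; do
      # Value of the first "VAR: value" line, quotes and spaces stripped.
      val=$(sed -n "s/^[[:space:]]*${var}:[[:space:]]*//p" "$wf" | head -n 1 | tr -d "\"' ")
      case "$val" in
        ghcr.io/aquasecurity/*) ;;       # registry the PR switches to
        "") echo "$(basename "$wf"): $var is not set"; findings=$((findings + 1)) ;;
        *)  echo "$(basename "$wf"): $var points at $val"; findings=$((findings + 1)) ;;
      esac
    done
  done
  [ "$findings" -eq 0 ]
}

# Constructed sample workflows; contents and the lint.yml name are invented here.
make_sample_workflows() {
  d=$(mktemp -d)
  cat > "$d/security-scan.yml" <<'EOF'
env:
  TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db:2
  TRIVY_JAVA_DB_REPOSITORY: "ghcr.io/aquasecurity/trivy-java-db:1"
jobs:
  scan:
    steps:
      - run: trivy fs .
EOF
  cat > "$d/release.yml" <<'EOF'
env:
  TRIVY_DB_REPOSITORY: mirror.gcr.io/aquasec/trivy-db:2
jobs:
  image-scan:
    steps:
      - run: trivy image app:latest
EOF
  printf 'jobs:\n  lint:\n    steps:\n      - run: ruff check .\n' > "$d/lint.yml"
  echo "$d"
}

sample_dir=$(make_sample_workflows)
check_trivy_db_env "$sample_dir" || echo "Trivy DB override is incomplete"
rm -rf "$sample_dir"
```

Run against the repository's workflow directory as a CI step, the function's exit status fails the job when a workflow that calls Trivy lacks the override.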