Chore Type
CI / Build change
Description
Currently, CI only runs on PRs and manual dispatch, and the scheduled security scan runs weekly against dev only. This leaves two gaps:
- Upstream breakage goes undetected between PRs: new apt package versions, base image updates, or Python dependency changes can silently break the build.
- Newly published CVEs against the production image are only caught weekly, and the released image on main is never scanned on a schedule.
Proposed changes
- Nightly CI on dev: Add a schedule trigger to ci.yml. On schedule events, check out dev explicitly. This runs the full suite nightly: build, image tests, integration tests, project checks, Python security (Bandit + Safety), and Trivy scan. The dependency-review job already auto-skips on non-PR events.
- Upgrade security-scan.yml from weekly to nightly: Change the cron from Monday 06:00 to nightly. Add a new job that pulls the latest published image from GHCR (ghcr.io/vig-os/devcontainer:latest) and runs Trivy + SBOM against it, covering main without rebuilding.
Acceptance Criteria
- ci.yml runs nightly against dev (build + all test suites + Python security + Trivy)
- security-scan.yml runs nightly instead of weekly
- security-scan.yml scans both dev (freshly built) and main (latest from GHCR, no rebuild)
Implementation Notes
- ci.yml: add schedule cron trigger; in the checkout step, use ref: dev when github.event_name == 'schedule' (on schedule events the default checkout ref is the default branch, not dev)
- security-scan.yml: add a scan-latest job that does docker pull ghcr.io/vig-os/devcontainer:latest, saves to tar, then runs the same Trivy steps with a separate SARIF category (container-image-latest) so findings against the published image are tracked separately from the freshly built dev image in code scanning
- GitHub only fires schedule triggers from the workflow file on the repository's default branch (presumably main here), so neither nightly run starts until these trigger changes land there; until then, verify the new jobs with workflow_dispatch
- Suggested cron times: CI at ~04:00 UTC, security-scan at ~05:00 UTC (stagger to reduce runner contention with existing CodeQL at 02:15)
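Sketch of both workflow changes as an added example (not the project's existing ci.yml or security-scan.yml, whose other jobs and steps are not shown). Assumptions: main is the default branch, the GHCR package may be private (hence the login step; drop it and the packages permission if the image is public), and the trivy-action / upload-sarif / upload-artifact versions are placeholders to be aligned with whatever the existing jobs already pin. Cron times are the suggested ones above.

```yaml
# .github/workflows/ci.yml (excerpt, added example): nightly run against dev.
on:
  pull_request:
  workflow_dispatch:
  schedule:
    - cron: '0 4 * * *'        # 04:00 UTC daily (assumed; see suggested times)

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # On schedule events github.ref is the default branch, so pin to dev.
          # An empty ref makes actions/checkout fall back to its normal default
          # (the PR merge ref or the dispatched ref), so PR/dispatch behave as before.
          ref: ${{ github.event_name == 'schedule' && 'dev' || '' }}
      # ... existing build, image/integration tests, Bandit, Safety, Trivy steps ...

---
# .github/workflows/security-scan.yml (excerpt, added example): nightly cadence
# plus a scan-latest job that scans the published main image without rebuilding.
on:
  schedule:
    - cron: '0 5 * * *'        # 05:00 UTC daily, replacing the Monday 06:00 weekly run
  workflow_dispatch:

permissions:
  contents: read
  packages: read               # assumption: only needed if the GHCR package is private
  security-events: write       # required to upload SARIF to code scanning

jobs:
  # ... existing job that builds dev and scans it stays as-is ...

  scan-latest:
    runs-on: ubuntu-latest
    steps:
      - name: Log in to GHCR (assumption: package is private; remove if public)
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Pull the latest published image and save it to a tar
        run: |
          set -euo pipefail
          docker pull ghcr.io/vig-os/devcontainer:latest
          docker save ghcr.io/vig-os/devcontainer:latest -o image-latest.tar

      - name: Trivy vulnerability scan of the tar (SARIF)
        uses: aquasecurity/trivy-action@0.28.0   # assumed pin; match existing jobs
        with:
          input: image-latest.tar
          format: sarif
          output: trivy-latest.sarif
          severity: CRITICAL,HIGH
          ignore-unfixed: true

      - name: Upload SARIF under its own category
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-latest.sarif
          # Separate category so these results do not overwrite or merge with
          # the SARIF uploaded by the dev-image scan in the other job.
          category: container-image-latest

      - name: Generate SBOM for the published image
        uses: aquasecurity/trivy-action@0.28.0
        with:
          input: image-latest.tar
          format: cyclonedx
          output: sbom-latest.cdx.json

      - name: Keep the SBOM as a build artifact
        uses: actions/upload-artifact@v4
        with:
          name: sbom-latest
          path: sbom-latest.cdx.json
```

Two points worth checking when wiring this in: the `---` above only separates the two excerpts for reading (each belongs in its own file), and because `schedule` triggers are read from the default branch, the first real nightly run happens only after the trigger edits are merged to main, so exercise both jobs via workflow_dispatch first.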
Related Issues
None
Priority
Medium
Changelog Category
No changelog needed