Fix CI stability: resolve Docker Scout write/auth issues and harden PG matrix checkout #35

Merged

nessi merged 6 commits from development into main 2026-02-14 22:12:28 +00:00

Conversation 0 Commits 6 Files Changed 2 +28 -4

nessi commented 2026-02-14 22:08:40 +00:00

Owner

Copy Link

Summary

This PR stabilizes CI security scanning and matrix reliability on the development branch.

Changes Included

1) Docker Scout scan fix (development CVE workflow)

• Fixed Scout runtime error:
  • failed create to sbom folder: mkdir /root/.docker/scout: read-only file system
• Kept Scout running with Docker socket access as root:
  • -u root
  • -v /var/run/docker.sock:/var/run/docker.sock
• Updated Docker auth config mount to be writable:
  • from :ro to writable mount
• Result: Scout can now use local built images and write its internal cache/index data without failing.

2) PostgreSQL compatibility matrix stability improvements

• Reduced matrix concurrency to lower runner pressure:
  • max-parallel: 3
• Optimized checkout for reliability and speed:
  • actions/checkout@v4 with fetch-depth: 1
• Scope applies to PG14–PG18 smoke jobs on main/master/development and PRs.

Why

• Prevent flaky CI behavior in development security scans.
• Avoid intermittent matrix job instability (especially in later PG jobs) under higher parallel load.
• Keep pipeline output actionable and predictable.

Validation

• Scout scan step now progresses past the read-only SBOM/cache path issue.
• Matrix workflow remains functionally identical while being less prone to infra-side checkout failures.

## Summary This PR stabilizes CI security scanning and matrix reliability on the `development` branch. ## Changes Included ### 1) Docker Scout scan fix (development CVE workflow) - Fixed Scout runtime error: - `failed create to sbom folder: mkdir /root/.docker/scout: read-only file system` - Kept Scout running with Docker socket access as root: - `-u root` - `-v /var/run/docker.sock:/var/run/docker.sock` - Updated Docker auth config mount to be writable: - from `:ro` to writable mount - Result: Scout can now use local built images and write its internal cache/index data without failing. ### 2) PostgreSQL compatibility matrix stability improvements - Reduced matrix concurrency to lower runner pressure: - `max-parallel: 3` - Optimized checkout for reliability and speed: - `actions/checkout@v4` with `fetch-depth: 1` - Scope applies to PG14–PG18 smoke jobs on `main/master/development` and PRs. ## Why - Prevent flaky CI behavior in development security scans. - Avoid intermittent matrix job instability (especially in later PG jobs) under higher parallel load. - Keep pipeline output actionable and predictable. ## Validation - Scout scan step now progresses past the read-only SBOM/cache path issue. - Matrix workflow remains functionally identical while being less prone to infra-side checkout failures.

nessi added 6 commits 2026-02-14 22:08:41 +00:00

Update Docker Hub Scout config to use local login credentials ... f4b18b6cf1

Replaced the use of Docker Hub secrets with a mounted local docker configuration file for authentication. Added a check to ensure the login config exists before running scans, preventing unnecessary failures. This change enhances flexibility and aligns with local environment setups.

Make Docker Scout scans non-blocking and update config paths. ... dd3f18bb06

Set `continue-on-error: true` for Docker Scout steps to ensure workflows proceed even if scans fail. Updated volume paths and environment variables for Docker config and credentials to improve scanning compatibility.

Add Docker Scout login fallback and temporary caching. ... 5a7f32541f

This update introduces a fallback mechanism for Docker Scout login when DockerHub credentials are unavailable, ensuring the workflow does not fail. It also replaces direct Docker config usage with temporary caching to improve flexibility and reduce dependency on runner environment setups.

Refactor Docker Scout integration in CVE scan workflow ... af6ea11079

Simplified the Docker Scout configuration logic by removing unnecessary checks and utilizing Docker's standard auth configuration. Updated environment variable usage and volume mounts to streamline the setup process for scanning containers.

Add -u root flag to container CVE scan workflow ... c0077e3dd8

This ensures the container runs with root user privileges, providing better compatibility and avoiding potential permission issues. The change affects the development workflow configuration for container CVE scanning.

Update GitHub Actions workflows for improved functionality ... 328f69ea5e

Removed the read-only flag from Docker volume mounts in the container CVE scan workflow to allow modifications. Added `max-parallel` and `fetch-depth` configurations to the PostgreSQL compatibility matrix workflow for better performance and efficiency.

nessi merged commit 21a8023bf1 into main 2026-02-14 22:12:28 +00:00

nessi referenced this issue from a commit 2026-02-14 22:12:30 +00:00

Merge pull request 'Fix CI stability: resolve Docker Scout write/auth issues and harden PG matrix checkout' (#35) from development into main

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

P0

High priority

P1

Medium priority

P2

Low priority

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

nessi

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: nessi/NexaPG#35