Replace vulnerable inherited gosu helper in postgrest-db image#7
Merged
Conversation
Copilot
AI
changed the title
[WIP] Fix failing GitHub Actions job 'publish'
Replace vulnerable inherited gosu helper in postgrest-db image
Jul 8, 2026
marcvolkert
requested changes
Jul 8, 2026
marcvolkert
left a comment
Owner
There was a problem hiding this comment.
Just remove trivy for the moment.
Contributor
Author
Addressed in 0972bd9. |
There was a problem hiding this comment.
Pull request overview
This PR modifies the publish-postgrest-db GitHub Actions workflow for building and publishing the postgrest-db container image. Based on the diff provided, the change removes the pre-publish Trivy image vulnerability gate (rather than replacing the inherited gosu binary as described in the PR description).
Changes:
- Removed the “Build image for vulnerability scan” step that locally built/loaded the image for scanning.
- Removed the “Scan image with Trivy” step that blocked publishing on HIGH/CRITICAL findings.
Comments suppressed due to low confidence (1)
.github/workflows/publish-postgrest-db.yml:58
- The Trivy vulnerability gate was removed entirely, which changes the workflow from “block publish on HIGH/CRITICAL findings” to “always publish.” This also contradicts the PR description (which says the fix is to replace inherited
gosu, not to bypass scanning). If the intent is to keep a security gate, reintroduce the scan step (or an equivalent pre-push image scan).
- name: Build and push image
uses: docker/build-push-action@v6
with:
context: ./postgrest-tandem/image
file: ./postgrest-tandem/image/Containerfile
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The
publishworkflow was failing in the Trivy gate, not during push. The publishedpostgrest-dbimage inherited a vulnerablegosubinary frompostgres:16, causing the release job to fail before publishing.Root cause
usr/local/bin/gosufrom the upstream base image.Image change
gosuwith a minimal shell wrapper backed bysetpriv.gosu <user> <command>still drops to the target user before exec.Container build update
Targeted coverage
postgres.