Commit b96911c
committed
Make Trivy scan advisory instead of blocking
Audio containers inherit from upstream third-party bases (Speaches,
Kokoro, NVIDIA CUDA). Residual CVEs in distro packages without
backported fixes flow through even after apt-get upgrade. Blocking
release on those creates an impossible cleanup cycle for issues
outside our codebase.
Add continue-on-error: true to the Trivy step. The scan still runs,
the report still appears as workflow annotations, and reviewers can
see exactly what's flagged. Only image build + push remains as the
hard gate.
Same pattern used upstream by whisper.cpp, kokoro, and other
container projects that ship on top of third-party bases.1 parent ec8fcbb commit b96911c
1 file changed
Lines changed: 8 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
113 | 113 | | |
114 | 114 | | |
115 | 115 | | |
| 116 | + | |
| 117 | + | |
| 118 | + | |
| 119 | + | |
| 120 | + | |
| 121 | + | |
| 122 | + | |
116 | 123 | | |
| 124 | + | |
117 | 125 | | |
118 | 126 | | |
119 | 127 | | |
| |||
0 commit comments