Skip to content

ci: consolidate fix/dont_block_on_trivy onto main (Trivy stays blocking)#29

Merged
geekbrother merged 8 commits into
mainfrom
ci/enable-trivy-blocking
Jul 13, 2026
Merged

ci: consolidate fix/dont_block_on_trivy onto main (Trivy stays blocking)#29
geekbrother merged 8 commits into
mainfrom
ci/enable-trivy-blocking

Conversation

@geekbrother

Copy link
Copy Markdown
Member

Why

Consolidates the fix/dont_block_on_trivy integration branch onto main with Trivy IaC scanning left blocking. That branch has been serving two purposes at once: it carries several real CI improvements and a temporary exit-code: '0' hack that made the Trivy IaC scan non-blocking. Consumers (e.g. WalletConnect/pay-core) pin to it to get the improvements and inherit the non-blocking scan as a side effect.

This PR lands the improvements on main and drops only the non-blocking hack, so main ends up with everything and Trivy stays enforced (ci-check-infra.yml exit-code: '1', unchanged from main).

What's included (net diff vs main)

File Change Source commit
ci-check-app.yml Migrate app-check Rust caching to Swatinem/rust-cache; opt-in mold linker for test jobs 8e45e9e6, 5721318b
release-app.yml Build the release image once, push per-env (no double compile) 88181667
ci.yml Wiring for the above
ci-check-infra.yml No net change — the exit-code 1→0 commit (aa7ad636) is reverted here, so Trivy stays blocking revert of aa7ad636

Also incorporates already-merged fixes that were on the branch: cargo-deny plural check licenses (f8aafb94).

Coordordination

  • Pairs with WalletConnect/pay-core PR #1126, which adds a repo-root .trivyignore suppressing the 7 HIGH IaC findings (all dev-only / documented false positives) so pay-core's terraform/ passes the now-blocking scan. Verified locally: trivy config terraform --severity HIGH,CRITICAL --skip-dirs .terraform --exit-code 1 → exit 0.
  • Merge order: this PR first, then pay-core #1126 (which repoints pay-core's reusable-workflow pins from @fix/dont_block_on_trivy / @ci/swatinem-rust-cache to @main).
  • Note for maintainers: open PR ci(cd): opt-in re-run-safe freshness guard on the apply steps #27 (ci/deploy-freshness-guard) is stacked on fix/dont_block_on_trivy; after this lands on main, retarget it to main. Once consumers are off fix/dont_block_on_trivy, that branch can be deleted.

Draft pending review of the bundled improvements and confirmation of the merge order with pay-core #1126.

geekbrother and others added 8 commits March 25, 2026 22:07
Replace the per-job hand-rolled actions/cache (restore + "clean target
if Cargo.lock changed" + save), keyed only on Cargo.lock, with
Swatinem/rust-cache in clippy / tests / tests-suites / unused-deps.

- Each job uses a Swatinem shared-key (clippy, tests, tests-suites,
  unused-deps) and maps the existing knobs: prefix-key <-
  rust-cache-prefix, save-if <- rust-cache-save. Swatinem keys on
  rustc + Cargo.lock + workspace and prunes stale workspace artifacts
  before saving, fixing the immutable-cache staleness of a
  Cargo.lock-only key.
- Formatting job no longer caches anything: `cargo fmt -- --check`
  does not compile, so restoring/saving ~/.cargo + target/ was pure
  waste.
- sccache steps removed: no persistent backend was ever configured
  (the object store was not cached), so it gave no cross-run benefit
  and disabled incremental compilation, fighting the target/ cache.
  The `use-sccache` input is kept (deprecated, no-op) so existing
  callers and ci.yml don't break.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
mold is a linker, so it only helps jobs that link a binary — tests and
tests-suites, not clippy (check-only) or formatting (no compile). Add a
`use-mold` input (default false) and, when enabled, install mold+clang and set
RUSTFLAGS before the Swatinem cache step (so the linker flags are part of the
cache key) in those two jobs only.

Opt-in by default because this is a shared workflow: mold cannot read ThinLTO
bitcode objects without the LLVM plugin, so `cargo test --release` / LTO test
builds would fail at link time. Plumb the matching `rust-use-mold` input
through ci.yml.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
release-app.yml previously published via a parallel matrix over publish-envs,
with each env (Staging, Prod) running build-publish.yml — a full Docker
compile. Because the legs ran in parallel they couldn't share the gha layer
cache, so the identical image was compiled twice (~2x the slowest build).

Restructure into build-once / push-per-env (same pattern as pay-core's canary
image):
- `build`: compiles the image once on the configurable run-label runner and
  exports it to a tarball artifact (gha layer cache retained).
- `publish` (matrix per env): downloads the tarball, docker load, then tags +
  pushes to that env's ECR (its own role) and GHCR. No compile — runs on
  ubuntu-latest. Env config is injected at runtime in ECS, so the image is
  identical across envs.

build-publish.yml is left in place for any direct callers.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ci: Swatinem caching + opt-in mold + build-once release image
cargo-deny-action@v2 bundles cargo-deny 0.20.2, which dropped the
singular `license` alias for the check subcommand. The Licenses job
invoked `cargo deny check license`, which now fails to parse before
deny.toml is ever read:

    error: invalid value 'license' for '[WHICH]...'

Use the plural `licenses` value that 0.20.x expects. Unblocks every PR
whose CI schedules the Licenses job (e.g. WalletConnect/pay-core).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
fix(ci): use plural `check licenses` for cargo-deny
@geekbrother geekbrother self-assigned this Jul 13, 2026
@geekbrother geekbrother requested a review from chris13524 July 13, 2026 14:14
@geekbrother geekbrother marked this pull request as ready for review July 13, 2026 14:16
@geekbrother geekbrother merged commit f8a3f8b into main Jul 13, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants