The ARM64 runner cannot reliably start PostgreSQL containers and apply
migrations within the test timeouts. Exclude the three Testcontainers
collections from pr-checks.yml while keeping all unit tests and SAST
builds. Integration tests remain runnable locally and via dotnet test.
Slow ARM64 runners hit the default timeout while downloading the Trivy
checks bundle and analyzing workflow YAML files. Extend the timeout so
PR checks can complete reliably.
Trivy install keeps failing on the deploy workflow:
- empty TAG: install.sh falls back to 'latest', but the
'latest' GitHub release tag is no longer published.
- pin v0.71.0: pin alone is not durable. The release got
unpublished and install.sh now dies with
'unable to find v0.71.0 - use latest'.
Switch to the official aquasec/trivy Docker image:
- Docker Hub tags are content-addressed and rarely removed,
so the pin is durable.
- The image manifest ships linux/amd64, linux/arm64, linux/ppc64le
and linux/s390x, so the same tag works on the GitHub-hosted
runner and on the ARM64 Pi runner.
- We just need docker pull + docker cp /usr/local/bin/trivy.
- Pinned to 0.70.0 (April 2026) for reasonably current CVE data.
Also normalize .gitignore to plain UTF-8. The working copy had
been re-saved as UTF-16 LE by a Set-Content call without
-Encoding UTF8 (PowerShell 5.1 default on the local Windows box),
so git kept reporting 'Binary files differ' even though the rules
themselves were fine. Re-wrote through the editor to drop the
UTF-16 encoding and added rules for showcase-*.png, *.png.local,
and the test scratch dirs that keep creeping in.
The previous 'curl ... | sh -s -- -b /usr/local/bin' call passed no
positional tag, so the install script fell back to the GitHub 'latest'
tag. aquasecurity/trivy no longer publishes a 'latest' release tag, so
the CI failed at 'Install Trivy' with:
aquasecurity/trivy crit unable to find '' - use 'latest' or see ...
This blocked the entire 3.9.1 hotfix deploy: build-and-push succeeded
(3 fresh 3.9.1 images pushed to git.codeanddice.ru), but scan-images
never ran and deploy was skipped. Production still runs 3.9.0 with the
broken wizard.
Pass 'v0.71.0' as the positional tag; v0.71.0 has Linux-ARM64 and
Linux-AMD64 builds so both the deploy runner (RPi 5) and pr-checks
runner pick the right tarball.
Add a separate GmRelay.DiscordBot worker using NetCord Gateway with startup token validation, PostgreSQL datasource registration, slash-command setup, component interaction service registration, and lifecycle logging.
Wire the Discord service through Aspire AppHost, Docker Compose, PR checks, deploy image build/push/scan/pull steps, README docs, and synchronized version 2.2.0.
Add TDD coverage for project isolation, token validation, startup wiring, runtime wiring, and version synchronization.
Bump version -> 2.2.0
- SecurityCodeScan.VS2019 5.6.7 injected into Directory.Build.props
scans all C# source during every dotnet build
- HIGH/CRITICAL findings fail the build because TreatWarningsAsErrors=true
- No extra CI step needed: analyzer runs inside every build job automatically
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- PR checks: filesystem scan with Trivy (vuln, secret, misconfig)
- Deploy pipeline: image scan for bot and web containers before deploy
- Scans entire repository, not filtered file subsets
- Bump version -> 1.14.0
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Enable NuGet lock files so Trivy has dependency targets, fail PR checks when no lock files or language-specific files are detected, and let the installer fetch the latest Trivy release.
Toutsu
Hermes Agent