warn on vulnerabilities only for dev builds (#2654)

t-aleksander · web-flow · commit f31f074b7499 · 2026-04-08T15:52:15.000+02:00
diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
@@ -11,6 +11,11 @@ on:
         description: "List of flavors as key-value pair attributes"
         required: false
         type: string
+      trivy-exit-code:
+        description: "Exit code for Trivy when vulnerabilities are found (0 = warn only, 1 = fail)"
+        required: false
+        type: string
+        default: "1"
 
 env:
   GHCR_REPO: ghcr.io/defguard/defguard
@@ -79,7 +84,7 @@ jobs:
         with:
           image-ref: "${{ env.GHCR_REPO }}:${{ github.sha }}-${{ matrix.tag }}"
           format: "table"
-          exit-code: "1"
+          exit-code: ${{ inputs.trivy-exit-code }}
           ignore-unfixed: true
           vuln-type: "os,library"
           severity: "CRITICAL,HIGH,MEDIUM"
diff --git a/.github/workflows/current.yml b/.github/workflows/current.yml
@@ -24,6 +24,7 @@ jobs:
       tags: |
         type=ref,event=branch
         type=sha
+      trivy-exit-code: "0"
 
   trigger-e2e:
     needs: build-current
