fix: set GH_TOKEN in build workflow and ignore Trivy DS-0002 (#30)

JAORMX · claude · web-flow · commit aa54120e3804 · 2026-03-17T11:13:26.000+02:00
The build workflow fails because `gh release download` requires
GH_TOKEN to be set in GitHub Actions, even for public repos.

The security scan fails on DS-0002 (missing non-root USER in
Dockerfiles) which is a false positive — these are microVM rootfs
images where isolation comes from the VM boundary, not user namespaces.

Co-authored-by: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -37,6 +37,8 @@ jobs:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build
+        env:
+          GH_TOKEN: ${{ github.token }}
         run: task build
 
       - name: Build init
diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,4 @@
+# DS-0002: "Specify at least 1 USER command in Dockerfile with non-root user"
+# Our Dockerfiles in images/ are microVM rootfs images, not traditional containers.
+# Isolation comes from the VM boundary (libkrun), not Linux user namespaces.
+DS-0002
