From 30fa99a71782a16c949f1717d7070f80880237c4 Mon Sep 17 00:00:00 2001
From: Barcode Betty <32+cs_betty@noreply.git.farh.net>
Date: Tue, 23 Jun 2026 02:39:55 +0000
Subject: [PATCH] ci(auth): add Grype scan step; document provenance/sbom OCI referrer limitation (CAR-1446)

- Insert anchore/scan-action@v5 step between Build and Push
- severity-cutoff: high, only-fixed: true (matches monorepo pattern)
- Add inline comment on provenance:false/sbom:false explaining OCI distribution spec >=1.1 limitation on git.farh.net registry

Co-Authored-By: Paperclip
---
 .gitea/workflows/ci.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 9a02ee6..fc237e8 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -67,11 +67,28 @@ jobs:
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
 
+      - name: Scan Docker image
+        uses: anchore/scan-action@v5
+        id: scan
+        env:
+          GRYPE_CONFIG: .grype.yaml
+        with:
+          image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}"
+          fail-build: true
+          severity-cutoff: high
+          only-fixed: "true"
+          output-format: sarif
+
       - name: Push Docker image
         uses: docker/build-push-action@v6
         with:
           context: .
           push: true
+          # CAR-1446: git.farh.net does not support OCI referrers (distribution spec
+          # >=1.1 required for attestation push). Enabling provenance:true/sbom:true
+          # would cause the push to fail on the referrer PUT. The Grype scan step
+          # above is the compensating control — it fails the build on any unfixed
+          # high-severity CVE before the image reaches the registry.
           provenance: false
           sbom: false
           tags: ${{ steps.meta.outputs.tags }}
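Review bot: The scan step's `image:` is a registry reference, `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}`, yet the step runs before "Push Docker image", so unless the Build step (whose `with:` begins above this hunk) loads the freshly built image into the local daemon under exactly that tag (e.g. `load: true`), Grype will likely try to pull it from git.farh.net and either fail or, on a re-run of an already-pushed commit, scan the previously pushed image rather than the one just built — which would make the "before the image reaches the registry" claim in the new comment untrue. That comment also overstates the control: with `only-fixed: "true"` Grype ignores vulnerabilities that have no fix available, so the last two comment lines should read `# above is the compensating control — it fails the build on any fixable` / `# high-or-critical-severity vulnerability before the image reaches the registry.` The SARIF produced by `output-format: sarif` is not retained by any step; an `actions/upload-artifact` step with `if: always()` directly after the scan would keep the report when `fail-build: true` stops the job. Minor style point: `only-fixed: "true"` is quoted while `fail-build: true` is bare — both are passed as strings to the action, but pick one form.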