Filter some images from signing (#609)

adimoft · web-flow · commit 7cc3ddc76986 · 2026-03-18T10:16:50.000+02:00
diff --git a/.github/workflows/post-merge-admin.yml b/.github/workflows/post-merge-admin.yml
@@ -38,7 +38,14 @@ jobs:
       prefix_tag_separator: "/"
       project_folder: apps/admin
       run_version_dev: true
-      trivy_image_skip: "ghcr.io/dependabot/dependabot-updater-core:latest"
+      trivy_image_skip: |
+        ghcr.io/dependabot/dependabot-updater-core:latest,
+        ghcr.io/github/github-mcp-server:latest,
+        ghcr.io/github/gh-aw-mcpg:latest,
+        ghcr.io/github/gh-aw-firewall/agent:latest,
+        ghcr.io/github/gh-aw-firewall/api-proxy:latest,
+        ghcr.io/github/gh-aw-firewall/squid:latest,
+        debian@sha256:0a5bf4ecacfc050bad0131c8e1401063fd1e8343a418723f6dbd3cd13a7b9e33
     secrets:
       SYS_EMF_GH_TOKEN: ${{ secrets.SYS_EMF_GH_TOKEN }}
       NO_AUTH_ECR_PUSH_USERNAME: ${{ secrets.NO_AUTH_ECR_PUSH_USERNAME }}
diff --git a/.github/workflows/post-merge-app-orch.yml b/.github/workflows/post-merge-app-orch.yml
@@ -38,7 +38,14 @@ jobs:
       prefix_tag_separator: "/"
       project_folder: apps/app-orch
       run_version_dev: true
-      trivy_image_skip: "ghcr.io/dependabot/dependabot-updater-core:latest"
+      trivy_image_skip: |
+        ghcr.io/dependabot/dependabot-updater-core:latest,
+        ghcr.io/github/github-mcp-server:latest,
+        ghcr.io/github/gh-aw-mcpg:latest,
+        ghcr.io/github/gh-aw-firewall/agent:latest,
+        ghcr.io/github/gh-aw-firewall/api-proxy:latest,
+        ghcr.io/github/gh-aw-firewall/squid:latest,
+        debian@sha256:0a5bf4ecacfc050bad0131c8e1401063fd1e8343a418723f6dbd3cd13a7b9e33
     secrets:
       SYS_EMF_GH_TOKEN: ${{ secrets.SYS_EMF_GH_TOKEN }}
       NO_AUTH_ECR_PUSH_USERNAME: ${{ secrets.NO_AUTH_ECR_PUSH_USERNAME }}
diff --git a/.github/workflows/post-merge-cluster-orch.yml b/.github/workflows/post-merge-cluster-orch.yml
@@ -38,7 +38,14 @@ jobs:
       prefix_tag_separator: "/"
       project_folder: apps/cluster-orch
       run_version_dev: true
-      trivy_image_skip: "ghcr.io/dependabot/dependabot-updater-core:latest"
+      trivy_image_skip: |
+        ghcr.io/dependabot/dependabot-updater-core:latest,
+        ghcr.io/github/github-mcp-server:latest,
+        ghcr.io/github/gh-aw-mcpg:latest,
+        ghcr.io/github/gh-aw-firewall/agent:latest,
+        ghcr.io/github/gh-aw-firewall/api-proxy:latest,
+        ghcr.io/github/gh-aw-firewall/squid:latest,
+        debian@sha256:0a5bf4ecacfc050bad0131c8e1401063fd1e8343a418723f6dbd3cd13a7b9e33
     secrets:
       SYS_EMF_GH_TOKEN: ${{ secrets.SYS_EMF_GH_TOKEN }}
       NO_AUTH_ECR_PUSH_USERNAME: ${{ secrets.NO_AUTH_ECR_PUSH_USERNAME }}
diff --git a/.github/workflows/post-merge-infra.yml b/.github/workflows/post-merge-infra.yml
@@ -38,7 +38,14 @@ jobs:
       prefix_tag_separator: "/"
       project_folder: apps/infra
       run_version_dev: true
-      trivy_image_skip: "ghcr.io/dependabot/dependabot-updater-core:latest"
+      trivy_image_skip: |
+        ghcr.io/dependabot/dependabot-updater-core:latest,
+        ghcr.io/github/github-mcp-server:latest,
+        ghcr.io/github/gh-aw-mcpg:latest,
+        ghcr.io/github/gh-aw-firewall/agent:latest,
+        ghcr.io/github/gh-aw-firewall/api-proxy:latest,
+        ghcr.io/github/gh-aw-firewall/squid:latest,
+        debian@sha256:0a5bf4ecacfc050bad0131c8e1401063fd1e8343a418723f6dbd3cd13a7b9e33
     secrets:
       SYS_EMF_GH_TOKEN: ${{ secrets.SYS_EMF_GH_TOKEN }}
       NO_AUTH_ECR_PUSH_USERNAME: ${{ secrets.NO_AUTH_ECR_PUSH_USERNAME }}
diff --git a/.github/workflows/post-merge-root.yml b/.github/workflows/post-merge-root.yml
@@ -38,7 +38,14 @@ jobs:
       prefix_tag_separator: "/"
       project_folder: apps/root
       run_version_dev: true
-      trivy_image_skip: "ghcr.io/dependabot/dependabot-updater-core:latest"
+      trivy_image_skip: |
+        ghcr.io/dependabot/dependabot-updater-core:latest,
+        ghcr.io/github/github-mcp-server:latest,
+        ghcr.io/github/gh-aw-mcpg:latest,
+        ghcr.io/github/gh-aw-firewall/agent:latest,
+        ghcr.io/github/gh-aw-firewall/api-proxy:latest,
+        ghcr.io/github/gh-aw-firewall/squid:latest,
+        debian@sha256:0a5bf4ecacfc050bad0131c8e1401063fd1e8343a418723f6dbd3cd13a7b9e33
     secrets:
       SYS_EMF_GH_TOKEN: ${{ secrets.SYS_EMF_GH_TOKEN }}
       NO_AUTH_ECR_PUSH_USERNAME: ${{ secrets.NO_AUTH_ECR_PUSH_USERNAME }}
diff --git a/.github/workflows/post-merge-tests.yml b/.github/workflows/post-merge-tests.yml
@@ -37,7 +37,14 @@ jobs:
       run_version_dev: true
       prefix_tag_separator: "/"
       project_folder: tests
-      trivy_image_skip: "ghcr.io/dependabot/dependabot-updater-core:latest"
+      trivy_image_skip: |
+        ghcr.io/dependabot/dependabot-updater-core:latest,
+        ghcr.io/github/github-mcp-server:latest,
+        ghcr.io/github/gh-aw-mcpg:latest,
+        ghcr.io/github/gh-aw-firewall/agent:latest,
+        ghcr.io/github/gh-aw-firewall/api-proxy:latest,
+        ghcr.io/github/gh-aw-firewall/squid:latest,
+        debian@sha256:0a5bf4ecacfc050bad0131c8e1401063fd1e8343a418723f6dbd3cd13a7b9e33
     secrets:
       SYS_EMF_GH_TOKEN: ${{ secrets.SYS_EMF_GH_TOKEN }}
       NO_AUTH_ECR_PUSH_USERNAME: ${{ secrets.NO_AUTH_ECR_PUSH_USERNAME }}
