From a94686bb7864b8e4213371a79e3b759c330c54aa Mon Sep 17 00:00:00 2001 From: Manuel Raynaud Date: Mon, 31 Mar 2025 18:56:01 +0200 Subject: [PATCH 1/2] =?UTF-8?q?=F0=9F=94=A5(ci)=20force=20ci=20to=20fails?= =?UTF-8?q?=20if=20trivy=20fails?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If trivy fails we must stop the CI to avoid publishing images with security issues. --- .github/workflows/docker-hub.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/docker-hub.yml b/.github/workflows/docker-hub.yml index 196a3f0e9..84b23c7e0 100644 --- a/.github/workflows/docker-hub.yml +++ b/.github/workflows/docker-hub.yml @@ -11,6 +11,7 @@ on: pull_request: branches: - 'main' + - 'ci/trivy-fails' env: DOCKER_USER: 1001:127 @@ -38,7 +39,6 @@ jobs: with: docker-build-args: '--target backend-production -f Dockerfile' docker-image-name: 'docker.io/lasuite/impress-backend:${{ github.sha }}' - continue-on-error: true - name: Build and push uses: docker/build-push-action@v6 @@ -72,7 +72,6 @@ jobs: with: docker-build-args: '-f src/frontend/Dockerfile --target frontend-production' docker-image-name: 'docker.io/lasuite/impress-frontend:${{ github.sha }}' - continue-on-error: true - name: Build and push uses: docker/build-push-action@v6 @@ -106,8 +105,7 @@ jobs: uses: numerique-gouv/action-trivy-cache@main with: docker-build-args: '-f src/frontend/servers/y-provider/Dockerfile --target y-provider' - docker-image-name: 'docker.io/lasuite/impress-frontend:${{ github.sha }}' - continue-on-error: true + docker-image-name: 'docker.io/lasuite/impress-y-provider:${{ github.sha }}' - name: Build and push uses: docker/build-push-action@v6 From 4337772393b2ae414004c36a265348e3c82b9ae3 Mon Sep 17 00:00:00 2001 
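Review bot: The `- 'ci/trivy-fails'` entry added to the `pull_request` branch filter looks like a temporary trigger for testing this change on its own branch and should be removed before merge, otherwise the publish workflow keeps a stale branch name in its trigger list. If the intent is to run the Trivy gate on every pull request regardless of target branch, drop the `branches` filter rather than listing branches one by one. The enclosing `on:` mapping starts outside this hunk.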
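Review bot: Removing `continue-on-error: true` only makes this step block publishing if the action itself exits non-zero on findings, and nothing in the `with:` block sets a severity or exit-code threshold, so the gate is whatever `action-trivy-cache` defaults to; worth confirming with a deliberately vulnerable build before relying on it. The `docker-build-args` and `docker-image-name` here also appear to be hand-duplicated from the `Build and push` step that follows, which is exactly how the y-provider scan ended up using the wrong image name in the last hunk of this file. Defining the image once, e.g. `IMAGE: docker.io/lasuite/impress-backend:${{ github.sha }}` in the job `env` and referencing `${{ env.IMAGE }}` in both steps, keeps the scanned and the published image the same. The build-push step's `tags:` line is outside this hunk, so the assumption that it uses the same name is inferred, not seen.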
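Review bot: Now that this scan step blocks image publication, `uses: numerique-gouv/action-trivy-cache@main` pins a security gate to a mutable branch: any push to that action's `main` (a relaxed severity threshold, an added ignore file, or a compromised repository) silently changes what gets published, with no diff in this repository. Pin it to a full commit SHA with a readable version comment, e.g. `uses: numerique-gouv/action-trivy-cache@<full-40-char-sha> # v1.2.0`, and let Dependabot or Renovate propose bumps. The corrected `impress-y-provider` image name should also match the tag used by the `Build and push` step below this hunk, which is not visible here.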
From: Manuel Raynaud Date: Mon, 31 Mar 2025 20:25:00 +0200 Subject: [PATCH 2/2] =?UTF-8?q?=F0=9F=94=A5(y-provider)=20remove=20npm=20i?= =?UTF-8?q?n=20docker=20image?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We use yarn and not npm, so we remove npm: it has a dependency on cross-spawn, which has a CVE. --- src/frontend/servers/y-provider/Dockerfile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/frontend/servers/y-provider/Dockerfile b/src/frontend/servers/y-provider/Dockerfile index 7ed5a2e70..2e16bdd5d 100644 --- a/src/frontend/servers/y-provider/Dockerfile +++ b/src/frontend/servers/y-provider/Dockerfile @@ -31,6 +31,9 @@ COPY --from=y-provider-builder \ RUN NODE_ENV=production yarn install --frozen-lockfile +# Remove npm, contains CVE related to cross-spawn and we don't use it. +RUN rm -rf /usr/local/bin/npm /usr/local/lib/node_modules/npm + # Un-privileged user running the application ARG DOCKER_USER USER ${DOCKER_USER}
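Review bot: `rm -rf /usr/local/bin/npm /usr/local/lib/node_modules/npm` removes npm but not the `npx` wrapper; in the official node images `/usr/local/bin/npx` is a symlink into `/usr/local/lib/node_modules/npm`, so it would be left dangling — if that is the base image here, use `RUN rm -rf /usr/local/bin/npm /usr/local/bin/npx /usr/local/lib/node_modules/npm`. This only deletes npm's bundled copy of cross-spawn; a copy pulled in transitively by the `yarn install --frozen-lockfile` above would still be flagged, so the fix should be confirmed against a Trivy run of the resulting image rather than assumed. The comment should also name the CVE identifier being worked around so the removal can be dropped once the base image ships a patched npm, e.g. `# Remove npm (unused here; its bundled cross-spawn is flagged for CVE-XXXX-XXXXX). Drop once the base image ships a fixed npm.`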