fix(ci): use lowercase owner in Trivy image-ref so staging scan can run#1050
Merged
Conversation
…an run
The Deploy Staging workflow fails on every push to main at the Trivy scan:
FATAL run error: image scan error: ... failed to parse the image name:
could not parse reference:
ghcr.io/LabsCrypt/remitlend-backend:staging-<sha>
The images are built and pushed with ${{ env.OWNER_LC }} (lowercase, as OCI
requires), but the two Trivy steps referenced the image via
${{ github.repository_owner }}, which is "LabsCrypt" with capitals. OCI image
references must be lowercase, so Trivy could not parse the reference and exited
1; the CRITICAL step was then skipped and the upload-sarif step failed with
"Path does not exist: trivy-results.sarif".
Point both Trivy image-ref values at ${{ env.OWNER_LC }} so they match the
pushed tags and the scan can actually run.
This was referenced Jun 1, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
The Deploy Staging workflow (the remaining red check on
main) fails on every push at the Trivy scan:The images are built and pushed with
${{ env.OWNER_LC }}(lowercase, as OCI requires), but the two Trivy steps referenced the image via${{ github.repository_owner }}=LabsCrypt(capitals). OCI image references must be lowercase, so Trivy can't parse the reference, exits 1, the CRITICAL step is skipped, and the upload step fails withPath does not exist: trivy-results.sarif.Fix
Point both Trivy
image-refvalues at${{ env.OWNER_LC }}so they match the pushed tags and the scan can actually run.Note on verification
This workflow only triggers on
pushtomain, so it can't run on this PR — it'll first execute on the post-merge run onmain. The change is isolated to the Deploy Staging workflow and cannot affect the PR-gating RemitLend CI job.