
feat: GitHub Actions CI/CD pipeline — Week 5 complete#22

Merged
JashwanthMU merged 4 commits into develop from feature/github-actions-ci on May 28, 2026

Conversation

@JashwanthMU (Member) commented May 28, 2026

What does this PR do?

fix: pin stable package versions for Docker build

  • python-jose==3.4.0: fixes CVE-2024-33663 (algorithm confusion)
  • SQLAlchemy==2.0.36: avoids Docker pip mirror lag on 2.0.49
  • Removed unused transitive dependencies
  • Added python-multipart==0.0.20 for FastAPI form support

How to test it?

tested

Checklist

  • I tested this locally
  • I wrote or updated relevant docs
  • No secrets or passwords in this code
  • My teammate reviewed this

Week / Phase

week-5 CI/CD phase

Trivy was blocking on OS-level CVEs with no available fix.
- ignore-unfixed: true skips CVEs where no patch exists yet
- .trivyignore: empty file ready for future CVE exceptions
- vuln-type: os,library for complete coverage

Security gate still blocks on fixable CRITICAL CVEs
Trivy CRITICAL finding: CVE-2024-33663
python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA
Fixed in python-jose 3.4.0
https://avd.aquasec.com/nvd/cve-2024-33663
- python-jose==3.4.0: fixes CVE-2024-33663 (algorithm confusion)
- SQLAlchemy==2.0.36: avoids Docker pip mirror lag on 2.0.49
- Removed unused transitive dependencies
- Added python-multipart==0.0.20 for FastAPI form support
- fastapi==0.115.12 + starlette compatible version
- sqlalchemy==2.0.41 (latest stable, available on all pip mirrors)
- Added httpx and pytest to requirements for CI test runner
- Removed version conflicts between starlette/fastapi/pydantic
@JashwanthMU JashwanthMU merged commit ce235f4 into develop May 28, 2026
6 checks passed
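The commits above describe the Trivy gate's policy in three settings (`ignore-unfixed: true`, an empty `.trivyignore`, and a block on fixable CRITICAL findings such as CVE-2024-33663 in python-jose 3.3.0). The script below is an added example, not code from this PR or from Trivy; it replays that policy over a Trivy-style JSON report so the edge cases are visible: an unfixed CRITICAL is reported but does not fail the build, an ID listed in `.trivyignore` is excluded, and a fixable CRITICAL fails it. The report is constructed for the example; `CVE-EXAMPLE-UNFIXED` is a placeholder, not a real identifier, and the `GateResult`, `parse_trivyignore` and `gate` names are this example's own.

```python
"""Replay the PR's Trivy gate policy over a Trivy-style JSON report.

Added example (not the project's or Trivy's code). Mirrors the semantics of
`--ignore-unfixed`, `--severity CRITICAL`, `--exit-code 1` and `.trivyignore`
as a small, testable function, so the "skipped vs. blocking" split is explicit.
"""
import json
from dataclasses import dataclass, field

# Constructed report in Trivy's JSON layout (Results[].Vulnerabilities[]).
# CVE-2024-33663 / python-jose 3.3.0 -> 3.4.0 is the finding named in the PR.
# "CVE-EXAMPLE-UNFIXED" is a placeholder ID standing in for an OS-level CVE
# with no FixedVersion yet; it is not a real CVE.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "app (debian 12)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-EXAMPLE-UNFIXED", "PkgName": "libexample1",
              "InstalledVersion": "1.0-1", "FixedVersion": "", "Severity": "CRITICAL"},
         ]},
        {"Target": "requirements.txt", "Class": "lang-pkgs", "Type": "pip",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2024-33663", "PkgName": "python-jose",
              "InstalledVersion": "3.3.0", "FixedVersion": "3.4.0", "Severity": "CRITICAL"},
         ]},
        {"Target": "app/static", "Class": "lang-pkgs", "Type": "npm"},  # no findings key
    ]
})


@dataclass
class GateResult:
    blocking: list = field(default_factory=list)         # fixable, gated severity, not ignored
    skipped_unfixed: list = field(default_factory=list)  # no FixedVersion: hidden by ignore-unfixed
    ignored: list = field(default_factory=list)          # listed in .trivyignore

    @property
    def exit_code(self) -> int:
        """1 when anything blocks, matching `exit-code: 1` in the CI step."""
        return 1 if self.blocking else 0


def parse_trivyignore(text: str) -> set:
    """One vulnerability ID per line; '#' starts a comment; blank lines ignored.
    Only the first token is taken, so a trailing 'exp:YYYY-MM-DD' expiry
    annotation is tolerated but not enforced here."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line.split()[0])
    return ids


def gate(report_json: str, trivyignore_text: str = "",
         severities=("CRITICAL",), ignore_unfixed: bool = True) -> GateResult:
    """Classify every finding of a gated severity into blocking / skipped / ignored."""
    report = json.loads(report_json)
    ignored_ids = parse_trivyignore(trivyignore_text)
    result = GateResult()
    for res in report.get("Results", []):
        for vuln in res.get("Vulnerabilities") or []:   # key absent when a target is clean
            if vuln.get("Severity") not in severities:
                continue
            vid = vuln["VulnerabilityID"]
            if vid in ignored_ids:
                result.ignored.append(vid)
            elif ignore_unfixed and not vuln.get("FixedVersion"):
                result.skipped_unfixed.append(vid)
            else:
                result.blocking.append(vid)
    return result


if __name__ == "__main__":
    res = gate(SAMPLE_REPORT)
    print("blocking (fail build):", res.blocking)
    print("skipped, no fix available:", res.skipped_unfixed)
    print("exit code:", res.exit_code)
```

The `skipped_unfixed` list is the part `ignore-unfixed: true` makes invisible in CI; a practitioner would still surface it (for example in a non-gating report step) so that unpatched OS CVEs are tracked rather than forgotten, and would add an expiry comment beside any ID placed in `.trivyignore`.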
