ci: harden release pipeline and pin tooling

Un-neuter grype CVE gate (was || echo, now fails on critical).
Add .grype.yaml with ignore for CVE-2026-41589 (wish SCP —
unreachable, we only import wish/bubbletea).

Pin: grype v0.114.0, git-cliff v2.13.1, govulncheck v1.1.4.
Tag `latest` only on tag push, not workflow_dispatch.
Build path ./cmd/uptop (survives a main.go split).
Add dist/ and uptop to .dockerignore.
2026-06-11 13:03:53 -04:00
parent 92efb8e270
commit d1ab842283
7 changed files with 23 additions and 11 deletions
@@ -10,3 +10,5 @@ vendor/
*.local
.env
.github/
dist/
uptop
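Review bot: the new `uptop` entry on the last line of this hunk shares its name with the source directory the commit message builds from (`./cmd/uptop`), so it needs a short comment saying it refers to the built binary at the context root. .dockerignore patterns are matched from the context root, so as written it leaves `cmd/uptop` alone, but a later "tidy-up" to `**/uptop` would silently drop the source from the build context. Writing it as `/uptop` with a one-line comment above it would make the intent explicit; the same applies to `dist/` if release artifacts are only ever written at the root.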