From 14c191ccb7fa10566e13ee169e676059d9552a2e Mon Sep 17 00:00:00 2001
From: Samuel Bailey
Date: Thu, 26 Mar 2026 16:14:04 -0500
Subject: [PATCH 1/2] fix: replace AWS CLI symlink COPY with explicit ln -sf in final stage

The AWS CLI installer creates symlinks in /usr/local/bin pointing at /opt/aws-cli/v2/current/bin/{aws,aws_completer}. When these are transferred between multi-stage build layers via COPY, the symlink targets must already exist at copy time or BuildKit may not resolve them correctly across all builder backends. Drop the two COPY lines for the wrapper symlinks and instead run `ln -sf` in the final stage after /opt/aws-cli has been copied, guaranteeing that the symlinks are created against the actual installation directory present in the final image.
---
 Dockerfile | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 65cf959..549406f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -174,8 +174,14 @@ RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
 # --- Copy binaries from downloader stage ---
 COPY --from=downloader /opt/aws-cli /opt/aws-cli
-COPY --from=downloader /usr/local/bin/aws /usr/local/bin/aws
-COPY --from=downloader /usr/local/bin/aws_completer /usr/local/bin/aws_completer
+# Re-create the AWS CLI wrapper symlinks in the final stage.
+# The installer writes relative symlinks into /usr/local/bin pointing at
+# /opt/aws-cli/v2/current/bin/*. Docker COPY preserves symlink targets
+# verbatim, so those paths must exist in the final image — which they do
+# because we copied /opt/aws-cli above. We still re-create them with ln -sf
+# to be explicit and ensure correctness regardless of builder behaviour.
+RUN ln -sf /opt/aws-cli/v2/current/bin/aws /usr/local/bin/aws \
+ && ln -sf /opt/aws-cli/v2/current/bin/aws_completer /usr/local/bin/aws_completer
 COPY --from=downloader /opt/google-cloud-sdk /opt/google-cloud-sdk
 COPY --from=downloader /usr/local/bin/vault /usr/local/bin/vault
 COPY --from=downloader /usr/local/go /usr/local/go

From 8ac5d9ed7060dac3e9800c6412e49baa9ed4cc38 Mon Sep 17 00:00:00 2001
From: Samuel Bailey
Date: Thu, 26 Mar 2026 16:14:08 -0500
Subject: [PATCH 2/2] fix: update trivy-action from 0.28.0 to v0.35.0

aquasecurity/trivy-action@0.28.0 is not a valid release tag and fails to resolve in Actions. The latest published release is v0.35.0; bump the pinned version to match.
---
 .github/workflows/build.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 1ded6d8..ec5a976 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -102,7 +102,7 @@ jobs:
 - uses: actions/checkout@v4
 - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@0.28.0
+ uses: aquasecurity/trivy-action@v0.35.0
 with:
 image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.build.outputs.digest }}
 format: sarif
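Review bot: Nothing in the new `RUN` verifies that the recreated links actually resolve — `ln -sf` succeeds even when `/opt/aws-cli/v2/current/bin/aws` is missing from the copied tree, so an incomplete `/opt/aws-cli` copy would only surface when a container first runs `aws`. Appending `&& /usr/local/bin/aws --version` to the same `RUN` makes the build fail on a dangling link instead. The new comment also describes the installer's links as relative while the `ln -sf` lines below create absolute ones, so comment and code disagree about what the image contains; `# Point /usr/local/bin/{aws,aws_completer} at the copied /opt/aws-cli tree with absolute symlinks.` would describe the new state. The final stage extends beyond this hunk in both directions, so the base image and any `USER` switch cannot be checked from here.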