From ac14405af34d76b83074aa429acf5b1de7cef3ee Mon Sep 17 00:00:00 2001
From: devitway <devitway@gmail.com>
Date: Tue, 24 Feb 2026 10:53:28 +0000
Subject: [PATCH] ci: restore scan gate on release, block on HIGH/CRITICAL CVE

---
 .github/workflows/release.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 465b768..7d53d76 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -127,7 +127,7 @@ jobs:
           format: sarif
           output: trivy-image-${{ matrix.name }}.sarif
           severity: HIGH,CRITICAL
-          exit-code: 0  # warn only; change to 1 to block on vulnerabilities
+          exit-code: 1  # block release on HIGH/CRITICAL vulnerabilities
 
       - name: Upload Trivy image results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v4
@@ -139,7 +139,7 @@ jobs:
   release:
     name: GitHub Release
     runs-on: ubuntu-latest
-    needs: build
+    needs: [build, scan]
     permissions:
       contents: write
       packages: read  # to pull image for SBOM generation