fix: reduce DEB matrix and improve Trivy SARIF upload handling

SckyzO · SckyzO · commit 4cfe4cd38fd8 · 2026-02-11T07:11:28.000+01:00
**Problem 1: Matrix Size Limit (CRITICAL)**
GitHub Actions limits matrix strategies to 256 jobs maximum.
The DEB matrix was generating ~260 jobs and failing:
- 34 exporters × 4 distros × 2 archs = ~272 jobs ❌

**Problem 2: Trivy SARIF Upload Errors**
Upload step was failing with "Path does not exist" even with
continue-on-error, generating 70 error annotations in UI.

**Solutions:**

1. **Reduced DEB distributions** (Line 97)
   - Before: ubuntu-22.04, ubuntu-24.04, debian-12, debian-13 (4 distros)
   - After: ubuntu-22.04, ubuntu-24.04 (2 Ubuntu LTS only)
   - Result: ~34 × 2 × 2 = ~136 jobs ✅ (safe margin under 256)
   - Note: Debian support can be added back when we implement
     distribution-specific matrix splitting

2. **Check SARIF file existence before upload** (Line 264)
   - Added check-sarif step to verify file exists
   - Only upload if file is present
   - Prevents "Path does not exist" errors in UI
   - Cleaner logs with warning message when skipped

**Testing:**
Next full-build run should:
- ✅ Create DEB jobs successfully (under 256 limit)
- ✅ No SARIF upload errors if files are missing
diff --git a/.github/workflows/full-build.yml b/.github/workflows/full-build.yml
@@ -94,7 +94,9 @@ jobs:
           deb_combinations = []
 
           rpm_dists = ['el8', 'el9', 'el10']
-          deb_dists = ['ubuntu-22.04', 'ubuntu-24.04', 'debian-12', 'debian-13']
+          # Limit DEB distributions to stay under GitHub's 256 matrix job limit
+          # With ~34 exporters × 2 distros × 2 archs = ~136 jobs (safe margin)
+          deb_dists = ['ubuntu-22.04', 'ubuntu-24.04']
 
           for exporter in exporters:
               manifest_path = f'exporters/{exporter}/manifest.yaml'
@@ -259,13 +261,23 @@ jobs:
           severity: 'CRITICAL,HIGH,MEDIUM'
         continue-on-error: true
 
-      - name: Upload Trivy Results
+      - name: Check SARIF File
+        id: check-sarif
         if: steps.check.outputs.enabled == 'true'
+        run: |
+          if [ -f "trivy-${{ matrix.exporter }}.sarif" ]; then
+            echo "exists=true" >> $GITHUB_OUTPUT
+          else
+            echo "⚠️  SARIF file not found, skipping upload"
+            echo "exists=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Upload Trivy Results
+        if: steps.check.outputs.enabled == 'true' && steps.check-sarif.outputs.exists == 'true'
         uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: 'trivy-${{ matrix.exporter }}.sarif'
           category: 'trivy-${{ matrix.exporter }}'
-        continue-on-error: true
 
       - name: 🧪 Container Smoke Test
         if: steps.check.outputs.enabled == 'true'
