From 3725d0873f79efc344cff8877f696ae0dfe2da7a Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Sat, 14 Mar 2026 09:54:10 -0700 Subject: [PATCH] Fix trivy CVE DB downloads in zot LaunchAgent The LaunchAgent's default PATH (/usr/bin:/bin:/usr/sbin:/sbin) doesn't include /usr/local/bin where docker-credential-desktop lives. Trivy's OCI client reads ~/.docker/config.json which specifies credsStore:desktop, then fails to find the credential helper. Add /usr/local/bin to PATH. Co-Authored-By: Claude Opus 4.6 (1M context) --- ansible/roles/zot/templates/zot.plist.j2 | 5 +++++ docs/changelog.d/bump-zot-v2.1.15.infra.md | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/ansible/roles/zot/templates/zot.plist.j2 b/ansible/roles/zot/templates/zot.plist.j2 index 25b7da1..b777fb8 100644 --- a/ansible/roles/zot/templates/zot.plist.j2 +++ b/ansible/roles/zot/templates/zot.plist.j2 @@ -16,6 +16,11 @@ KeepAlive + EnvironmentVariables + + PATH + /usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin + StandardOutPath {{ zot_log_dir }}/mcquack.zot.out.log StandardErrorPath diff --git a/docs/changelog.d/bump-zot-v2.1.15.infra.md b/docs/changelog.d/bump-zot-v2.1.15.infra.md index f20e2d5..67e5ccd 100644 --- a/docs/changelog.d/bump-zot-v2.1.15.infra.md +++ b/docs/changelog.d/bump-zot-v2.1.15.infra.md @@ -1 +1 @@ -Upgrade zot container registry from v2.1.13 to v2.1.15 (CVE-2025-30204, open redirect fix) +Upgrade zot container registry from v2.1.13 to v2.1.15 (CVE-2025-30204, open redirect fix). Fix trivy CVE DB downloads by adding /usr/local/bin to LaunchAgent PATH.
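Review bot: In the zot.plist.j2 hunk, `/usr/local/bin` is prepended rather than appended, so `+ PATH + /usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin` lets anything dropped into /usr/local/bin shadow the system binaries the agent invokes; since the stated goal is only to make docker-credential-desktop findable, placing /usr/local/bin last (`/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin`) achieves the same result with less exposure. The value is also hard-coded while the rest of the template is parameterised (e.g. `{{ zot_log_dir }}`), so consider driving it from a role variable (a hypothetical `zot_launchagent_path`) with this string as the default, and add a one-line comment in the template repeating the reason from the commit message (credsStore: desktop resolves to a helper in /usr/local/bin), since nothing in the plist itself explains why the PATH override exists.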
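Review bot: The changelog hunk folds an unrelated operational fix into the fragment named for the version bump, so `+Upgrade zot container registry from v2.1.13 to v2.1.15 (CVE-2025-30204, open redirect fix). Fix trivy CVE DB downloads by adding /usr/local/bin to LaunchAgent PATH.` now describes two changes under a file called bump-zot-v2.1.15.infra.md. Since docs/changelog.d/ is a fragment-per-change layout, the PATH fix belongs in its own fragment (for example a separate .infra.md file named for this fix) so the rendered changelog and the file name stay consistent, and the bump entry is left as it was.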