From 53d620365a9d5df9cbf8d927290eeb16b5017e46 Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Sat, 14 Mar 2026 10:00:40 -0700 Subject: [PATCH] Bump zot registry to v2.1.15 (#293) ## Summary - Upgrade zot OCI registry from v2.1.13 to v2.1.15 on indri - Addresses CVE-2025-30204 (golang-jwt memory) and open redirect via callback_ui - No config template changes needed (externalUrl is auto-allowlisted) - Requires Go 1.25.7 (bump from 1.25.6 via mise) ## Data Safety - Data directory ~/erichblume/zot is NOT touched during build or deploy - No schema migrations in v2.1.14 or v2.1.15 - Storage format remains OCI spec 1.1.0 ## Deployment Steps - [ ] SSH to indri: bump Go to 1.25.7 via `mise use go@1.25.7` - [ ] Fetch and checkout v2.1.15 in ~/code/3rd/zot - [ ] Build: `mise x -- make binary` - [ ] Restart LaunchAgent - [ ] Verify: `curl -s http://localhost:5050/v2/` returns 200 - [ ] Verify: `curl -s https://registry.ops.eblu.me/v2/_catalog` lists repos - [ ] Verify: `mise run services-check` Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/293 --- ansible/roles/zot/templates/zot.plist.j2 | 5 +++++ docs/changelog.d/bump-zot-v2.1.15.infra.md | 1 + docs/reference/services/zot.md | 2 +- service-versions.yaml | 4 ++-- 4 files changed, 9 insertions(+), 3 deletions(-) create mode 100644 docs/changelog.d/bump-zot-v2.1.15.infra.md diff --git a/ansible/roles/zot/templates/zot.plist.j2 b/ansible/roles/zot/templates/zot.plist.j2 index 25b7da1..b777fb8 100644 --- a/ansible/roles/zot/templates/zot.plist.j2 +++ b/ansible/roles/zot/templates/zot.plist.j2 @@ -16,6 +16,11 @@ KeepAlive + EnvironmentVariables + + PATH + /usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin + StandardOutPath {{ zot_log_dir }}/mcquack.zot.out.log StandardErrorPath diff --git a/docs/changelog.d/bump-zot-v2.1.15.infra.md b/docs/changelog.d/bump-zot-v2.1.15.infra.md new file mode 100644 index 0000000..67e5ccd --- /dev/null +++ b/docs/changelog.d/bump-zot-v2.1.15.infra.md 
@@ -0,0 +1 @@ +Upgrade zot container registry from v2.1.13 to v2.1.15 (CVE-2025-30204, open redirect fix). Fix trivy CVE DB downloads by adding /usr/local/bin to LaunchAgent PATH. diff --git a/docs/reference/services/zot.md b/docs/reference/services/zot.md index c113695..c309557 100644 --- a/docs/reference/services/zot.md +++ b/docs/reference/services/zot.md @@ -1,6 +1,6 @@ --- title: Zot -modified: 2026-02-21 +modified: 2026-03-14 tags: - service - registry diff --git a/service-versions.yaml b/service-versions.yaml index f060499..7d03295 100644 --- a/service-versions.yaml +++ b/service-versions.yaml @@ -269,8 +269,8 @@ services: - name: zot type: ansible - last-reviewed: null - current-version: null + last-reviewed: 2026-03-14 + current-version: "v2.1.15" upstream-source: https://github.com/project-zot/zot/releases notes: Built from source on indri
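Review bot: in the `ansible/roles/zot/templates/zot.plist.j2` hunk the new `EnvironmentVariables` block hardcodes `PATH` as `/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin`; since the template already parameterises `{{ zot_log_dir }}`, consider exposing the path prefix as a role variable too, and confirm that `/usr/local/bin` is writable only by the admin account, because it now comes first in the search path of a long-running LaunchAgent that fetches the trivy CVE database. The PR summary bullet "No config template changes needed" is true for the zot config template but not for this plist template; the PATH fix should be stated in the summary, not only in the changelog fragment.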
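Review bot: the `docs/reference/services/zot.md` hunk only bumps the `modified` front-matter date from 2026-02-21 to 2026-03-14; nothing in the visible diff touches the page body. If that page records the deployed zot version, the Go toolchain requirement (1.25.7) or the LaunchAgent environment, those lines should change in the same commit, otherwise the date bump implies a content update that did not happen.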
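Review bot: the `service-versions.yaml` hunk sets `current-version: "v2.1.15"` and `last-reviewed: 2026-03-14`, but every item under "Deployment Steps" in the commit message is still unchecked, so the file now claims a version that may not yet be running on indri; either finish the checklist before merging or record the version once `curl -s http://localhost:5050/v2/` returns 200. The Go bump to 1.25.7 is also done by hand with `mise use go@1.25.7` on the host and is not captured by any file in the diffstat; pinning it in a mise config tracked in the repo would keep `mise x -- make binary` reproducible. Minor: `current-version` is quoted while `last-reviewed` is not; use one quoting style for scalar values in this file.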