Fix trivy CVE DB downloads in zot LaunchAgent

The LaunchAgent's default PATH (/usr/bin:/bin:/usr/sbin:/sbin) doesn't include /usr/local/bin where docker-credential-desktop lives. Trivy's OCI client reads ~/.docker/config.json which specifies credsStore:desktop, then fails to find the credential helper. Add /usr/local/bin to PATH. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Bump zot registry to v2.1.15
2026-03-14 09:54:10 -07:00 · 2026-03-14 09:21:59 -07:00
4 changed files with 9 additions and 3 deletions
--- a/ansible/roles/zot/templates/zot.plist.j2
+++ b/ansible/roles/zot/templates/zot.plist.j2
@ -16,6 +16,11 @@
 	<true/>
 	<key>KeepAlive</key>
 	<true/>
+	<key>EnvironmentVariables</key>
+	<dict>
+		<key>PATH</key>
+		<string>/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin</string>
+	</dict>
 	<key>StandardOutPath</key>
 	<string>{{ zot_log_dir }}/mcquack.zot.out.log</string>
 	<key>StandardErrorPath</key>
--- a/docs/changelog.d/bump-zot-v2.1.15.infra.md
+++ b/docs/changelog.d/bump-zot-v2.1.15.infra.md
@ -0,0 +1 @@
+Upgrade zot container registry from v2.1.13 to v2.1.15 (CVE-2025-30204, open redirect fix). Fix trivy CVE DB downloads by adding /usr/local/bin to LaunchAgent PATH.
--- a/docs/reference/services/zot.md
+++ b/docs/reference/services/zot.md
@ -1,6 +1,6 @@
 ---
 title: Zot
-modified: 2026-02-21
+modified: 2026-03-14
 tags:
  - service
  - registry
--- a/service-versions.yaml
+++ b/service-versions.yaml
@ -269,8 +269,8 @@ services:

  - name: zot
    type: ansible
-    last-reviewed: null
-    current-version: null
+    last-reviewed: 2026-03-14
+    current-version: "v2.1.15"
    upstream-source: https://github.com/project-zot/zot/releases
    notes: Built from source on indri
				`@ -0,0 +1 @@`
				`Upgrade zot container registry from v2.1.13 to v2.1.15 (CVE-2025-30204, open redirect fix). Fix trivy CVE DB downloads by adding /usr/local/bin to LaunchAgent PATH.`