Disable Docker Scout PR comment to prevent accidental @mentions (#269)

IhorMasechko · web-flow · commit 9d28dd3e6736 · 2026-04-09T12:47:11.000+02:00
We disabled Docker Scout auto-comments in CI by setting write-comment:
false in the security-scan job.
This prevents scoped package names like @apostrophecms/... from being
parsed as GitHub mentions and notifying unrelated users.
Security scanning is still active and results are still uploaded via
SARIF.
diff --git a/.github/workflows/code-quality.yml b/.github/workflows/code-quality.yml
@@ -60,6 +60,7 @@ jobs:
           image: apostrophe-cms:test
           sarif-file: docker-scan-results.sarif
           only-severities: critical,high
+          write-comment: false
 
       - name: Upload scan results
         uses: github/codeql-action/upload-sarif@v3
