Fix Trivy CI failure and remove repo bloat #24

Merged
groupthinking merged 3 commits into main from copilot/debug-findings-action
Feb 7, 2026

Copilot AI commented Feb 6, 2026

Security Scan workflow fails because it references Dockerfile.production which doesn't exist. Root also accumulated loose scripts, generated reports, and data dumps that shouldn't be tracked.

CI fix

  • security.yml: Dockerfile.production → Dockerfile in the Trivy image build step

Bloat removal

  • git rm 12 files: loose root Python scripts (analyze_comments.py, fetch_comments.py, verify_enhancements.py), generated JSON reports, data dumps (comments_*.json), dashboard_test.html, IMPLEMENTATION_COMPLETE.md

.gitignore hardening

  • Added patterns for generated reports, loose root scripts, .coverage, .egg-info/

Test alignment

  • test_cloud_run_deployment.py referenced the non-existent Dockerfile.production throughout — updated to Dockerfile and fixed assertions to match actual user (uvai), port config (ENV PORT), and entry point (youtube_extension.backend.main:app)

Original prompt

can you debug and run action on findings
I don't want to be included in any git work
but I need this working but it's become bloat



vercel bot commented Feb 6, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| event-relay-web | Error | Error | Feb 6, 2026 8:54pm |
| v0-uvai | Error | Error | Feb 6, 2026 8:54pm |

…align tests with actual Dockerfile

Co-authored-by: groupthinking <154503486+groupthinking@users.noreply.github.com>
…view

Co-authored-by: groupthinking <154503486+groupthinking@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Debug and run action on findings to reduce bloat" to "Fix Trivy CI failure and remove repo bloat" Feb 6, 2026
Copilot AI requested a review from groupthinking February 6, 2026 20:55
@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@groupthinking groupthinking marked this pull request as ready for review February 7, 2026 05:38
Copilot AI review requested due to automatic review settings February 7, 2026 05:38
@groupthinking groupthinking merged commit 12f642c into main Feb 7, 2026
19 of 24 checks passed
@groupthinking groupthinking deleted the copilot/debug-findings-action branch February 7, 2026 05:39
Copilot AI left a comment

Pull request overview

This PR fixes the Security Scan workflow’s Trivy build step to use the repo’s actual Dockerfile (instead of a non-existent Dockerfile.production) and removes several tracked, generated/bloat files while hardening .gitignore. It also updates Cloud Run deployment tests to match the current Dockerfile conventions.

Changes:

  • Fix Trivy image build in .github/workflows/security.yml to use Dockerfile.
  • Remove tracked repo-bloat artifacts (generated reports/data dumps and loose root scripts) and add .gitignore patterns to prevent reintroducing them.
  • Update tests/unit/test_cloud_run_deployment.py to reference Dockerfile and align assertions with current Dockerfile user/entrypoint/port conventions.

Reviewed changes

Copilot reviewed 13 out of 16 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| .github/workflows/security.yml | Updates Trivy build step to use Dockerfile so the workflow no longer references a missing file. |
| .gitignore | Adds ignore patterns for generated reports/data dumps and loose root scripts; adds patterns intended to ignore coverage and egg-info artifacts. |
| tests/unit/test_cloud_run_deployment.py | Replaces Dockerfile.production references with Dockerfile and updates assertions for entrypoint/user/port handling. |
| .coverage | Adds a generated coverage DB artifact (should not be committed). |
| verify_enhancements.py | Removes a loose root script (repo bloat cleanup). |
| fetch_comments.py | Removes a loose root script (repo bloat cleanup). |
| analyze_comments.py | Removes a loose root script (repo bloat cleanup). |
| dashboard_test.html | Removes a generated HTML artifact (repo bloat cleanup). |
| transcript_action_result.json | Removes a generated JSON output artifact (repo bloat cleanup). |
| autonomous_processing_report_20260204_111240.json | Removes a generated report artifact (repo bloat cleanup). |
| autonomous_processing_report_20260204_111255.json | Removes a generated report artifact (repo bloat cleanup). |
| autonomous_processing_report_20260204_111329.json | Removes a generated report artifact (repo bloat cleanup). |
| CREDENTIALS_REPORT.json | Removes a generated report artifact (repo bloat cleanup). |
| IMPLEMENTATION_COMPLETE.md | Removes a tracked implementation-summary artifact (repo bloat cleanup). |
| src/agents/tasks/IMPLEMENTATION_COMPLETE.md | Removes a tracked implementation-summary artifact (repo bloat cleanup). |

Comments suppressed due to low confidence (1)

tests/unit/test_cloud_run_deployment.py:6

  • Import of 'pytest' is not used.
import pytest

@@ -11,41 +11,41 @@ class TestCloudRunDeployment:
"""Test Cloud Run deployment readiness"""

def test_dockerfile_production_exists(self):

Copilot AI Feb 7, 2026

Test name test_dockerfile_production_exists no longer matches what’s being asserted (it now checks Dockerfile, not Dockerfile.production). Rename the test to avoid confusion and keep intent aligned with behavior.

Suggested change
def test_dockerfile_production_exists(self):
def test_dockerfile_exists(self):

Comment on lines +31 to +32
assert "youtube_extension.backend.main:app" in content, \
"Dockerfile must use youtube_extension.backend.main:app as entry point"

Copilot AI Feb 7, 2026

TestApplicationEntryPoint.test_uvai_api_main_exports_app still asserts that src/uvai/api/main.py contains from youtube_extension.backend.main_v2 import app or an app = FastAPI definition, but the module currently re-exports app from youtube_extension.backend.main. Update that assertion to match the actual wrapper, otherwise this test will fail even though the Dockerfile entry point is correct.

Suggested change
assert "youtube_extension.backend.main:app" in content, \
"Dockerfile must use youtube_extension.backend.main:app as entry point"
assert "uvai.api.main:app" in content, \
"Dockerfile must use uvai.api.main:app as entry point"

- name: Build image for scanning
run: docker build -t eventrelay:test -f Dockerfile.production .
run: docker build -t eventrelay:test -f Dockerfile .
- name: Run Trivy vulnerability scanner
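
Review bot: The `-f Dockerfile` argument on the `docker build` line of the "Build image for scanning" step is still a hard-coded file name, which is the same pattern that broke this step when `Dockerfile.production` was absent. Consider defining the Dockerfile path once (for example as a workflow-level `env` value) and adding a `test -f` check before the build so a missing file fails with an explicit message. It is also worth confirming that `eventrelay:test`, the image Trivy scans, is built from the same Dockerfile that the deployment path uses, otherwise the scan does not cover the image that ships.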

Bug: Deployment scripts deploy-cloud-run.sh and one-click-deploy.sh reference the deleted Dockerfile.production, which will cause production deployments to fail.
Severity: CRITICAL

Suggested Fix

Update scripts/deployment/deploy-cloud-run.sh and scripts/deployment/one-click-deploy.sh to use Dockerfile instead of the non-existent Dockerfile.production. Also, remove any remaining references to Dockerfile.production in test files like tests/unit/test_security_fixes.py and documentation.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: .github/workflows/security.yml#L88

Potential issue: The PR removed `Dockerfile.production` but failed to update all
references to it. The deployment scripts `scripts/deployment/deploy-cloud-run.sh` (line
244) and `scripts/deployment/one-click-deploy.sh` (line 90) still attempt to build an
image using `docker build -f Dockerfile.production`. Since this file no longer exists,
any attempt to run these scripts for a production deployment will fail immediately with
a "path not found" error, blocking all Cloud Run deployments. While some tests and CI
workflows were updated, these critical deployment scripts were overlooked.
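
A CI guard for the stale-reference problem described in the comment above, as an added example that is not part of this PR or the project's code: it searches a checkout for `docker build -f <path>` lines and reports every one whose Dockerfile does not exist. The fixture is constructed (it reuses file names from this thread with made-up contents), and resolving each path relative to the repository root is an assumption.

```shell
#!/bin/sh
# Added example: report `docker build -f <path>` references to missing Dockerfiles.

# Prints "file:line: missing <path>" per dangling reference under repo root $1.
# Returns 1 if any were found, 0 otherwise. Assumes paths are relative to $1.
find_missing_dockerfiles() {
  root=$1
  findings=$(
    grep -rnE --exclude-dir=.git \
      'docker build.*[[:space:]](-f|--file)[[:space:]=]' "$root" |
    while IFS=: read -r file lineno text; do
      # Token after -f/--file, with any surrounding quotes stripped.
      ref=$(printf '%s\n' "$text" | sed -nE \
        's/.*docker build.*[[:space:]](-f|--file)[[:space:]=]+([^[:space:]]+).*/\2/p' |
        tr -d "\"'")
      [ -n "$ref" ] || continue
      [ -f "$root/$ref" ] ||
        printf '%s:%s: missing %s\n' "${file#"$root"/}" "$lineno" "$ref"
    done
  )
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# Constructed sample checkout; file names are the ones named in this thread,
# file contents are made up for the demonstration.
make_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/.github/workflows" "$dir/scripts/deployment"
  : > "$dir/Dockerfile"
  printf '%s\n' '      - name: Build image for scanning' \
    '        run: docker build -t eventrelay:test -f Dockerfile .' \
    > "$dir/.github/workflows/security.yml"
  printf '%s\n' '#!/bin/sh' 'docker build -f Dockerfile.production -t app .' \
    > "$dir/scripts/deployment/deploy-cloud-run.sh"
  printf '%s\n' "$dir"
}

fixture=$(make_fixture)
# Prints: scripts/deployment/deploy-cloud-run.sh:2: missing Dockerfile.production
find_missing_dockerfiles "$fixture" || echo "dangling Dockerfile reference found"
rm -rf "$fixture"
```

Run as a workflow step against the checkout root, the non-zero return fails the job before a scan or deploy reaches the missing file.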
