fix(ci): pin Trivy to latest in release-gate (v0.69.3 was yanked)
Some checks failed
Auto-close issues on release branch merge / Close referenced issues (push) Has been cancelled

aquasecurity/trivy-action@v0.35.0 defaults to Trivy CLI v0.69.3, but
that tag was removed from GitHub releases mid-run on 2026-04-29 — the
HIGH step on Security scan — local started failing at setup time:

  aquasecurity/trivy info checking GitHub for tag 'v0.69.3'
  aquasecurity/trivy crit unable to find 'v0.69.3'
  ##[error]Process completed with exit code 1.

The CRITICAL step still passed (binary was in cache from a prior run),
so this only surfaced as a HIGH-step failure — but the job exit code
still propagates and breaks the gate.

Following `latest` rather than chasing a specific tag that upstream
can yank without notice.

Refs #189
This commit is contained in:
Pier-Jean Malandrino 2026-04-29 11:41:10 +02:00
parent 3c6ad129e2
commit 0399262e0b

View file

@ -354,6 +354,11 @@ jobs:
severity: CRITICAL
output: /tmp/trivy-critical-${{ matrix.target }}.txt
trivyignores: .trivyignore.yaml
# `latest` instead of the action default — the previously hardcoded
# v0.69.3 was yanked from GitHub releases mid-run (2026-04-29) and
# broke the gate. Following Trivy stable is safer than chasing a
# specific tag that can vanish.
version: latest
- name: Run Trivy — HIGH (informational)
if: always()
@ -365,6 +370,7 @@ jobs:
severity: HIGH
output: /tmp/trivy-high-${{ matrix.target }}.txt
trivyignores: .trivyignore.yaml
version: latest
- name: Annotate HIGH vulnerabilities
if: always()