From 0399262e0b673894096013b28f63e61635a29448 Mon Sep 17 00:00:00 2001 From: Pier-Jean Malandrino Date: Wed, 29 Apr 2026 11:41:10 +0200 Subject: [PATCH] fix(ci): pin Trivy to latest in release-gate (v0.69.3 was yanked) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit aquasecurity/trivy-action@v0.35.0 defaults to Trivy CLI v0.69.3, but that tag was removed from GitHub releases mid-run on 2026-04-29 — the HIGH step on Security scan — local started failing at setup time: aquasecurity/trivy info checking GitHub for tag 'v0.69.3' aquasecurity/trivy crit unable to find 'v0.69.3' ##[error]Process completed with exit code 1. The CRITICAL step still passed (binary was in cache from a prior run), so this only surfaced as a HIGH-step failure — but the job exit code still propagates and breaks the gate. Following `latest` rather than chasing a specific tag that upstream can yank without notice. Refs #189 --- .github/workflows/release-gate.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/release-gate.yml b/.github/workflows/release-gate.yml index 2360092..b6b05de 100644 --- a/.github/workflows/release-gate.yml +++ b/.github/workflows/release-gate.yml @@ -354,6 +354,11 @@ jobs: severity: CRITICAL output: /tmp/trivy-critical-${{ matrix.target }}.txt trivyignores: .trivyignore.yaml + # `latest` instead of the action default — the previously hardcoded + # v0.69.3 was yanked from GitHub releases mid-run (2026-04-29) and + # broke the gate. Following Trivy stable is safer than chasing a + # specific tag that can vanish. + version: latest - name: Run Trivy — HIGH (informational) if: always() @@ -365,6 +370,7 @@ jobs: severity: HIGH output: /tmp/trivy-high-${{ matrix.target }}.txt trivyignores: .trivyignore.yaml + version: latest - name: Annotate HIGH vulnerabilities if: always()