fix(ci): pin Trivy to latest in release-gate (v0.69.3 was yanked)
aquasecurity/trivy-action@v0.35.0 defaults to Trivy CLI v0.69.3, but that tag was removed from GitHub releases mid-run on 2026-04-29 — the HIGH step on Security scan — local started failing at setup time: aquasecurity/trivy info checking GitHub for tag 'v0.69.3' aquasecurity/trivy crit unable to find 'v0.69.3' ##[error]Process completed with exit code 1. The CRITICAL step still passed (binary was in cache from a prior run), so this only surfaced as a HIGH-step failure — but the job exit code still propagates and breaks the gate. Following `latest` rather than chasing a specific tag that upstream can yank without notice. Refs #189
This commit is contained in:
parent
628027d861
commit
7577a98415
1 changed files with 6 additions and 0 deletions
6
.github/workflows/release-gate.yml
vendored
6
.github/workflows/release-gate.yml
vendored
|
|
@ -354,6 +354,11 @@ jobs:
|
|||
severity: CRITICAL
|
||||
output: /tmp/trivy-critical-${{ matrix.target }}.txt
|
||||
trivyignores: .trivyignore.yaml
|
||||
# `latest` instead of the action default — the previously hardcoded
|
||||
# v0.69.3 was yanked from GitHub releases mid-run (2026-04-29) and
|
||||
# broke the gate. Following Trivy stable is safer than chasing a
|
||||
# specific tag that can vanish.
|
||||
version: latest
|
||||
|
||||
- name: Run Trivy — HIGH (informational)
|
||||
if: always()
|
||||
|
|
@ -365,6 +370,7 @@ jobs:
|
|||
severity: HIGH
|
||||
output: /tmp/trivy-high-${{ matrix.target }}.txt
|
||||
trivyignores: .trivyignore.yaml
|
||||
version: latest
|
||||
|
||||
- name: Annotate HIGH vulnerabilities
|
||||
if: always()
|
||||
|
|
|
|||
Loading…
Reference in a new issue