diff --git a/.github/workflows/release-gate.yml b/.github/workflows/release-gate.yml index 2360092..b6b05de 100644 --- a/.github/workflows/release-gate.yml +++ b/.github/workflows/release-gate.yml @@ -354,6 +354,11 @@ jobs: severity: CRITICAL output: /tmp/trivy-critical-${{ matrix.target }}.txt trivyignores: .trivyignore.yaml + # `latest` instead of the action default — the previously hardcoded + # v0.69.3 was yanked from GitHub releases mid-run (2026-04-29) and + # broke the gate. Following Trivy stable is safer than chasing a + # specific tag that can vanish. + version: latest - name: Run Trivy — HIGH (informational) if: always() @@ -365,6 +370,7 @@ jobs: severity: HIGH output: /tmp/trivy-high-${{ matrix.target }}.txt trivyignores: .trivyignore.yaml + version: latest - name: Annotate HIGH vulnerabilities if: always()