aquasecurity/trivy-action@v0.35.0 defaults to Trivy CLI v0.69.3, but
that tag was removed from GitHub releases mid-run on 2026-04-29 — the
HIGH step on Security scan — local started failing at setup time:
aquasecurity/trivy info checking GitHub for tag 'v0.69.3'
aquasecurity/trivy crit unable to find 'v0.69.3'
##[error]Process completed with exit code 1.
The CRITICAL step still passed (binary was in cache from a prior run),
so this only surfaced as a HIGH-step failure — but the job exit code
still propagates and breaks the gate.
Following `latest` rather than chasing a specific tag that upstream
can yank without notice.
Refs #189
The CRITICAL + HIGH Trivy steps in release-gate.yml were invoking
aquasecurity/trivy-action without the `trivyignores` input, so the
.trivyignore.yaml at the repo root (committed in #190 to mitigate
CVE-2026-40393 / Mesa) was silently ignored — the gate kept failing
on a CVE we explicitly chose to defer.
Pass `trivyignores: .trivyignore.yaml` to both Trivy steps so the file
takes effect. The HIGH step also gets it for consistency (it doesn't
fail the gate, but reporting a CVE we ignore as HIGH would be noise).
Refs #189
The Release summary job was downloading ALL artifacts (~780 MB)
including Docker images it never uses. The 648 MB docker-image-local
consistently timed out after 5 retries. Now downloads only the 4
small artifacts actually needed (~2 KB total).