Trivy reports OS-package CVEs against the package name (libgbm1,
libgl1-mesa-dri, libglx-mesa0, mesa-libgallium) — not against
installed file paths. The previous `paths:` filter silently failed
to match, so the ignore was a no-op and the gate kept failing on a
CVE we explicitly chose to defer.
Trace from the failing run (#25097385670):
Using YAML ignorefile '.trivyignore.yaml':
- id: CVE-2026-40393
...
libgbm1 CVE-2026-40393 CRITICAL affected 25.0.7-2
...
##[error]Process completed with exit code 1.
Removing `paths:` lets the ID-only match apply across all 4 affected
Mesa packages until 2026-06-30.
Refs #189