From 4e133e71a7c62c89b85ef5e9e2aa20d8e6bf7f18 Mon Sep 17 00:00:00 2001
From: Kevin Riehl
Date: Fri, 8 May 2026 17:57:14 -0700
Subject: [PATCH] fix(ci): replace flaky trivy-action with direct binary install

Same pattern as the gitleaks fix: aquasecurity/trivy-action@master does a nested actions/checkout to fetch its install script, which fails on the Gitea runner. Switch fs-scan and image-scan to download the trivy binary release directly and invoke it. Pinned to v0.58.1.
---
 .gitea/workflows/ci.yml | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 6176b81..04ffc73 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -58,12 +58,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: aquasecurity/trivy-action@master
-        with:
-          scan-type: fs
-          severity: "HIGH,CRITICAL"
-          exit-code: "1"
-          ignore-unfixed: "true"
+      - name: Install and run Trivy (filesystem)
+        run: |
+          TRIVY_VERSION=0.58.1
+          curl -sSL "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" \
+            | tar xz -C /tmp trivy
+          /tmp/trivy fs --severity HIGH,CRITICAL --exit-code 1 --ignore-unfixed --no-progress .
 
   build:
     runs-on: ubuntu-latest
@@ -95,12 +95,13 @@ jobs:
           tags: movieloop-frontend:ci-${{ github.sha }}
           load: true
           cache-from: type=gha
-      - uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: movieloop-frontend:ci-${{ github.sha }}
-          severity: "HIGH,CRITICAL"
-          exit-code: "1"
-          ignore-unfixed: "true"
+      - name: Install and run Trivy (image)
+        run: |
+          TRIVY_VERSION=0.58.1
+          curl -sSL "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" \
+            | tar xz -C /tmp trivy
+          /tmp/trivy image --severity HIGH,CRITICAL --exit-code 1 --ignore-unfixed --no-progress \
+            movieloop-frontend:ci-${{ github.sha }}
 
   push:
     runs-on: ubuntu-latest
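Review bot: The new `curl -sSL … | tar xz -C /tmp trivy` lines in the `run:` block download and execute a release binary with no integrity check, so `TRIVY_VERSION=0.58.1` pins a version string but not the artifact — whatever the release URL serves is what gates the build via `--exit-code 1`; the identical block in the second hunk (the `image` scan) has the same gap. Adding `-f` to curl makes an HTTP error fail the step instead of streaming an error page into tar, and checking the download against the SHA-256 published for that release pins the artifact itself rather than just its name. Because the install block is duplicated verbatim in both jobs, a workflow-level `env: TRIVY_VERSION` (or one shared install step) would keep the version and digest in a single place. The job's own header line is outside both hunks, so the step list shown is assumed to be the scan job's `steps:` as the commit message describes.
```yaml
      - name: Install and run Trivy (filesystem)
        run: |
          TRIVY_VERSION=0.58.1
          TARBALL="trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
          curl -fsSL -o "/tmp/${TARBALL}" \
            "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/${TARBALL}"
          # Pin the artifact, not just the version: digest taken from the release's published checksums.
          echo "<SHA256_OF_TARBALL_PLACEHOLDER>  /tmp/${TARBALL}" | sha256sum -c -
          tar -xzf "/tmp/${TARBALL}" -C /tmp trivy
          # … unchanged: /tmp/trivy fs … invocation …
```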