fix(ci): replace flaky trivy-action with direct binary install

Same pattern as the gitleaks fix: aquasecurity/trivy-action@master does a nested actions/checkout to fetch its install script, which fails on the Gitea runner. Switch fs-scan and image-scan to download the trivy binary release directly and invoke it. Pinned to v0.58.1.
2026-05-08 17:57:14 -07:00
parent 350e65cbea
commit 4e133e71a7
1 changed files with 13 additions and 12 deletions
@@ -58,12 +58,12 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
-      - uses: aquasecurity/trivy-action@master
+      - name: Install and run Trivy (filesystem)
-        with:
+        run: |
-          scan-type: fs
+          TRIVY_VERSION=0.58.1
-          severity: "HIGH,CRITICAL"
+          curl -sSL "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" \
-          exit-code: "1"
+            | tar xz -C /tmp trivy
-          ignore-unfixed: "true"
+          /tmp/trivy fs --severity HIGH,CRITICAL --exit-code 1 --ignore-unfixed --no-progress .
  build:
    runs-on: ubuntu-latest
@@ -95,12 +95,13 @@ jobs:
          tags: movieloop-frontend:ci-${{ github.sha }}
          load: true
          cache-from: type=gha
-      - uses: aquasecurity/trivy-action@master
+      - name: Install and run Trivy (image)
-        with:
+        run: |
-          image-ref: movieloop-frontend:ci-${{ github.sha }}
+          TRIVY_VERSION=0.58.1
-          severity: "HIGH,CRITICAL"
+          curl -sSL "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" \
-          exit-code: "1"
+            | tar xz -C /tmp trivy
-          ignore-unfixed: "true"
+          /tmp/trivy image --severity HIGH,CRITICAL --exit-code 1 --ignore-unfixed --no-progress \
            movieloop-frontend:ci-${{ github.sha }}
  push:
    runs-on: ubuntu-latest