fix(ci): authenticate trivy-action's github.com clone #44
Reference in New Issue
Block a user
Delete Branch "fix/ci/trivy-github-token"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
On cache miss,
aquasecurity/trivy-action@masterfalls back togit clone https://github.com/aquasecurity/trivyto fetch its install script. Our act_runner cache server is currently unreachable from job containers (documented as "Cache server (deferred)" ininfra/README.md), so every CI run is a cache miss, every run does the clone, and every clone hits github.com's 60 req/h anonymous rate limit:Pass
GITHUBCOM_TOKEN(same zero-scope github.com PAT used for Renovate) asGITHUB_TOKENenv on the trivy step. The action picks it up automatically and authenticates the clone, lifting the rate limit from 60 → 5 000 req/h.Test plan
scanjob goes green on this PR (the trivy step in particular).pushto main post-merge, scan stays green.scan.Related
infra/README.md. Worth doing eventually; this PR is the surgical fix.@masterpin on the trivy-action is also worth replacing with a tagged version (renovate.jsonwill surface bumps once we lift the major-dashboard gate for it). Out of scope for this PR.