fix(ci): replace trivy-action with manual curl install #45
Reference in New Issue
Block a user
Delete Branch "fix/ci/trivy-manual-install"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
PR #44's
GITHUB_TOKENenv injection didn't actually authenticate the github.com clone. Root cause:aquasecurity/trivy-actionwrapsactions/checkout, whosewith.tokeninput defaults to${{ github.token }}(Gitea's auto-token, useless against github.com), and that wins over our env var. The clone keeps hitting the anonymous rate limit.Rather than fight the action's internals (
INPUT_TOKENoverrides,git config insteadOfinjection, etc.), drop it and install Trivy directly viacurl + tarfrom the GitHub release artefact.Side benefits
TRIVY_VERSION=0.70.0) — no more@master. Moving-target tags are exactly what bit us in #43 (the TS6 / ESLint10 / webpack-cli7 mess); not adding a new instance of the same anti-pattern.GITHUBCOM_TOKENpassed as Bearer header on the curl — defensive: release artefact downloads are usually unmetered, but auth is free insurance against rate-limit surprises.Trade-off
Trivy version bumps become manual. Renovate can't track this pin out of the box. A custom regex manager in
renovate.jsoncould be added later if the cadence justifies it; for now, manual review of Trivy releases every few months is acceptable.Test plan
scanjob goes green on this PR — bothInstall TrivyandRun Trivysteps succeed.trivy --versionin the install step's logs reports0.70.0.pnpm ci:auditorgitleakssub-steps ofscan.pushto main post-merge, scan stays green.