fix(ci): replace trivy-action with manual curl install #45

Merged
julien merged 1 commits from fix/ci/trivy-manual-install into main 2026-05-07 00:17:13 +02:00
Owner

Summary

PR #44's GITHUB_TOKEN env injection didn't actually authenticate the github.com clone. Root cause: aquasecurity/trivy-action wraps actions/checkout, whose with.token input defaults to ${{ github.token }} (Gitea's auto-token, useless against github.com), and that wins over our env var. The clone keeps hitting the anonymous rate limit.

Rather than fight the action's internals (INPUT_TOKEN overrides, git config insteadOf injection, etc.), drop it and install Trivy directly via curl + tar from the GitHub release artefact.

Side benefits

  • Version pinned (TRIVY_VERSION=0.70.0) — no more @master. Moving-target tags are exactly what bit us in #43 (the TS6 / ESLint10 / webpack-cli7 mess); not adding a new instance of the same anti-pattern.
  • Predictable — straight curl + tar, no third-party action indirection to debug.
  • GITHUBCOM_TOKEN passed as Bearer header on the curl — defensive: release artefact downloads are usually unmetered, but auth is free insurance against rate-limit surprises.

Trade-off

Trivy version bumps become manual. Renovate can't track this pin out of the box. A custom regex manager in renovate.json could be added later if the cadence justifies it; for now, manual review of Trivy releases every few months is acceptable.

Test plan

  • scan job goes green on this PR — both Install Trivy and Run Trivy steps succeed.
  • trivy --version in the install step's logs reports 0.70.0.
  • No regression on the pnpm ci:audit or gitleaks sub-steps of scan.
  • On push to main post-merge, scan stays green.
## Summary PR #44's `GITHUB_TOKEN` env injection didn't actually authenticate the github.com clone. Root cause: `aquasecurity/trivy-action` wraps `actions/checkout`, whose `with.token` input defaults to `${{ github.token }}` (Gitea's auto-token, useless against github.com), and that wins over our env var. The clone keeps hitting the anonymous rate limit. Rather than fight the action's internals (`INPUT_TOKEN` overrides, `git config insteadOf` injection, etc.), drop it and install Trivy directly via `curl + tar` from the GitHub release artefact. ## Side benefits - **Version pinned** (`TRIVY_VERSION=0.70.0`) — no more `@master`. Moving-target tags are exactly what bit us in #43 (the TS6 / ESLint10 / webpack-cli7 mess); not adding a new instance of the same anti-pattern. - **Predictable** — straight curl + tar, no third-party action indirection to debug. - `GITHUBCOM_TOKEN` passed as Bearer header on the curl — defensive: release artefact downloads are usually unmetered, but auth is free insurance against rate-limit surprises. ## Trade-off Trivy version bumps become manual. Renovate can't track this pin out of the box. A custom regex manager in `renovate.json` could be added later if the cadence justifies it; for now, manual review of [Trivy releases](https://github.com/aquasecurity/trivy/releases) every few months is acceptable. ## Test plan - [ ] `scan` job goes green on this PR — both `Install Trivy` and `Run Trivy` steps succeed. - [ ] `trivy --version` in the install step's logs reports `0.70.0`. - [ ] No regression on the `pnpm ci:audit` or `gitleaks` sub-steps of `scan`. - [ ] On `push` to main post-merge, scan stays green.
julien added 1 commit 2026-05-07 00:01:42 +02:00
fix(ci): replace trivy-action with manual curl install
CI / commits (pull_request) Successful in 1m36s
CI / check (pull_request) Successful in 1m46s
CI / scan (pull_request) Failing after 3m34s
CI / a11y (pull_request) Successful in 2m5s
CI / perf (pull_request) Successful in 3m17s
3172c0353b
Setting `GITHUB_TOKEN` env on `aquasecurity/trivy-action@master` did
not authenticate the github.com clone (#44 attempted that). Reason:
the action wraps `actions/checkout`, whose `with.token` input
defaults to `${{ github.token }}` (Gitea's auto-token, not our
github.com PAT), and that input wins over the GITHUB_TOKEN env
variable. The clone keeps hitting the anonymous rate limit.

Rather than chase the action's internals (INPUT_TOKEN tricks, git
config insteadOf, etc.), drop the wrapper entirely and install
Trivy directly via `curl + tar` from the GitHub release artefact.

Side benefits:
- Pinned version (`TRIVY_VERSION=0.70.0`) — no more `@master`,
  which is itself an anti-pattern (moving target, surprise breaking
  changes are exactly what bit us in #43).
- Predictable behaviour, fewer indirections to debug.
- GITHUBCOM_TOKEN passed as Bearer header on the curl — handles
  the rate limit on release downloads as defence-in-depth (release
  artefacts are usually unmetered, but the auth is free).

Trivy version bumps are now manual (Renovate cannot track this pin
out of the box). A custom regex manager in renovate.json could be
added later if the cadence justifies it; for now manual review of
https://github.com/aquasecurity/trivy/releases is fine.
julien merged commit 57a08c3b71 into main 2026-05-07 00:17:13 +02:00
julien deleted branch fix/ci/trivy-manual-install 2026-05-07 00:17:14 +02:00
Sign in to join this conversation.
No Reviewers
No Label
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: julien/apf_portal#45