3172c0353b
Setting `GITHUB_TOKEN` env on `aquasecurity/trivy-action@master` did not authenticate the github.com clone (#44 attempted that). Reason: the action wraps `actions/checkout`, whose `with.token` input defaults to `${{ github.token }}` (Gitea's auto-token, not our github.com PAT), and that input wins over the GITHUB_TOKEN env variable. The clone keeps hitting the anonymous rate limit. Rather than chase the action's internals (INPUT_TOKEN tricks, git config insteadOf, etc.), drop the wrapper entirely and install Trivy directly via `curl + tar` from the GitHub release artefact. Side benefits: - Pinned version (`TRIVY_VERSION=0.70.0`) — no more `@master`, which is itself an anti-pattern (moving target, surprise breaking changes are exactly what bit us in #43). - Predictable behaviour, fewer indirections to debug. - GITHUBCOM_TOKEN passed as Bearer header on the curl — handles the rate limit on release downloads as defence-in-depth (release artefacts are usually unmetered, but the auth is free). Trivy version bumps are now manual (Renovate cannot track this pin out of the box). A custom regex manager in renovate.json could be added later if the cadence justifies it; for now manual review of https://github.com/aquasecurity/trivy/releases is fine.