57a08c3b71
## Summary PR #44's `GITHUB_TOKEN` env injection didn't actually authenticate the github.com clone. Root cause: `aquasecurity/trivy-action` wraps `actions/checkout`, whose `with.token` input defaults to `${{ github.token }}` (Gitea's auto-token, useless against github.com), and that wins over our env var. The clone keeps hitting the anonymous rate limit. Rather than fight the action's internals (`INPUT_TOKEN` overrides, `git config insteadOf` injection, etc.), drop it and install Trivy directly via `curl + tar` from the GitHub release artefact. ## Side benefits - **Version pinned** (`TRIVY_VERSION=0.70.0`) — no more `@master`. Moving-target tags are exactly what bit us in #43 (the TS6 / ESLint10 / webpack-cli7 mess); not adding a new instance of the same anti-pattern. - **Predictable** — straight curl + tar, no third-party action indirection to debug. - `GITHUBCOM_TOKEN` passed as Bearer header on the curl — defensive: release artefact downloads are usually unmetered, but auth is free insurance against rate-limit surprises. ## Trade-off Trivy version bumps become manual. Renovate can't track this pin out of the box. A custom regex manager in `renovate.json` could be added later if the cadence justifies it; for now, manual review of [Trivy releases](https://github.com/aquasecurity/trivy/releases) every few months is acceptable. ## Test plan - [ ] `scan` job goes green on this PR — both `Install Trivy` and `Run Trivy` steps succeed. - [ ] `trivy --version` in the install step's logs reports `0.70.0`. - [ ] No regression on the `pnpm ci:audit` or `gitleaks` sub-steps of `scan`. - [ ] On `push` to main post-merge, scan stays green. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #45