Files
apf_portal/.gitea/workflows
julien 57a08c3b71
CI / commits (push) Has been skipped
CI / check (push) Successful in 1m45s
CI / scan (push) Failing after 2m59s
CI / a11y (push) Successful in 1m26s
CI / perf (push) Successful in 3m33s
fix(ci): replace trivy-action with manual curl install (#45)
## Summary
PR #44's `GITHUB_TOKEN` env injection didn't actually authenticate the github.com clone. Root cause: `aquasecurity/trivy-action` wraps `actions/checkout`, whose `with.token` input defaults to `${{ github.token }}` (Gitea's auto-token, useless against github.com), and that wins over our env var. The clone keeps hitting the anonymous rate limit.

Rather than fight the action's internals (`INPUT_TOKEN` overrides, `git config insteadOf` injection, etc.), drop it and install Trivy directly via `curl + tar` from the GitHub release artefact.

## Side benefits
- **Version pinned** (`TRIVY_VERSION=0.70.0`) — no more `@master`. Moving-target tags are exactly what bit us in #43 (the TS6 / ESLint10 / webpack-cli7 mess); not adding a new instance of the same anti-pattern.
- **Predictable** — straight curl + tar, no third-party action indirection to debug.
- `GITHUBCOM_TOKEN` passed as Bearer header on the curl — defensive: release artefact downloads are usually unmetered, but auth is free insurance against rate-limit surprises.

## Trade-off
Trivy version bumps become manual. Renovate can't track this pin out of the box. A custom regex manager in `renovate.json` could be added later if the cadence justifies it; for now, manual review of [Trivy releases](https://github.com/aquasecurity/trivy/releases) every few months is acceptable.

## Test plan
- [ ] `scan` job goes green on this PR — both `Install Trivy` and `Run Trivy` steps succeed.
- [ ] `trivy --version` in the install step's logs reports `0.70.0`.
- [ ] No regression on the `pnpm ci:audit` or `gitleaks` sub-steps of `scan`.
- [ ] On `push` to main post-merge, scan stays green.

---------

Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr>
Reviewed-on: #45
2026-05-07 00:17:13 +02:00
..