From 27a469b1699d2b8aa6d3e2ca113872a3f2bf0602 Mon Sep 17 00:00:00 2001 From: Forge Bot <3+renovate-bot@noreply.gitea.hellion-forge.cloud> Date: Tue, 12 May 2026 00:12:13 +0000 Subject: [PATCH] fix(scan): pin Trivy to v0.70.0 to avoid GitHub rate-limit The trivy install script otherwise queries api.github.com unauthenticated for the latest release tag. Self-hosted runners hit rate-limit quickly when multiple workflows run in succession, leading to empty version resolution and install failures. Version pinned with renovate annotation so updates flow through Renovate. --- .gitea/workflows/security-scan.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.gitea/workflows/security-scan.yml b/.gitea/workflows/security-scan.yml index 221aa45..3d23f45 100644 --- a/.gitea/workflows/security-scan.yml +++ b/.gitea/workflows/security-scan.yml @@ -49,7 +49,13 @@ jobs: # trivy-action wrapper does nested checkouts and auth-juggling that # does not play well with Self-Hosted Gitea Actions, this is more # robust and a smaller surface. - run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin + # + # Version pinned: the install script otherwise hits api.github.com to + # resolve "latest", which is unauthenticated and burns through the + # self-hosted runner's GitHub rate-limit on each push. Pinning skips + # the API call entirely. Renovate-bot keeps the version current: + # renovate: datasource=github-releases depName=aquasecurity/trivy + run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.70.0 - name: Run Semgrep SAST # --config=auto pulls language-appropriate rule packs from semgrep.dev
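Review bot: the pin covers only the release tag, not the installer: the new `run:` line still fetches `contrib/install.sh` from the `main` branch of aquasecurity/trivy over raw.githubusercontent.com and pipes it into `sudo sh`, so the script that runs as root on the self-hosted runner is still whatever that branch contains at the moment of the push. Consider pinning the script URL to a specific commit SHA (or vendoring the script into the repo) so the workflow's supply-chain surface matches the "smaller surface" rationale in the surrounding comment, and verifying the downloaded binary's checksum against the release's published checksums. Separately, the `# renovate: datasource=github-releases depName=aquasecurity/trivy` annotation only keeps the version current if a Renovate regex/custom manager is configured to match that comment plus the `v0.70.0` on the following line; please confirm that manager exists, since otherwise the pin will quietly go stale and the commit message's claim that "updates flow through Renovate" will not hold.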