JonKazama-Hellion/security-workflows
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

fix(scan): pin Trivy to v0.70.0 to avoid GitHub rate-limit

Browse Source 
The trivy install script otherwise queries api.github.com unauthenticated
for the latest release tag. Self-hosted runners hit rate-limit quickly
when multiple workflows run in succession, leading to empty version
resolution and install failures.

Version pinned with renovate annotation so updates flow through Renovate.
This commit is contained in:
Forge Bot
2026-05-12 00:12:13 +00:00
parent 1222381732
commit 27a469b169
1 changed files with 7 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/security-scan.yml
+7 -1
View File
@@ -49,7 +49,13 @@ jobs:
# trivy-action wrapper does nested checkouts and auth-juggling that # trivy-action wrapper does nested checkouts and auth-juggling that
# does not play well with Self-Hosted Gitea Actions, this is more # does not play well with Self-Hosted Gitea Actions, this is more
# robust and a smaller surface. # robust and a smaller surface.
run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin #
# Version pinned: the install script otherwise hits api.github.com to
# resolve "latest", which is unauthenticated and burns through the
# self-hosted runner's GitHub rate-limit on each push. Pinning skips
# the API call entirely. Renovate-bot keeps the version current:
# renovate: datasource=github-releases depName=aquasecurity/trivy
run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.70.0
- name: Run Semgrep SAST - name: Run Semgrep SAST
# --config=auto pulls language-appropriate rule packs from semgrep.dev # --config=auto pulls language-appropriate rule packs from semgrep.dev