From c9a8000a84ea94c8a5846c9f7fae819177e3668c Mon Sep 17 00:00:00 2001
From: JonKazama-Hellion
Date: Sat, 9 May 2026 11:49:14 +0200
Subject: [PATCH] Replace aquasecurity/trivy-action with direct install

The Trivy GitHub Action wrapper does nested checkouts and auth-juggling that breaks on Self-Hosted Gitea Actions: 'Failure - Main Checkout install script' on the first HellionChat run. Switching to the upstream install.sh + plain `trivy fs` invocation has a smaller surface and removes the action-internal git clone dance entirely.
---
 .gitea/workflows/security-scan.yml | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/.gitea/workflows/security-scan.yml b/.gitea/workflows/security-scan.yml
index 2df1137..e2dd42f 100644
--- a/.gitea/workflows/security-scan.yml
+++ b/.gitea/workflows/security-scan.yml
@@ -47,14 +47,15 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Install Trivy
+        # Direct install via the official upstream script. The aquasecurity/
+        # trivy-action wrapper does nested checkouts and auth-juggling that
+        # does not play well with Self-Hosted Gitea Actions, this is more
+        # robust and a smaller surface.
+        run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin
+
       - name: Run Trivy filesystem scan
         # Scans dependency manifests (NuGet, npm, package-lock etc.) against
-        # the NVD CVE database. ignore-unfixed skips findings that have no
-        # patched version available so we focus on actionable items.
-        uses: aquasecurity/trivy-action@master
-        with:
-          scan-type: fs
-          scan-ref: .
-          severity: ${{ inputs.severity }}
-          exit-code: '1'
-          ignore-unfixed: true
+        # the NVD CVE database. --ignore-unfixed skips findings that have
+        # no patched version available so we focus on actionable items.
+        run: trivy fs --severity ${{ inputs.severity }} --exit-code 1 --ignore-unfixed .
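Review bot: The new `run:` line of the "Run Trivy filesystem scan" step splices `${{ inputs.severity }}` directly into the shell command; the removed action passed that value as a `with:` input (data), so the rewrite turns a workflow input into a command-injection point on the runner, and the fix is to hand it over through `env:` and reference it as a quoted shell variable. The "Install Trivy" step also keeps a supply-chain shape the commit message says it wants to shrink: it fetches install.sh from the moving `main` ref and pipes it into `sudo sh` on every run with no version pin and no checksum, so the binary installed is whatever upstream publishes at that moment; the upstream installer takes a release tag after `-b <dir>`, and the script URL can be pinned to the same tag (a checksum or signature check before execution would be better still). The `steps:` list and job header begin outside the hunk.

```yaml
      - name: Install Trivy
        # … unchanged: comment on why the action wrapper is avoided …
        # <TRIVY_VERSION> is a placeholder; pin to a specific release tag.
        run: curl -sfL "https://raw.githubusercontent.com/aquasecurity/trivy/<TRIVY_VERSION>/contrib/install.sh" | sudo sh -s -- -b /usr/local/bin "<TRIVY_VERSION>"

      - name: Run Trivy filesystem scan
        # … unchanged: comment on what is scanned …
        env:
          SEVERITY: ${{ inputs.severity }}
        run: trivy fs --severity "$SEVERITY" --exit-code 1 --ignore-unfixed .
```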