Commit Graph

7 Commits

Author SHA1 Message Date
JonKazama-Hellion 7cbc8fcccc Merge pull request 'fix(scan): pin Trivy to v0.70.0 (avoid GitHub rate-limit)' (#2) from fix/pin-trivy-version into main
Reviewed-on: #2
2026-05-12 00:13:43 +00:00
renovate-bot 27a469b169 fix(scan): pin Trivy to v0.70.0 to avoid GitHub rate-limit
The trivy install script otherwise queries api.github.com unauthenticated
for the latest release tag. Self-hosted runners hit the rate limit quickly
when multiple workflows run in succession, leading to empty version
resolution and install failures.

Version pinned with renovate annotation so updates flow through Renovate.
2026-05-12 00:12:13 +00:00
JonKazama-Hellion 1222381732 Merge pull request 'fix(scan): merge semgrep + trivy into one job (act_runner race)' (#1) from fix/sequential-scan-jobs into main
Reviewed-on: #1
2026-05-11 23:12:56 +00:00
renovate-bot 27c4db980e fix(scan): merge semgrep + trivy into one job to avoid act_runner race
act_runner v0.6.1 fails when 2 jobs in the same task chown the shared workspace in parallel. Sequential steps inside one job sidestep the issue.

Trivy step uses if: always() so both tools surface findings in a single run.
2026-05-11 23:11:39 +00:00
JonKazama-Hellion c0d2b12b4f Add semgrep-exclude-rules input, drop WARNING-severity-as-failing
Two changes for noise reduction and per-repo control:

1. New optional input `semgrep-exclude-rules` (comma-separated rule
   IDs). Lets a consumer skip rules that are context-specific false
   positives (e.g. SQLi rules in a local-only plugin with SqlParameter-
   bound values).

2. Semgrep now only fails the build on ERROR-severity findings.
   WARNING-level rules still run for visibility but do not block.
   Keeps the noise floor low while still surfacing concerns.

Both are opt-in for consumers, default behaviour stays scan-everything.
2026-05-09 11:53:36 +02:00
JonKazama-Hellion c9a8000a84 Replace aquasecurity/trivy-action with direct install
The Trivy GitHub Action wrapper does nested checkouts and auth-juggling
that breaks on Self-Hosted Gitea Actions: 'Failure - Main Checkout
install script' on the first HellionChat run. Switching to the
upstream install.sh + plain `trivy fs` invocation has a smaller
surface and removes the action-internal git clone dance entirely.
2026-05-09 11:49:14 +02:00
JonKazama-Hellion 61dd7bf214 Initial reusable security-scan workflow
Semgrep SAST + Trivy filesystem scan, run in parallel.
Either job failing fails the calling workflow.

Inputs:
- severity (Trivy threshold, default CRITICAL,HIGH)
- semgrep-config (rule pack, default auto)
2026-05-09 11:20:11 +02:00
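The commits above describe a reusable security-scan workflow piece by piece: the three inputs, a single job with sequential Semgrep and Trivy steps, Trivy installed from the upstream install script at a pinned tag with a Renovate annotation, Semgrep failing only on ERROR-severity findings, and Trivy running under `if: always()`. The file below composes those statements into one workflow as an added example; it is not the repository's own workflow file (the page shows none). The input names `severity`, `semgrep-config` and `semgrep-exclude-rules` and the Trivy tag come from the commit messages; the job and step names, the `pip` install of Semgrep, the `ubuntu-latest` label, the `actions/checkout` step, the Renovate regex-manager comment format and the JSON post-processing that decides the exit status are assumptions.

```yaml
# Added example, not the project's own file. Inputs follow the commit
# messages above; everything else is an assumed layout.
name: security-scan

on:
  workflow_call:
    inputs:
      severity:
        description: Trivy severity threshold, comma-separated
        type: string
        default: CRITICAL,HIGH
      semgrep-config:
        description: Semgrep rule pack
        type: string
        default: auto
      semgrep-exclude-rules:
        description: Comma-separated Semgrep rule IDs to skip
        type: string
        default: ""

env:
  # Assumed Renovate regex-manager annotation: Renovate rewrites the
  # line below, so the pin stays current without touching the script.
  # renovate: datasource=github-releases depName=aquasecurity/trivy
  TRIVY_VERSION: v0.70.0

jobs:
  # One job, sequential steps: two jobs chown-ing the shared workspace in
  # parallel race under act_runner, as the merge commit describes.
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Semgrep SAST (fails only on ERROR severity)
        # Inputs are passed through env, not interpolated into the script,
        # so a caller-controlled value cannot inject shell.
        env:
          SEMGREP_CONFIG: ${{ inputs.semgrep-config }}
          EXCLUDE_RULES: ${{ inputs.semgrep-exclude-rules }}
        shell: bash
        run: |
          set -euo pipefail
          python3 -m pip install --quiet --user semgrep
          args=(--config "$SEMGREP_CONFIG" --metrics=off --json --output semgrep.json)
          # Comma-separated input -> one --exclude-rule flag per rule ID.
          IFS=',' read -ra rules <<< "$EXCLUDE_RULES"
          for r in "${rules[@]}"; do
            r="${r// /}"
            if [ -n "$r" ]; then args+=(--exclude-rule "$r"); fi
          done
          # Without --error, semgrep exits 0 regardless of findings; the
          # WARNING/INFO rules still run and are listed, ERROR ones block.
          python3 -m semgrep scan "${args[@]}"
          python3 - <<'PY'
          import json, sys
          results = json.load(open("semgrep.json"))["results"]
          for f in results:
              x = f["extra"]
              print(f'{x["severity"]:8}{f["check_id"]}  {f["path"]}:{f["start"]["line"]}')
          errors = [f for f in results if f["extra"]["severity"] == "ERROR"]
          print(f"{len(results)} finding(s), {len(errors)} at ERROR severity")
          sys.exit(1 if errors else 0)
          PY

      - name: Trivy filesystem scan (runs even if Semgrep failed)
        if: always()
        env:
          TRIVY_SEVERITY: ${{ inputs.severity }}
        shell: bash
        run: |
          set -euo pipefail
          # Upstream install script with an explicit tag instead of
          # "latest", and a plain `trivy fs` instead of the action wrapper.
          mkdir -p "$HOME/.local/bin"
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
            | sh -s -- -b "$HOME/.local/bin" "$TRIVY_VERSION"
          "$HOME/.local/bin/trivy" --version
          "$HOME/.local/bin/trivy" fs --scanners vuln,secret,misconfig \
            --severity "$TRIVY_SEVERITY" --exit-code 1 --no-progress .
```

A failing Semgrep step marks the job failed, but `if: always()` still runs the Trivy step, so a single run surfaces both tools' findings before the calling workflow fails. Pinning the tag also means the Semgrep install is the only remaining unpinned dependency here; on a real runner it would deserve the same treatment (a pinned package version or a pinned container image).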