Merge pull request 'fix(scan): pin Trivy to v0.70.0 (avoid GitHub rate-limit)' (#2 ) from fix/pin-trivy-version into main

Reviewed-on: #2
fix(scan): pin Trivy to v0.70.0 to avoid GitHub rate-limit
2026-05-12 00:13:43 +00:00 · 2026-05-12 00:12:13 +00:00
1 changed files with 7 additions and 1 deletions
@@ -49,7 +49,13 @@ jobs:
        # trivy-action wrapper does nested checkouts and auth-juggling that
        # does not play well with Self-Hosted Gitea Actions, this is more
        # robust and a smaller surface.
-        run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin
+        #
+        # Version pinned: the install script otherwise hits api.github.com to
+        # resolve "latest", which is unauthenticated and burns through the
+        # self-hosted runner's GitHub rate-limit on each push. Pinning skips
+        # the API call entirely. Renovate-bot keeps the version current:
+        # renovate: datasource=github-releases depName=aquasecurity/trivy
+        run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.70.0

      - name: Run Semgrep SAST
        # --config=auto pulls language-appropriate rule packs from semgrep.dev