Merge pull request 'Update actions/checkout action to v6' (#4) from renovate/actions-checkout-6.x into main

Reviewed-on: #4

.gitea/workflows/security-scan.yml

@@ -1,8 +1,13 @@
 name: Security Scan (reusable)
 
 # Reusable workflow consumed by per-repo security.yml stubs across the
-# Hellion stack. Runs Semgrep SAST and Trivy filesystem scan in parallel.
-# Either job failing fails the calling workflow.
+# Hellion stack. Runs Semgrep SAST + Trivy filesystem scan sequentially
+# inside a single job. Either tool failing fails the calling workflow.
+#
+# Why one job, not two parallel jobs:
+# act_runner v0.6.1 has a race condition when two jobs in the same task
+# share a workspace and chown it in parallel — one container never gets
+# /var/run/act/ provisioned and silent-fails. Sequential steps avoid it.
 
 on:
   workflow_call:
@@ -24,24 +29,37 @@ on:
         default: ''
 
 jobs:
-  semgrep:
-    name: Semgrep SAST
+  scan:
+    name: Security Scan
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: '3.x'
 
       - name: Install Semgrep
         run: pip install --no-cache-dir semgrep
 
-      - name: Run Semgrep scan
+      - name: Install Trivy
+        # Direct install via the official upstream script. The aquasecurity/
+        # trivy-action wrapper does nested checkouts and auth-juggling that
+        # does not play well with Self-Hosted Gitea Actions, this is more
+        # robust and a smaller surface.
+        #
+        # Version pinned: the install script otherwise hits api.github.com to
+        # resolve "latest", which is unauthenticated and burns through the
+        # self-hosted runner's GitHub rate-limit on each push. Pinning skips
+        # the API call entirely. Renovate-bot keeps the version current:
+        # renovate: datasource=github-releases depName=aquasecurity/trivy
+        run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.70.0
+
+      - name: Run Semgrep SAST
         # --config=auto pulls language-appropriate rule packs from semgrep.dev
-        # without requiring an account. --error makes the job fail when ERROR
+        # without requiring an account. --error makes the step fail when ERROR
         # findings exist. WARNING-level rules still run for visibility but do
         # not fail the build (they would dominate the noise).
         # Per-repo rule exclusion via the semgrep-exclude-rules input.
@@ -57,22 +75,11 @@ jobs:
           echo "Running: semgrep scan $args"
           semgrep scan $args
 
-  trivy:
-    name: Trivy Vulnerability Scan
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Install Trivy
-        # Direct install via the official upstream script. The aquasecurity/
-        # trivy-action wrapper does nested checkouts and auth-juggling that
-        # does not play well with Self-Hosted Gitea Actions, this is more
-        # robust and a smaller surface.
-        run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin
-
       - name: Run Trivy filesystem scan
+        # if: always() — surface Trivy findings even when Semgrep fails first,
+        # so a single run gives the full combined picture.
         # Scans dependency manifests (NuGet, npm, package-lock etc.) against
         # the NVD CVE database. --ignore-unfixed skips findings that have
         # no patched version available so we focus on actionable items.
+        if: always()
         run: trivy fs --severity ${{ inputs.severity }} --exit-code 1 --ignore-unfixed .

renovate.json

@@ -0,0 +1,6 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended"
+  ]
+}