JonKazama-Hellion/security-workflows
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

fix(scan): pin Trivy to v0.70.0 (avoid GitHub rate-limit) #2

Merged
JonKazama-Hellion merged 1 commits from fix/pin-trivy-version into main 2026-05-12 00:13:43 +00:00
Conversation 0 Commits 1 Files Changed 1
+7 -1
renovate-bot commented 2026-05-12 00:12:13 +00:00
Collaborator
Copy Link
Copy Source

Problem

Trivy-Install-Step nutzte install.sh ohne Version-Pin. Das Script ruft api.github.com unauthenticated auf, um den "latest" Tag zu finden. Self-Hosted Runner hat begrenztes Rate-Limit (~60/h). Bei mehreren Workflow-Runs in kurzer Zeit (z.B. nach Bulk-Merges) failt der API-Call mit leerer Response:

aquasecurity/trivy info checking GitHub for latest tag
aquasecurity/trivy crit unable to find '' - use 'latest' or see https://github.com/aquasecurity/trivy/releases for details

Beobachtet auf nova-corp-website nach den juengsten 6 PR-Merges.

Fix

Trivy auf konkrete Version v0.70.0 gepinnt (aktueller stable). Install-Script ueberspringt damit den API-Call.

Renovate-Annotation # renovate: datasource=github-releases depName=aquasecurity/trivy ist vorbereitet — sobald Renovate sie aufpickt, kommen Version-Bumps als regulaere PRs.

Wirkung

Greift automatisch in allen 8 Repos beim naechsten Workflow-Trigger nach Merge (kein zusaetzlicher Action noetig).

## Problem Trivy-Install-Step nutzte `install.sh` ohne Version-Pin. Das Script ruft api.github.com unauthenticated auf, um den "latest" Tag zu finden. Self-Hosted Runner hat begrenztes Rate-Limit (~60/h). Bei mehreren Workflow-Runs in kurzer Zeit (z.B. nach Bulk-Merges) failt der API-Call mit leerer Response: ``` aquasecurity/trivy info checking GitHub for latest tag aquasecurity/trivy crit unable to find '' - use 'latest' or see https://github.com/aquasecurity/trivy/releases for details ``` Beobachtet auf nova-corp-website nach den juengsten 6 PR-Merges. ## Fix Trivy auf konkrete Version `v0.70.0` gepinnt (aktueller stable). Install-Script ueberspringt damit den API-Call. Renovate-Annotation `# renovate: datasource=github-releases depName=aquasecurity/trivy` ist vorbereitet — sobald Renovate sie aufpickt, kommen Version-Bumps als regulaere PRs. ## Wirkung Greift automatisch in allen 8 Repos beim naechsten Workflow-Trigger nach Merge (kein zusaetzlicher Action noetig).
renovate-bot added 1 commit 2026-05-12 00:12:13 +00:00
fix(scan): pin Trivy to v0.70.0 to avoid GitHub rate-limit 27a469b169 
The trivy install script otherwise queries api.github.com unauthenticated
for the latest release tag. Self-hosted runners hit rate-limit quickly
when multiple workflows run in succession, leading to empty version
resolution and install failures.

Version pinned with renovate annotation so updates flow through Renovate.
renovate-bot added 1 commit 2026-05-12 00:12:15 +00:00
fix(scan): pin Trivy to v0.70.0 to avoid GitHub rate-limit 27a469b169 
The trivy install script otherwise queries api.github.com unauthenticated
for the latest release tag. Self-hosted runners hit rate-limit quickly
when multiple workflows run in succession, leading to empty version
resolution and install failures.

Version pinned with renovate annotation so updates flow through Renovate.
JonKazama-Hellion merged commit 7cbc8fcccc into main 2026-05-12 00:13:43 +00:00
JonKazama-Hellion deleted branch fix/pin-trivy-version 2026-05-12 00:13:43 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
bug
Something is broken or behaves unexpectedly
 dependencies
Dependency updates (Renovate)
 documentation
Documentation changes or additions
 duplicate
Already covered by another issue or PR
 enhancement
New feature or improvement request
 good first issue
Good entry point for new contributors
 help wanted
Extra attention or external help needed
 question
Further information is requested
 security
Security-related issue (Forge-Bronze)
 wontfix
This will not be worked on
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
renovate-bot (Forge Bot) JonKazama-Hellion (Jon Kazama)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: JonKazama-Hellion/security-workflows#2
Delete Branch "fix/pin-trivy-version"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?