From 065e8011ee6823a89f3cf5dd3eb4d66142f743e8 Mon Sep 17 00:00:00 2001 From: Toutsu Date: Mon, 8 Jun 2026 10:23:31 +0300 Subject: [PATCH] ci: pin Trivy v0.71.0 in install step The previous 'curl ... | sh -s -- -b /usr/local/bin' call passed no positional tag, so the install script fell back to the GitHub 'latest' tag. aquasecurity/trivy no longer publishes a 'latest' release tag, so the CI failed at 'Install Trivy' with: aquasecurity/trivy crit unable to find '' - use 'latest' or see ... This blocked the entire 3.9.1 hotfix deploy: build-and-push succeeded (3 fresh 3.9.1 images pushed to git.codeanddice.ru), but scan-images never ran and deploy was skipped. Production still runs 3.9.0 with the broken wizard. Pass 'v0.71.0' as the positional tag; v0.71.0 has Linux-ARM64 and Linux-AMD64 builds so both the deploy runner (RPi 5) and pr-checks runner pick the right tarball. --- .gitea/workflows/deploy.yml | 7 ++++++- .gitea/workflows/pr-checks.yml | 3 ++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml index 953def3..feadfb2 100644 --- a/.gitea/workflows/deploy.yml +++ b/.gitea/workflows/deploy.yml @@ -72,7 +72,12 @@ jobs: steps: - name: Install Trivy run: | - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin + # Pinned version — the upstream install.sh resolves the + # positional tag against the GitHub releases API; the `latest` + # tag is no longer published, so leaving it empty fails with + # `unable to find '' - use 'latest' or see ...`. v0.71.0 has + # Linux-ARM64 builds for the Pi runner. + curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.71.0 - name: Scan Bot image run: | diff --git a/.gitea/workflows/pr-checks.yml b/.gitea/workflows/pr-checks.yml index 6cdcd2c..de0f59e 100644 --- a/.gitea/workflows/pr-checks.yml +++ b/.gitea/workflows/pr-checks.yml 
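Review bot: The new curl line still fetches install.sh from the mutable `main` ref of aquasecurity/trivy and pipes it straight into `sh` on the deploy runner, so the pin fixes which Trivy tarball is chosen but not which installer code runs; whoever can change that branch (or the raw.githubusercontent.com response) executes arbitrary shell on the host that holds the registry credentials and performs the production deploy. Pin the script to an immutable ref as well, `curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/<commit-sha>/contrib/install.sh | sh -s -- -b /usr/local/bin v0.71.0`, with `<commit-sha>` recorded from the trivy repo at the time of pinning, or download the v0.71.0 release tarball directly and verify it against a sha256 checked into this repo. install.sh presumably verifies the tarball against the release's checksums file, but that check is only as trustworthy as the script performing it, which is exactly the part left unpinned here. The `steps:` list continues beyond the hunk.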
@@ -47,7 +47,8 @@ jobs: - name: Install Trivy run: | - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin + # Pinned version — see deploy.yml for why. + curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.71.0 trivy --version - name: Trivy filesystem security scan
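Review bot: Same unpinned installer as in deploy.yml: the script is taken from the `main` branch of the trivy repo and executed unverified on the pr-checks runner for every pull request, so only the Trivy version is pinned, not the code that installs it; use an immutable `<commit-sha>` in the raw.githubusercontent.com URL here as well. The `trivy --version` line only prints, so the pin and the binary actually on `/usr/local/bin` can drift apart without the job noticing; make it assert the pinned version, e.g. `trivy --version | grep -F 'Version: 0.71.0'`. The exact `--version` output format should be confirmed against the installed binary before relying on that grep. The `run:` block of the following step starts outside the hunk.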