diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 7ee8f49..d941558 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -72,12 +72,27 @@ jobs:
 steps:
 - name: Install Trivy
 run: |
- # Pinned version — the upstream install.sh resolves the
- # positional tag against the GitHub releases API; the `latest`
- # tag is no longer published, so leaving it empty fails with
- # `unable to find '' - use 'latest' or see ...`. v0.71.0 has
- # Linux-ARM64 builds for the Pi runner.
- curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.71.0
+ # Install Trivy from the official Docker image instead of the
+ # upstream install.sh. Rationale:
+ # 1. install.sh resolves the positional tag against the
+ # GitHub releases API; when a release is unpublished or
+ # yanked, the script fails with
+ # `unable to find '' - use 'latest' or see ...`
+ # even when the release once existed. We hit this with
+ # v0.71.0.
+ # 2. Docker Hub tags are content-addressed and rarely
+ # removed, so a pinned image tag is much more stable.
+ # 3. The image is multi-arch (linux/amd64, linux/arm64,
+ # linux/ppc64le, linux/s390x) so the same tag works on
+ # the GitHub-hosted runner and on the ARM64 Pi runner.
+ set -euo pipefail
+ TRIVY_VERSION="0.70.0"
+ docker pull --quiet "aquasec/trivy:${TRIVY_VERSION}"
+ docker create --name trivy-tmp "aquasec/trivy:${TRIVY_VERSION}"
+ docker cp trivy-tmp:/usr/local/bin/trivy /usr/local/bin/trivy
+ docker rm trivy-tmp >/dev/null
+ chmod +x /usr/local/bin/trivy
+ trivy --version

 - name: Scan Bot image
 run: |
diff --git a/.gitea/workflows/pr-checks.yml b/.gitea/workflows/pr-checks.yml
index de0f59e..8dfa56e 100644
--- a/.gitea/workflows/pr-checks.yml
+++ b/.gitea/workflows/pr-checks.yml
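Review bot: The new comment in this hunk says Docker Hub tags are content-addressed, but a tag is a mutable pointer and only the manifest digest is content-addressed, so `aquasec/trivy:${TRIVY_VERSION}` can resolve to different bytes on different runs while still reporting `0.70.0` — and this binary is the scanner whose result gates the deploy. Pin the image by digest as well as tag (`aquasec/trivy:${TRIVY_VERSION}@sha256:<digest>`, recorded from a trusted pull) and reword the comment so it says digests, not tags, are content-addressed. Separately, `docker create --name trivy-tmp` under `set -e` leaks the named container if `docker cp` fails before `docker rm` runs, and on a persistent self-hosted runner such as the Pi runner named in the comment the next run's `docker create` then fails with a name conflict; capturing the container id and removing it from an `EXIT` trap fixes both. The same block is duplicated in the pr-checks.yml hunk and needs the same changes.

```yaml
run: |
  # … unchanged: rationale comment (reword item 2: digests, not tags, are content-addressed) …
  set -euo pipefail
  TRIVY_VERSION="0.70.0"
  # Manifest digest of the aquasec/trivy tag above, taken from a trusted pull.
  TRIVY_DIGEST="sha256:<DIGEST_PLACEHOLDER>"
  docker pull --quiet "aquasec/trivy:${TRIVY_VERSION}@${TRIVY_DIGEST}"
  cid="$(docker create "aquasec/trivy:${TRIVY_VERSION}@${TRIVY_DIGEST}")"
  trap 'docker rm -f "$cid" >/dev/null 2>&1 || true' EXIT
  docker cp "${cid}:/usr/local/bin/trivy" /usr/local/bin/trivy
  chmod +x /usr/local/bin/trivy
  trivy --version
```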
@@ -47,8 +47,19 @@ jobs:

 - name: Install Trivy
 run: |
- # Pinned version — see deploy.yml for why.
- curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.71.0
+ # Install Trivy from the official Docker image instead of the
+ # upstream install.sh. Rationale (see deploy.yml for the long
+ # version): the GitHub release tag we pinned (v0.71.0) was
+ # unpublished, and install.sh fails hard on missing tags.
+ # Docker Hub images are content-addressed and rarely removed,
+ # and the multi-arch manifest covers linux/amd64 + linux/arm64.
+ set -euo pipefail
+ TRIVY_VERSION="0.70.0"
+ docker pull --quiet "aquasec/trivy:${TRIVY_VERSION}"
+ docker create --name trivy-tmp "aquasec/trivy:${TRIVY_VERSION}"
+ docker cp trivy-tmp:/usr/local/bin/trivy /usr/local/bin/trivy
+ docker rm trivy-tmp >/dev/null
+ chmod +x /usr/local/bin/trivy
 trivy --version

 - name: Trivy filesystem security scan
diff --git a/.gitignore b/.gitignore
index fed626e..9753a66 100644
Binary files a/.gitignore and b/.gitignore differ