From 99a58d78352adf777bd2cdbe8e809de0be672d46 Mon Sep 17 00:00:00 2001
From: Toutsu
Date: Mon, 8 Jun 2026 12:09:19 +0300
Subject: [PATCH] ci: install Trivy from official Docker image; normalize .gitignore to UTF-8

Trivy install keeps failing on the deploy workflow:
- empty TAG: install.sh falls back to 'latest', but the 'latest' GitHub release tag is no longer published.
- pin v0.71.0: pin alone is not durable. The release got unpublished and install.sh now dies with 'unable to find v0.71.0 - use latest'.

Switch to the official aquasec/trivy Docker image:
- Docker Hub tags are content-addressed and rarely removed, so the pin is durable.
- The image manifest ships linux/amd64, linux/arm64, linux/ppc64le and linux/s390x, so the same tag works on the GitHub-hosted runner and on the ARM64 Pi runner.
- We just need docker pull + docker cp /usr/local/bin/trivy.
- Pinned to 0.70.0 (April 2026) for reasonably current CVE data.

Also normalize .gitignore to plain UTF-8. The working copy had been re-saved as UTF-16 LE by a Set-Content call without -Encoding UTF8 (PowerShell 5.1 default on the local Windows box), so git kept reporting 'Binary files differ' even though the rules themselves were fine. Re-wrote through the editor to drop the UTF-16 encoding and added rules for showcase-*.png, *.png.local, and the test scratch dirs that keep creeping in.
---
 .gitea/workflows/deploy.yml | 27 +++++++++++++++++++++------
 .gitea/workflows/pr-checks.yml | 15 +++++++++++++--
 .gitignore | Bin 380 -> 570 bytes
 3 files changed, 34 insertions(+), 8 deletions(-)
diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 7ee8f49..d941558 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -72,12 +72,27 @@ jobs: steps: - name: Install Trivy run: | - # Pinned version — the upstream install.sh resolves the - # positional tag against the GitHub releases API; the `latest` - # tag is no longer published, so leaving it empty fails with - # `unable to find '' - use 'latest' or see ...`. v0.71.0 has - # Linux-ARM64 builds for the Pi runner. - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.71.0 + # Install Trivy from the official Docker image instead of the + # upstream install.sh. Rationale: + # 1. install.sh resolves the positional tag against the + # GitHub releases API; when a release is unpublished or + # yanked, the script fails with + # `unable to find '' - use 'latest' or see ...` + # even when the release once existed. We hit this with + # v0.71.0. + # 2. Docker Hub tags are content-addressed and rarely + # removed, so a pinned image tag is much more stable. + # 3. The image is multi-arch (linux/amd64, linux/arm64, + # linux/ppc64le, linux/s390x) so the same tag works on + # the GitHub-hosted runner and on the ARM64 Pi runner. + set -euo pipefail + TRIVY_VERSION="0.70.0" + docker pull --quiet "aquasec/trivy:${TRIVY_VERSION}" + docker create --name trivy-tmp "aquasec/trivy:${TRIVY_VERSION}" + docker cp trivy-tmp:/usr/local/bin/trivy /usr/local/bin/trivy + docker rm trivy-tmp >/dev/null + chmod +x /usr/local/bin/trivy + trivy --version - name: Scan Bot image run: |
diff --git a/.gitea/workflows/pr-checks.yml b/.gitea/workflows/pr-checks.yml
index de0f59e..8dfa56e 100644
--- a/.gitea/workflows/pr-checks.yml
+++ b/.gitea/workflows/pr-checks.yml
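Review bot: `aquasec/trivy:${TRIVY_VERSION}` in the new `docker pull`/`docker create` lines pins a tag, and a Docker Hub tag is a mutable pointer rather than a content address, so point 2 of the rationale comment ("content-addressed") overstates it and the pin does not protect against the tag being re-pointed at different content; pin the manifest digest as well, e.g. `TRIVY_IMAGE="aquasec/trivy:${TRIVY_VERSION}@sha256:<manifest digest, recorded once from docker buildx imagetools inspect>"`, and use that variable wherever the image is named. The fixed `--name trivy-tmp` is also fragile on the persistent ARM64 Pi runner: a job interrupted between `docker create` and `docker rm` leaves a container of that name behind, the next run's `docker create` then fails under `set -e` with a name conflict, and when `docker cp` fails the container is never removed; creating an unnamed container, capturing its id and removing it from an EXIT trap avoids both. Both points apply verbatim to the pr-checks.yml hunk. The enclosing steps list continues outside the hunk (the Scan Bot image step is cut off).
```yaml
        run: |
          # … unchanged: rationale comment and set -euo pipefail …
          TRIVY_VERSION="0.70.0"
          # <MANIFEST_DIGEST> is a placeholder for the manifest-list digest of the
          # pinned tag; a digest pin survives the tag being re-pointed.
          TRIVY_IMAGE="aquasec/trivy:${TRIVY_VERSION}@sha256:<MANIFEST_DIGEST>"
          docker pull --quiet "${TRIVY_IMAGE}"
          cid="$(docker create "${TRIVY_IMAGE}")"
          # Unnamed container removed from an EXIT trap: no clash with a stale
          # trivy-tmp on the self-hosted runner, and cleanup runs even if cp fails.
          trap 'docker rm "${cid}" >/dev/null 2>&1 || true' EXIT
          docker cp "${cid}:/usr/local/bin/trivy" /usr/local/bin/trivy
          # … unchanged: chmod and trivy --version …
```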
@@ -47,8 +47,19 @@ jobs: - name: Install Trivy run: | - # Pinned version — see deploy.yml for why. - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.71.0 + # Install Trivy from the official Docker image instead of the + # upstream install.sh. Rationale (see deploy.yml for the long + # version): the GitHub release tag we pinned (v0.71.0) was + # unpublished, and install.sh fails hard on missing tags. + # Docker Hub images are content-addressed and rarely removed, + # and the multi-arch manifest covers linux/amd64 + linux/arm64. + set -euo pipefail + TRIVY_VERSION="0.70.0" + docker pull --quiet "aquasec/trivy:${TRIVY_VERSION}" + docker create --name trivy-tmp "aquasec/trivy:${TRIVY_VERSION}" + docker cp trivy-tmp:/usr/local/bin/trivy /usr/local/bin/trivy + docker rm trivy-tmp >/dev/null + chmod +x /usr/local/bin/trivy trivy --version - name: Trivy filesystem security scan
diff --git a/.gitignore b/.gitignore
index fed626e8d7aff9709587872cfa012d7647370ca9..9753a668a712d33e31b5b9d585a27681fb2b5f6e 100644
GIT binary patch delta 268 zcmZ9GF^nEtxdR;sC~2haHKU-bpK uIH*mDDbi&hsd91_BgnF+PEseY&KZhjvqSyU%}I(sf`81%5Yfq4S@Q(bKwakm delta 76 zcmdnR@`q`I1*1zjLn=cOgDyh~kS=4;1Cm8RsK=1Qkk63Lz{|kJfUY8+p_HKnMFjwL Cjt)rx