Toutsu/GmRelayBot
1
1
Fork 0
Code Issues 18 Pull Requests 1 Actions Packages Projects Releases 85 Wiki Activity

ci: install Trivy from official Docker image; normalize .gitignore to UTF-8
Deploy Telegram Bot / build-and-push (push) Successful in 52s
Details
Deploy Telegram Bot / scan-images (push) Successful in 3m0s
Details
Deploy Telegram Bot / deploy (push) Successful in 43s
Details

Browse Source 
Trivy install keeps failing on the deploy workflow:

  - empty TAG: install.sh falls back to 'latest', but the
    'latest' GitHub release tag is no longer published.
  - pin v0.71.0: pin alone is not durable. The release got
    unpublished and install.sh now dies with
    'unable to find v0.71.0 - use latest'.

Switch to the official aquasec/trivy Docker image:

  - Docker Hub tags are content-addressed and rarely removed,
    so the pin is durable.
  - The image manifest ships linux/amd64, linux/arm64, linux/ppc64le
    and linux/s390x, so the same tag works on the GitHub-hosted
    runner and on the ARM64 Pi runner.
  - We just need docker pull + docker cp /usr/local/bin/trivy.
  - Pinned to 0.70.0 (April 2026) for reasonably current CVE data.

Also normalize .gitignore to plain UTF-8. The working copy had
been re-saved as UTF-16 LE by a Set-Content call without
-Encoding UTF8 (PowerShell 5.1 default on the local Windows box),
so git kept reporting 'Binary files differ' even though the rules
themselves were fine. Re-wrote through the editor to drop the
UTF-16 encoding and added rules for showcase-*.png, *.png.local,
and the test scratch dirs that keep creeping in.
This commit is contained in:
Toutsu
2026-06-08 12:09:19 +03:00
parent f491727cec
commit 99a58d7835
3 changed files with 34 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/deploy.yml
+21 -6
View File
@@ -72,12 +72,27 @@ jobs:
steps: steps:
- name: Install Trivy - name: Install Trivy
run: | run: |
# Pinned version — the upstream install.sh resolves the # Install Trivy from the official Docker image instead of the
# positional tag against the GitHub releases API; the `latest` # upstream install.sh. Rationale:
# tag is no longer published, so leaving it empty fails with # 1. install.sh resolves the positional tag against the
# `unable to find '' - use 'latest' or see ...`. v0.71.0 has # GitHub releases API; when a release is unpublished or
# Linux-ARM64 builds for the Pi runner. # yanked, the script fails with
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.71.0 # `unable to find '<tag>' - use 'latest' or see ...`
# even when the release once existed. We hit this with
# v0.71.0.
# 2. Docker Hub tags are content-addressed and rarely
# removed, so a pinned image tag is much more stable.
# 3. The image is multi-arch (linux/amd64, linux/arm64,
# linux/ppc64le, linux/s390x) so the same tag works on
# the GitHub-hosted runner and on the ARM64 Pi runner.
set -euo pipefail
TRIVY_VERSION="0.70.0"
docker pull --quiet "aquasec/trivy:${TRIVY_VERSION}"
docker create --name trivy-tmp "aquasec/trivy:${TRIVY_VERSION}"
docker cp trivy-tmp:/usr/local/bin/trivy /usr/local/bin/trivy
docker rm trivy-tmp >/dev/null
chmod +x /usr/local/bin/trivy
trivy --version
- name: Scan Bot image - name: Scan Bot image
run: | run: |
.gitea/workflows/pr-checks.yml
+13 -2
View File
@@ -47,8 +47,19 @@ jobs:
- name: Install Trivy - name: Install Trivy
run: | run: |
# Pinned version — see deploy.yml for why. # Install Trivy from the official Docker image instead of the
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.71.0 # upstream install.sh. Rationale (see deploy.yml for the long
# version): the GitHub release tag we pinned (v0.71.0) was
# unpublished, and install.sh fails hard on missing tags.
# Docker Hub images are content-addressed and rarely removed,
# and the multi-arch manifest covers linux/amd64 + linux/arm64.
set -euo pipefail
TRIVY_VERSION="0.70.0"
docker pull --quiet "aquasec/trivy:${TRIVY_VERSION}"
docker create --name trivy-tmp "aquasec/trivy:${TRIVY_VERSION}"
docker cp trivy-tmp:/usr/local/bin/trivy /usr/local/bin/trivy
docker rm trivy-tmp >/dev/null
chmod +x /usr/local/bin/trivy
trivy --version trivy --version
- name: Trivy filesystem security scan - name: Trivy filesystem security scan
.gitignore
BIN
View File
Binary file not shown.