ci: install Trivy from official Docker image; normalize .gitignore to UTF-8
Trivy install keeps failing on the deploy workflow:
- empty TAG: install.sh falls back to 'latest', but the
'latest' GitHub release tag is no longer published.
- pin v0.71.0: pin alone is not durable. The release got
unpublished and install.sh now dies with
'unable to find v0.71.0 - use latest'.
Switch to the official aquasec/trivy Docker image:
- Docker Hub tags are content-addressed and rarely removed,
so the pin is durable.
- The image manifest ships linux/amd64, linux/arm64, linux/ppc64le
and linux/s390x, so the same tag works on the GitHub-hosted
runner and on the ARM64 Pi runner.
- We just need docker pull + docker cp /usr/local/bin/trivy.
- Pinned to 0.70.0 (April 2026) for reasonably current CVE data.
Also normalize .gitignore to plain UTF-8. The working copy had
been re-saved as UTF-16 LE by a Set-Content call without
-Encoding UTF8 (PowerShell 5.1 default on the local Windows box),
so git kept reporting 'Binary files differ' even though the rules
themselves were fine. Re-wrote through the editor to drop the
UTF-16 encoding and added rules for showcase-*.png, *.png.local,
and the test scratch dirs that keep creeping in.
This commit is contained in:
@@ -72,12 +72,27 @@ jobs:
|
||||
steps:
|
||||
- name: Install Trivy
|
||||
run: |
|
||||
# Pinned version — the upstream install.sh resolves the
|
||||
# positional tag against the GitHub releases API; the `latest`
|
||||
# tag is no longer published, so leaving it empty fails with
|
||||
# `unable to find '' - use 'latest' or see ...`. v0.71.0 has
|
||||
# Linux-ARM64 builds for the Pi runner.
|
||||
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.71.0
|
||||
# Install Trivy from the official Docker image instead of the
|
||||
# upstream install.sh. Rationale:
|
||||
# 1. install.sh resolves the positional tag against the
|
||||
# GitHub releases API; when a release is unpublished or
|
||||
# yanked, the script fails with
|
||||
# `unable to find '<tag>' - use 'latest' or see ...`
|
||||
# even when the release once existed. We hit this with
|
||||
# v0.71.0.
|
||||
# 2. Docker Hub tags are content-addressed and rarely
|
||||
# removed, so a pinned image tag is much more stable.
|
||||
# 3. The image is multi-arch (linux/amd64, linux/arm64,
|
||||
# linux/ppc64le, linux/s390x) so the same tag works on
|
||||
# the GitHub-hosted runner and on the ARM64 Pi runner.
|
||||
set -euo pipefail
|
||||
TRIVY_VERSION="0.70.0"
|
||||
docker pull --quiet "aquasec/trivy:${TRIVY_VERSION}"
|
||||
docker create --name trivy-tmp "aquasec/trivy:${TRIVY_VERSION}"
|
||||
docker cp trivy-tmp:/usr/local/bin/trivy /usr/local/bin/trivy
|
||||
docker rm trivy-tmp >/dev/null
|
||||
chmod +x /usr/local/bin/trivy
|
||||
trivy --version
|
||||
|
||||
- name: Scan Bot image
|
||||
run: |
|
||||
|
||||
@@ -47,8 +47,19 @@ jobs:
|
||||
|
||||
- name: Install Trivy
|
||||
run: |
|
||||
# Pinned version — see deploy.yml for why.
|
||||
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.71.0
|
||||
# Install Trivy from the official Docker image instead of the
|
||||
# upstream install.sh. Rationale (see deploy.yml for the long
|
||||
# version): the GitHub release tag we pinned (v0.71.0) was
|
||||
# unpublished, and install.sh fails hard on missing tags.
|
||||
# Docker Hub images are content-addressed and rarely removed,
|
||||
# and the multi-arch manifest covers linux/amd64 + linux/arm64.
|
||||
set -euo pipefail
|
||||
TRIVY_VERSION="0.70.0"
|
||||
docker pull --quiet "aquasec/trivy:${TRIVY_VERSION}"
|
||||
docker create --name trivy-tmp "aquasec/trivy:${TRIVY_VERSION}"
|
||||
docker cp trivy-tmp:/usr/local/bin/trivy /usr/local/bin/trivy
|
||||
docker rm trivy-tmp >/dev/null
|
||||
chmod +x /usr/local/bin/trivy
|
||||
trivy --version
|
||||
|
||||
- name: Trivy filesystem security scan
|
||||
|
||||
BIN
Binary file not shown.
Reference in New Issue
Block a user