Trivy install keeps failing on the deploy workflow:
- empty TAG: install.sh falls back to 'latest', but the
'latest' GitHub release tag is no longer published.
- pin v0.71.0: pin alone is not durable. The release got
unpublished and install.sh now dies with
'unable to find v0.71.0 - use latest'.
Switch to the official aquasec/trivy Docker image:
- Docker Hub tags are content-addressed and rarely removed,
so the pin is durable.
- The image manifest ships linux/amd64, linux/arm64, linux/ppc64le
and linux/s390x, so the same tag works on the GitHub-hosted
runner and on the ARM64 Pi runner.
- We just need docker pull + docker cp /usr/local/bin/trivy.
- Pinned to 0.70.0 (April 2026) for reasonably current CVE data.
Also normalize .gitignore to plain UTF-8. The working copy had
been re-saved as UTF-16 LE by a Set-Content call without
-Encoding UTF8 (PowerShell 5.1 default on the local Windows box),
so git kept reporting 'Binary files differ' even though the rules
themselves were fine. Rewrote through the editor to drop the
UTF-16 encoding and added rules for showcase-*.png, *.png.local,
and the test scratch dirs that keep creeping in.
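The docker pull + docker cp install described above, as an added POSIX sh example rather than the repository's own workflow step: the image name aquasec/trivy, the 0.70.0 pin and the /usr/local/bin/trivy path inside the image are taken from the message, while the function and variable names are assumptions. It fails the step explicitly when the binary does not arrive, so a missing tag cannot slip through as a silent 'latest' fallback.

```shell
#!/bin/sh
# Added example (not the repository's own CI code): fetch the trivy
# binary from the aquasec/trivy image instead of install.sh, so the
# step survives a GitHub release tag being unpublished.
# Assumptions: docker is on PATH and the runner can reach Docker Hub.
set -eu

TRIVY_IMAGE="${TRIVY_IMAGE:-aquasec/trivy}"
TRIVY_VERSION="${TRIVY_VERSION:-0.70.0}"   # pinned tag, never 'latest'
TRIVY_BIN_IN_IMAGE="/usr/local/bin/trivy"  # path from the commit message

# install_trivy_from_image DEST_DIR
# docker resolves the manifest list to the runner's own platform, so the
# amd64 GitHub-hosted runner and the ARM64 Pi runner share one tag.
# A stopped container is enough: nothing inside the image is executed.
# Prints the installed binary path; returns 1 if the copy did not land.
install_trivy_from_image() {
    dest_dir="$1"
    ref="${TRIVY_IMAGE}:${TRIVY_VERSION}"
    mkdir -p "$dest_dir"
    docker pull --quiet "$ref" >/dev/null
    cid="$(docker create "$ref")"
    docker cp "${cid}:${TRIVY_BIN_IN_IMAGE}" "${dest_dir}/trivy"
    docker rm -f "$cid" >/dev/null
    if [ ! -x "${dest_dir}/trivy" ]; then
        echo "trivy binary missing after docker cp from ${ref}" >&2
        return 1
    fi
    echo "${dest_dir}/trivy"
}

# Opt-in entry point so sourcing this file for its function is side-effect free:
#   TRIVY_RUN_INSTALL=1 sh install-trivy.sh /usr/local/bin
if [ "${TRIVY_RUN_INSTALL:-0}" = "1" ]; then
    install_trivy_from_image "${1:-/usr/local/bin}"
fi
```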
The previous 'curl ... | sh -s -- -b /usr/local/bin' call passed no
positional tag, so the install script fell back to the GitHub 'latest'
tag. aquasecurity/trivy no longer publishes a 'latest' release tag, so
the CI failed at 'Install Trivy' with:
aquasecurity/trivy crit unable to find '' - use 'latest' or see ...
This blocked the entire 3.9.1 hotfix deploy: build-and-push succeeded
(3 fresh 3.9.1 images pushed to git.codeanddice.ru), but scan-images
never ran and deploy was skipped. Production still runs 3.9.0 with the
broken wizard.
Pass 'v0.71.0' as the positional tag; v0.71.0 has Linux-ARM64 and
Linux-AMD64 builds so both the deploy runner (RPi 5) and pr-checks
runner pick the right tarball.
Add a separate GmRelay.DiscordBot worker using NetCord Gateway with startup token validation, PostgreSQL datasource registration, slash-command setup, component interaction service registration, and lifecycle logging.
Wire the Discord service through Aspire AppHost, Docker Compose, PR checks, deploy image build/push/scan/pull steps, README docs, and synchronized version 2.2.0.
Add TDD coverage for project isolation, token validation, startup wiring, runtime wiring, and version synchronization.
Bump version -> 2.2.0
- SecurityCodeScan.VS2019 5.6.7 injected into Directory.Build.props
scans all C# source during every dotnet build
- HIGH/CRITICAL findings fail the build because TreatWarningsAsErrors=true
- No extra CI step needed: analyzer runs inside every build job automatically
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- PR checks: filesystem scan with Trivy (vuln, secret, misconfig)
- Deploy pipeline: image scan for bot and web containers before deploy
- Scans entire repository, not filtered file subsets
- Bump version -> 1.14.0
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Enable NuGet lock files so Trivy has dependency targets, fail PR checks when no lock files or language-specific files are detected, and let the installer fetch the latest Trivy release.