99a58d7835
Trivy install keeps failing on the deploy workflow:

- empty TAG: install.sh falls back to 'latest', but the
  'latest' GitHub release tag is no longer published.
- pin v0.71.0: pin alone is not durable. The release got
  unpublished and install.sh now dies with
  'unable to find v0.71.0 - use latest'.

Switch to the official aquasec/trivy Docker image:

- Docker Hub tags are content-addressed and rarely removed,
  so the pin is durable.
- The image manifest ships linux/amd64, linux/arm64, linux/ppc64le
  and linux/s390x, so the same tag works on the GitHub-hosted
  runner and on the ARM64 Pi runner.
- We just need docker pull + docker cp /usr/local/bin/trivy.
- Pinned to 0.70.0 (April 2026) for reasonably current CVE data.

Also normalize .gitignore to plain UTF-8. The working copy had
been re-saved as UTF-16 LE by a Set-Content call without
-Encoding UTF8 (PowerShell 5.1 default on the local Windows box),
so git kept reporting 'Binary files differ' even though the rules
themselves were fine. Re-wrote through the editor to drop the
UTF-16 encoding and added rules for showcase-*.png, *.png.local,
and the test scratch dirs that keep creeping in.
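
Added example, not part of this commit or the project's code: a pre-commit style check for the encoding problem described above, which detects a .gitignore saved as UTF-16 (with or without a BOM) and rewrites it as plain UTF-8. The function names and the sample rules file are constructed for illustration.

```python
import codecs
import tempfile
from pathlib import Path

# BOM signatures. UTF-32 LE is listed before UTF-16 LE because its BOM
# (FF FE 00 00) begins with the UTF-16 LE BOM (FF FE).
BOMS = [
    (codecs.BOM_UTF32_LE, "utf-32"),
    (codecs.BOM_UTF32_BE, "utf-32"),
    (codecs.BOM_UTF8, "utf-8-sig"),
    (codecs.BOM_UTF16_LE, "utf-16"),
    (codecs.BOM_UTF16_BE, "utf-16"),
]

def sniff_encoding(raw: bytes) -> str:
    """Return the Python codec needed to decode raw ('utf-8' if already plain)."""
    for bom, codec in BOMS:
        if raw.startswith(bom):
            return codec
    if b"\x00" in raw:
        # No BOM, but NUL bytes: UTF-16 without a signature. For mostly-ASCII
        # text the NULs sit at odd offsets in LE and at even offsets in BE.
        odd, even = raw[1::2].count(0), raw[0::2].count(0)
        return "utf-16-le" if odd >= even else "utf-16-be"
    return "utf-8"

def normalize_to_utf8(path: Path) -> bool:
    """Rewrite path as BOM-less UTF-8. Returns True if the file was changed."""
    raw = path.read_bytes()
    clean = raw.decode(sniff_encoding(raw)).encode("utf-8")  # raises on invalid bytes
    if clean == raw:
        return False
    path.write_bytes(clean)
    return True

def demo() -> tuple:
    # Constructed sample: two of the rules named in the commit, saved as UTF-16 LE.
    rules = "showcase-*.png\n*.png.local\n"
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / ".gitignore"
        target.write_bytes(codecs.BOM_UTF16_LE + rules.encode("utf-16-le"))
        before = sniff_encoding(target.read_bytes())
        changed = normalize_to_utf8(target)
        return before, changed, target.read_bytes()

if __name__ == "__main__":
    print(demo())
```

Run against the repository's tracked text files in a pre-commit hook or CI step, a True return from normalize_to_utf8 marks a file that was re-saved in the wrong encoding.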