test: use pinned digests for trivy-db, trivy-java-db and trivy-checks (#555)

2026-05-14 03:02:40 +00:00 · 2026-04-13 14:53:11 +06:00
parent aeb13962e8
commit 264c9c5e18
5 changed files with 3 additions and 102 deletions
@@ -1,32 +0,0 @@
-name: Sync Trivy Checks
-
-on:
-  workflow_dispatch:
-env:
-  IMAGE_NAME: ${{ github.repository_owner }}/trivy-checks-act
-  REGISTRY: ghcr.io
-
-jobs:
-  sync-trivy-checks:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
-    steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
-        with:
-          persist-credentials: false
-
-      - name: setup-oras
-        uses: oras-project/setup-oras@8d34698a59f5ffe24821f0b48ab62a3de8b64b20 # v1.2.3
-
-      - name: Login to GitHub Packages Container registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Copy Trivy Checks
-        run: |
-          oras cp ghcr.io/aquasecurity/trivy-checks:2 "${REGISTRY}/${IMAGE_NAME}:latest"
@@ -1,32 +0,0 @@
-name: Sync Trivy DB
-
-on:
-  workflow_dispatch:
-env:
-  IMAGE_NAME: ${{ github.repository_owner }}/trivy-db-act
-  REGISTRY: ghcr.io
-
-jobs:
-  sync-trivy-db:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
-    steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
-        with:
-          persist-credentials: false
-
-      - name: setup-oras
-        uses: oras-project/setup-oras@8d34698a59f5ffe24821f0b48ab62a3de8b64b20 # v1.2.3
-
-      - name: Login to GitHub Packages Container registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Copy Trivy DB
-        run: |
-          oras cp ghcr.io/aquasecurity/trivy-db:2 "${REGISTRY}/${IMAGE_NAME}:latest"
@@ -1,32 +0,0 @@
-name: Sync Trivy Java DB
-
-on:
-  workflow_dispatch:
-env:
-  IMAGE_NAME: ${{ github.repository_owner }}/trivy-java-db-act
-  REGISTRY: ghcr.io
-
-jobs:
-  sync-trivy-db:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
-    steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
-        with:
-          persist-credentials: false
-
-      - name: setup-oras
-        uses: oras-project/setup-oras@8d34698a59f5ffe24821f0b48ab62a3de8b64b20 # v1.2.3
-
-      - name: Login to GitHub Packages Container registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Copy Trivy Java DB
-        run: |
-          oras cp ghcr.io/aquasecurity/trivy-java-db:1 "${REGISTRY}/${IMAGE_NAME}:latest"
@@ -25,7 +25,6 @@ ACTION_FILE := action.yaml
 CURRENT_TRIVY_VERSION := $(shell yq '.inputs.version.default' $(ACTION_FILE) 2>/dev/null | tr -d 'v')

 BATS_ENV := BATS_LIB_PATH=$(BATS_LIB_PATH) \
-	GITHUB_REPOSITORY_OWNER=aquasecurity \
 	TRIVY_CACHE_DIR=$(CACHE_DIR) \
 	TRIVY_DEBUG=true

@@ -23,11 +23,9 @@ teardown() {
 }

 setup_trivy_env() {
-  local owner="${GITHUB_REPOSITORY_OWNER:-aquasecurity}"
-
-  export TRIVY_DB_REPOSITORY="ghcr.io/${owner}/trivy-db-act:latest"
-  export TRIVY_JAVA_DB_REPOSITORY="ghcr.io/${owner}/trivy-java-db-act:latest"
-  export TRIVY_CHECKS_BUNDLE_REPOSITORY="ghcr.io/${owner}/trivy-checks-act:latest"
+  export TRIVY_DB_REPOSITORY="ghcr.io/aquasecurity/trivy-db@sha256:7f8b879d4c23469b09c874b18d64a7eedea95f0ce08ea1862a783dc8d799be6f"
+  export TRIVY_JAVA_DB_REPOSITORY="ghcr.io/aquasecurity/trivy-java-db@sha256:f60faf3353edb6556f676c83c8b26d8a60398feab31ab2ec591537707a7354ba"
+  export TRIVY_CHECKS_BUNDLE_REPOSITORY="ghcr.io/aquasecurity/trivy-checks@sha256:b63166ca02aa09e30a5127320384d7bd0d2760dc19bab3ab7041a6070114ba45" # v2.2.0

  export TRIVY_LIST_ALL_PKGS=false
  export TRIVY_DISABLE_VEX_NOTICE=true