feat: add token for setup-trivy (#421)

* feat: add `token-setup-trivy` input.

* docs: add info about `token-setup-trivy`

* fix: use correct commit

* refactor: use `default: ${{ github.token }}` for `token-setup-trivy`

* refactor: use `setup-trivy` v0.2.2

README.md

@@ -279,6 +279,22 @@ jobs:
           skip-setup-trivy: true
 ```
 
+#### Use non-default token to install Trivy
+GitHub Enterprise Server (GHES) uses an invalid `github.token` for `https://github.com` server.
+Therefore, you can't install `Trivy` using the `setup-trivy` action.
+
+To fix this problem, you need to overwrite the token for `setup-trivy` using `token-setup-trivy` input:
+```yaml
+    - name: Run Trivy scanner without cache
+      uses: aquasecurity/trivy-action@0.28.0
+      with:
+        scan-type: 'fs'
+        scan-ref: '.'
+        token-setup-trivy: ${{ secrets.GITHUB_PAT }}
+```
+
+GitHub even has [create-github-app-token](https://github.com/actions/create-github-app-token) for similar cases.
+
 ### Scanning a Tarball
 ```yaml
 name: build
@@ -777,6 +793,7 @@ Following inputs can be used as `step.with` keys:
 | `docker-host`                | String  |                                    | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values                                      |
 | `version`                    | String  | `v0.56.1`                          | Trivy version to use, e.g. `latest` or `v0.56.1`                                                                                                               |
 | `skip-setup-trivy`           | Boolean | false                              | Skip calling the `setup-trivy` action to install `trivy`                                                                                                       |
+| `token-setup-trivy`          | Boolean |                                    | Overwrite `github.token` used by `setup-trivy` to checkout the `trivy` repository                                                                              |
 
 ### Environment variables
 You can use [Trivy environment variables][trivy-env] to set the necessary options (including flags that are not supported by [Inputs](#inputs), such as `--secret-config`).

action.yaml

@@ -107,16 +107,26 @@ inputs:
     description: 'skip calling the setup-trivy action to install trivy'
     required: false
     default: 'false'
+  token-setup-trivy:
+    description: >
+      `token-setup-trivy` is required when `github.token` in invalid for `https://github.com` server.
+      See https://github.com/aquasecurity/setup-trivy/?tab=readme-ov-file#install-trivy-with-non-default-token for more details.
+      `token-setup-trivy` is only used to fetch the Trivy repository in `setup-trivy`
+    required: false
+    ## ${{ github.token }} is default value for actions/checkout
+    ## cf. https://github.com/actions/checkout/blob/eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871/action.yml#L24
+    default: ${{ github.token }}
 
 runs:
   using: 'composite'
   steps:
     - name: Install Trivy
       if: ${{ inputs.skip-setup-trivy == 'false' }}
-      uses: aquasecurity/setup-trivy@v0.2.1
+      uses: aquasecurity/setup-trivy@v0.2.2
       with:
         version: ${{ inputs.version }}
         cache: ${{ inputs.cache }}
+        token: ${{ inputs.token-setup-trivy }}
 
     - name: Get current date
       id: date