chore: comment on deployment steps

2026-05-14 11:12:40 +00:00 · 2026-04-13 13:51:31 +06:00
16 changed files with 163 additions and 81 deletions
@@ -1,12 +0,0 @@
-version: 2
-updates:
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "weekly"
-    cooldown:
-      default-days: 7
-    groups:
-      actions:
-        patterns:
-          - "*"
@@ -16,7 +16,7 @@ jobs:
    permissions:
      contents: read # for actions/checkout
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          persist-credentials: false

@@ -27,7 +27,7 @@ jobs:

      - name: Setup Bats and bats libs
        id: setup-bats
-        uses: bats-core/bats-action@77d6fb60505b4d0d1d73e48bd035b55074bbfb43 # 4.0.0
+        uses: bats-core/bats-action@42fcc8700f773c075a16a90eb11674c0318ad507 # 3.0.1

      - name: Install Trivy
        run: make ensure-trivy TRIVY_INSTALL_DIR=/usr/local/bin
@@ -42,26 +42,26 @@ jobs:
          BATS_LIB_PATH: ${{ steps.setup-bats.outputs.lib-path }}
        run: make test

-      - name: Create PR
-        env:
-          GH_TOKEN: ${{ secrets.TRIVY_ACTION_DEPLOY_TOKEN }}
-          TRIVY_VERSION: ${{ inputs.trivy_version }}
-          REPO: ${{ github.repository }}
-          BASE_BRANCH: ${{ github.event.repository.default_branch }}
-        run: |
-          gh auth setup-git
-          git config user.name "GitHub Actions"
-          git config user.email "actions@github.com"
-          BRANCH="bump-trivy-${TRIVY_VERSION}"
-          git checkout -b "${BRANCH}"
-          git add action.yaml README.md test/
-          git commit -m "chore(deps): Update trivy to v${TRIVY_VERSION}"
-          git push origin "${BRANCH}"
-          PR_RESPONSE=$(gh api repos/${REPO}/pulls \
-            --method POST \
-            --field title="chore(deps): Update trivy to v${TRIVY_VERSION}" \
-            --field body="This PR was automatically generated by the bump-trivy workflow." \
-            --field base="${BASE_BRANCH}" \
-            --field head="${BRANCH}")
-          echo "Pull Request Number - $(echo "${PR_RESPONSE}" | jq -r '.number')"
-          echo "Pull Request URL - $(echo "${PR_RESPONSE}" | jq -r '.html_url')"
+      # - name: Create PR
+      #   env:
+      #     GH_TOKEN: ${{ secrets.TRIVY_ACTION_DEPLOY_TOKEN }}
+      #     TRIVY_VERSION: ${{ inputs.trivy_version }}
+      #     REPO: ${{ github.repository }}
+      #     BASE_BRANCH: ${{ github.event.repository.default_branch }}
+      #   run: |
+      #     gh auth setup-git
+      #     git config user.name "github-actions[bot]"
+      #     git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+      #     BRANCH="bump-trivy-${TRIVY_VERSION}"
+      #     git checkout -b "${BRANCH}"
+      #     git add action.yaml README.md test/
+      #     git commit -m "chore(deps): Update trivy to v${TRIVY_VERSION}"
+      #     git push origin "${BRANCH}"
+      #     PR_RESPONSE=$(gh api repos/${REPO}/pulls \
+      #       --method POST \
+      #       --field title="chore(deps): Update trivy to v${TRIVY_VERSION}" \
+      #       --field body="This PR was automatically generated by the bump-trivy workflow." \
+      #       --field base="${BASE_BRANCH}" \
+      #       --field head="${BRANCH}")
+      #     echo "Pull Request Number - $(echo "${PR_RESPONSE}" | jq -r '.number')"
+      #     echo "Pull Request URL - $(echo "${PR_RESPONSE}" | jq -r '.html_url')"
@@ -0,0 +1,32 @@
+name: Sync Trivy Checks
+
+on:
+  workflow_dispatch:
+env:
+  IMAGE_NAME: ${{ github.repository_owner }}/trivy-checks-act
+  REGISTRY: ghcr.io
+
+jobs:
+  sync-trivy-checks:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
+
+      - name: setup-oras
+        uses: oras-project/setup-oras@8d34698a59f5ffe24821f0b48ab62a3de8b64b20 # v1.2.3
+
+      - name: Login to GitHub Packages Container registry
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Copy Trivy Checks
+        run: |
+          oras cp ghcr.io/aquasecurity/trivy-checks:2 "${REGISTRY}/${IMAGE_NAME}:latest"
@@ -0,0 +1,32 @@
+name: Sync Trivy DB
+
+on:
+  workflow_dispatch:
+env:
+  IMAGE_NAME: ${{ github.repository_owner }}/trivy-db-act
+  REGISTRY: ghcr.io
+
+jobs:
+  sync-trivy-db:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
+
+      - name: setup-oras
+        uses: oras-project/setup-oras@8d34698a59f5ffe24821f0b48ab62a3de8b64b20 # v1.2.3
+
+      - name: Login to GitHub Packages Container registry
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Copy Trivy DB
+        run: |
+          oras cp ghcr.io/aquasecurity/trivy-db:2 "${REGISTRY}/${IMAGE_NAME}:latest"
@@ -0,0 +1,32 @@
+name: Sync Trivy Java DB
+
+on:
+  workflow_dispatch:
+env:
+  IMAGE_NAME: ${{ github.repository_owner }}/trivy-java-db-act
+  REGISTRY: ghcr.io
+
+jobs:
+  sync-trivy-db:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
+
+      - name: setup-oras
+        uses: oras-project/setup-oras@8d34698a59f5ffe24821f0b48ab62a3de8b64b20 # v1.2.3
+
+      - name: Login to GitHub Packages Container registry
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Copy Trivy Java DB
+        run: |
+          oras cp ghcr.io/aquasecurity/trivy-java-db:1 "${REGISTRY}/${IMAGE_NAME}:latest"
@@ -14,12 +14,12 @@ jobs:
    permissions:
      contents: read
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          persist-credentials: false

      - name: Run zizmor
-        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+        uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
        with:
          advanced-security: false

@@ -28,13 +28,13 @@ jobs:
    permissions:
      contents: read
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          persist-credentials: false

      - name: Setup Bats and bats libs
        id: setup-bats
-        uses: bats-core/bats-action@77d6fb60505b4d0d1d73e48bd035b55074bbfb43 # 4.0.0
+        uses: bats-core/bats-action@42fcc8700f773c075a16a90eb11674c0318ad507 # 3.0.1

      - name: Install Trivy
        run: make ensure-trivy TRIVY_INSTALL_DIR=/usr/local/bin
@@ -25,6 +25,7 @@ ACTION_FILE := action.yaml
 CURRENT_TRIVY_VERSION := $(shell yq '.inputs.version.default' $(ACTION_FILE) 2>/dev/null | tr -d 'v')

 BATS_ENV := BATS_LIB_PATH=$(BATS_LIB_PATH) \
+	GITHUB_REPOSITORY_OWNER=aquasecurity \
 	TRIVY_CACHE_DIR=$(CACHE_DIR) \
 	TRIVY_DEBUG=true

@@ -50,7 +50,7 @@ jobs:
      - name: Build an image from Dockerfile
        run: docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@v0.36.0
+        uses: aquasecurity/trivy-action@0.33.1
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'table'
@@ -78,7 +78,7 @@ jobs:
      uses: actions/checkout@v4

    - name: Run Trivy vulnerability scanner in fs mode
-      uses: aquasecurity/trivy-action@v0.36.0
+      uses: aquasecurity/trivy-action@0.33.1
      with:
        scan-type: 'fs'
        scan-ref: '.'
@@ -119,7 +119,7 @@ If you want to disable caching, set the `cache` input to `false`, but we recomme

 ```yaml
    - name: Run Trivy scanner without cache
-      uses: aquasecurity/trivy-action@v0.36.0
+      uses: aquasecurity/trivy-action@0.33.1
      with:
        scan-type: 'fs'
        scan-ref: '.'
@@ -180,7 +180,7 @@ When running a scan, set the environment variables `TRIVY_SKIP_DB_UPDATE` and `T

 ```yaml
    - name: Run Trivy scanner without downloading DBs
-      uses: aquasecurity/trivy-action@v0.36.0
+      uses: aquasecurity/trivy-action@0.33.1
      with:
        scan-type: 'image'
        scan-ref: 'myimage'
@@ -215,7 +215,7 @@ jobs:
      uses: aquasecurity/setup-trivy@v0.2.0
      with:
        cache: true
-        version: v0.70.0
+        version: v0.69.3

    - name: Run Trivy vulnerability scanner in repo mode
      uses: aquasecurity/trivy-action@master
@@ -287,7 +287,7 @@ Therefore, you can't install `Trivy` using the `setup-trivy` action.
 To fix this problem, you need to overwrite the token for `setup-trivy` using `token-setup-trivy` input:
 ```yaml
    - name: Run Trivy scanner without cache
-      uses: aquasecurity/trivy-action@v0.36.0
+      uses: aquasecurity/trivy-action@0.33.1
      with:
        scan-type: 'fs'
        scan-ref: '.'
@@ -318,7 +318,7 @@ jobs:
        docker save -o vuln-image.tar <your-docker-image>

    - name: Run Trivy vulnerability scanner in tarball mode
-      uses: aquasecurity/trivy-action@v0.36.0
+      uses: aquasecurity/trivy-action@0.33.1
      with:
        input: /github/workspace/vuln-image.tar
        severity: 'CRITICAL,HIGH'
@@ -345,7 +345,7 @@ jobs:
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@v0.36.0
+        uses: aquasecurity/trivy-action@0.33.1
        with:
          scan-type: "fs"
          scan-ref: .
@@ -374,7 +374,7 @@ jobs:
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@v0.36.0
+        uses: aquasecurity/trivy-action@0.33.1
        with:
          scan-type: "fs"
          scan-ref: .
@@ -407,7 +407,7 @@ jobs:
          docker build -t docker.io/my-organization/my-app:${{ github.sha }} .

      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@v0.36.0
+        uses: aquasecurity/trivy-action@0.33.1
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'sarif'
@@ -445,7 +445,7 @@ jobs:
          docker build -t docker.io/my-organization/my-app:${{ github.sha }} .

      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@v0.36.0
+        uses: aquasecurity/trivy-action@0.33.1
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'sarif'
@@ -483,7 +483,7 @@ jobs:
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@v0.36.0
+        uses: aquasecurity/trivy-action@0.33.1
        with:
          scan-type: 'fs'
          ignore-unfixed: true
@@ -520,7 +520,7 @@ jobs:
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner with rootfs command
-        uses: aquasecurity/trivy-action@v0.36.0
+        uses: aquasecurity/trivy-action@0.33.1
        with:
          scan-type: 'rootfs'
          scan-ref: 'rootfs-example-binary'
@@ -560,7 +560,7 @@ jobs:
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner in IaC mode
-        uses: aquasecurity/trivy-action@v0.36.0
+        uses: aquasecurity/trivy-action@0.33.1
        with:
          scan-type: 'config'
          hide-progress: true
@@ -617,7 +617,7 @@ jobs:
        uses: actions/checkout@v4

      - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
-        uses: aquasecurity/trivy-action@v0.36.0
+        uses: aquasecurity/trivy-action@0.33.1
        with:
          scan-type: 'fs'
          format: 'github'
@@ -647,7 +647,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Scan image in a private registry
-        uses: aquasecurity/trivy-action@v0.36.0
+        uses: aquasecurity/trivy-action@0.33.1
        with:
          image-ref: "private_image_registry/image_name:image_tag"
          scan-type: image
@@ -693,7 +693,7 @@ jobs:
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@v0.36.0
+        uses: aquasecurity/trivy-action@0.33.1
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'sarif'
@@ -732,7 +732,7 @@ jobs:
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@v0.36.0
+        uses: aquasecurity/trivy-action@0.33.1
        with:
          image-ref: 'aws_account_id.dkr.ecr.region.amazonaws.com/imageName:${{ github.sha }}'
          format: 'sarif'
@@ -751,7 +751,7 @@ jobs:
 #### GCR (Google Container Registry)
 Trivy uses Google Cloud SDK. You don't need to install `gcloud` command.

-If you want to use target project's repository, you can set it via `GOOGLE_APPLICATION_CREDENTIALS`.
+If you want to use target project's repository, you can set it via `GOOGLE_APPLICATION_CREDENTIAL`.
 ```yaml
 name: build
 on:
@@ -771,13 +771,13 @@ jobs:
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@v0.36.0
+        uses: aquasecurity/trivy-action@0.33.1
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'sarif'
          output: 'trivy-results.sarif'
        env:
-          GOOGLE_APPLICATION_CREDENTIALS: /path/to/credential.json
+          GOOGLE_APPLICATION_CREDENTIAL: /path/to/credential.json

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
@@ -807,7 +807,7 @@ jobs:
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@v0.36.0
+        uses: aquasecurity/trivy-action@0.33.1
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'sarif'
@@ -830,7 +830,7 @@ This step is especially useful for private repositories without [GitHub Advanced

 ```yaml
 - name: Run Trivy scanner
-  uses: aquasecurity/trivy-action@v0.36.0
+  uses: aquasecurity/trivy-action@0.33.1
  with:
    scan-type: config
    hide-progress: true
@@ -891,7 +891,7 @@ Following inputs can be used as `step.with` keys:
 | `github-pat`                 | String  |                                    | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN          |
 | `limit-severities-for-sarif` | Boolean | false                              | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true**   |
 | `docker-host`                | String  |                                    | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values (`unix:/` or other prefix is required) |
-| `version`                    | String  | `v0.70.0`                          | Trivy version to use, e.g. `latest` or `v0.70.0`                                                                                                                 |
+| `version`                    | String  | `v0.69.3`                          | Trivy version to use, e.g. `latest` or `v0.69.3`                                                                                                                 |
 | `skip-setup-trivy`           | Boolean | false                              | Skip calling the `setup-trivy` action to install `trivy`                                                                                                         |
 | `token-setup-trivy`          | Boolean |                                    | Overwrite `github.token` used by `setup-trivy` to checkout the `trivy` repository                                                                                |

@@ -98,7 +98,7 @@ inputs:
  version:
    description: 'Trivy version to use'
    required: false
-    default: 'v0.70.0'
+    default: 'v0.69.3'
  cache:
    description: 'Used to specify whether caching is needed. Set to false, if you would like to disable caching.'
    required: false
@@ -126,7 +126,7 @@ runs:
      # "allowing select actions" feature can be used to whitelist the dependent action by a hash.
      # This is needed since some organizations have a policy to only allow pinned 3rd party actions to 
      # be used.
-      uses: aquasecurity/setup-trivy@3fb12ec12f41e471780db15c232d5dd185dcb514 # v0.2.6
+      uses: aquasecurity/setup-trivy@e6c2c5e321ed9123bda567646e2f96565e34abe1 # equivalent to `v0.2.4`
      with:
        version: ${{ inputs.version }}
        cache: ${{ inputs.cache }}
@@ -139,7 +139,7 @@ runs:

    - name: Restore DB from cache
      if: ${{ inputs.cache == 'true' }}
-      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+      uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
      with:
        path: ${{ inputs.cache-dir }}
        key: cache-trivy-${{ steps.date.outputs.date }}
@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash
 set -euo pipefail

 # Allow overriding trivy binary via env
@@ -1,7 +1,7 @@
 {
  "SchemaVersion": 2,
  "Trivy": {
-    "Version": "0.70.0"
+    "Version": "0.69.3"
  },
  "ArtifactName": "test/data/config-scan",
  "ArtifactType": "filesystem",
@@ -1,7 +1,7 @@
 {
  "SchemaVersion": 2,
  "Trivy": {
-    "Version": "0.70.0"
+    "Version": "0.69.3"
  },
  "ArtifactID": "sha256:79ce4c2f8371bef1ce2a321518d3136bc1bd8f3c307ed679944a38e7cbd76c14",
  "ArtifactName": "https://github.com/krol3/demo-trivy/",
@@ -1,7 +1,7 @@
 {
  "SchemaVersion": 2,
  "Trivy": {
-    "Version": "0.70.0"
+    "Version": "0.69.3"
  },
  "ArtifactName": "test/data/with-tf-vars/main.tf",
  "ArtifactType": "filesystem",
@@ -1,7 +1,7 @@
 {
  "SchemaVersion": 2,
  "Trivy": {
-    "Version": "0.70.0"
+    "Version": "0.69.3"
  },
  "ArtifactID": "sha256:aab05ff324c90bb728aa5177b75d7e39d363be13323873de70959d2251edcebc",
  "ArtifactName": "alpine:3.10",
@@ -23,9 +23,11 @@ teardown() {
 }

 setup_trivy_env() {
-  export TRIVY_DB_REPOSITORY="ghcr.io/aquasecurity/trivy-db@sha256:7f8b879d4c23469b09c874b18d64a7eedea95f0ce08ea1862a783dc8d799be6f"
-  export TRIVY_JAVA_DB_REPOSITORY="ghcr.io/aquasecurity/trivy-java-db@sha256:f60faf3353edb6556f676c83c8b26d8a60398feab31ab2ec591537707a7354ba"
-  export TRIVY_CHECKS_BUNDLE_REPOSITORY="ghcr.io/aquasecurity/trivy-checks@sha256:b63166ca02aa09e30a5127320384d7bd0d2760dc19bab3ab7041a6070114ba45" # v2.2.0
+  local owner="${GITHUB_REPOSITORY_OWNER:-aquasecurity}"
+
+  export TRIVY_DB_REPOSITORY="ghcr.io/${owner}/trivy-db-act:latest"
+  export TRIVY_JAVA_DB_REPOSITORY="ghcr.io/${owner}/trivy-java-db-act:latest"
+  export TRIVY_CHECKS_BUNDLE_REPOSITORY="ghcr.io/${owner}/trivy-checks-act:latest"

  export TRIVY_LIST_ALL_PKGS=false
  export TRIVY_DISABLE_VEX_NOTICE=true
@@ -1,5 +0,0 @@
-rules:
-  # GitHub environments are not currently used, so secrets are accessed outside of them.
-  # See: https://docs.zizmor.sh/audits/#secrets-outside-env
-  secrets-outside-env:
-    disable: true