Skip to content

Commit 0731c06

Browse files
nullvariantclaude
andauthored
fix(ci): replace trivy-action with direct GitHub Releases download (#361)
The trivy-action's install.sh downloads via get.trivy.dev, which is blocked by harden-runner egress policy and has no entry in allowed-endpoints. Download Trivy directly from GitHub Releases (github.com + objects.githubusercontent.com are already allowed). 🖥️ IDE: [Cursor](https://cursor.sh) 🔌 Extension: [Claude Code](https://claude.ai/download) Model-Raw: claude-opus-4-6-20250514 Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
1 parent 2e065b8 commit 0731c06

1 file changed

Lines changed: 13 additions & 6 deletions

File tree

.github/workflows/publish.yml

Lines changed: 13 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -67,13 +67,20 @@ jobs:
6767

6868
# Supply Chain Security: Trivy VSIX scan (post-package, pre-publish)
6969
# Scans the packaged VSIX for known CVEs before any publishing step
70+
# Downloads Trivy directly from GitHub Releases to avoid get.trivy.dev
71+
# dependency (blocked by harden-runner egress policy)
7072
- name: Scan VSIX with Trivy
71-
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
72-
with:
73-
scan-type: 'fs'
74-
scan-ref: 'extensions/git-id-switcher'
75-
severity: 'CRITICAL,HIGH'
76-
exit-code: '1'
73+
env:
74+
TRIVY_VERSION: '0.69.3'
75+
run: |
76+
curl -sfL -o trivy.tar.gz \
77+
"https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
78+
tar -xzf trivy.tar.gz trivy
79+
chmod +x trivy
80+
./trivy fs extensions/git-id-switcher \
81+
--severity CRITICAL,HIGH \
82+
--exit-code 1
83+
rm -f trivy trivy.tar.gz
7784
7885
# Supply Chain Security: Cosign keyless signing for VSIX
7986
# Uses GitHub OIDC token (no secret key management required)

0 commit comments

Comments
 (0)