fix: bump trivy-action to 0.35.0 to fix binary download failure#62
Merged
Conversation
Adds a Keep a Changelog-formatted CHANGELOG.md documenting all releases from v2.1.0 through v2.5.5. Adds a 'Create GitHub Release' step to the merge job in docker-publish.yml that extracts the relevant section from CHANGELOG.md and publishes a GitHub Release on each version bump, satisfying OSPS-BR-04.01 (releases must contain a descriptive log of modifications). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
trivy-action@0.34.1 fails to install Trivy v0.69.1 (exits with code 1 immediately after finding the release tag), blocking every post-merge release pipeline run since v2.5.4. v0.35.0 bundles Trivy v0.69.3 and resolves the download issue. Fixes post-merge pipeline failures for v2.5.5 and v2.5.6. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
paradoxbound
added a commit
that referenced
this pull request
Mar 8, 2026
## Summary - Corrects `[2.5.5] - unreleased` → `[2.5.6] - 2026-03-08` (v2.5.5 was never tagged; the pipeline was broken and the changes released as v2.5.6) - Adds missing entries for `trivy-action` bump (#62) and Dockerfile CVE patch (#63) - Updates comparison links to reference `v2.5.6` Also patches the existing v2.5.6 GitHub Release (currently empty body) with the correct notes. 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Paradoxbound <paradoxbound@paradoxbound.org> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
aquasecurity/trivy-actionfrom0.34.1→0.35.0in both thescanjob andpre-merge-cd-checkjobRoot cause
trivy-action@0.34.1attempts to install Trivyv0.69.1at runtime. The binary download fails immediately (exit code 1, ~2 seconds) after finding the release tag, producing no SARIF output and blocking themergejob. Every post-merge push tomainsince v2.5.4 has hit this failure, so v2.5.5 has never been released despite the version bump being onmain.trivy-action@0.35.0bundles Trivyv0.69.3and resolves the issue.Test plan
scanjob completes successfully🤖 Generated with Claude Code