Skip to content

fix: bump trivy-action to 0.35.0 to fix binary download failure#62

Merged
paradoxbound merged 2 commits into
mainfrom
fix/trivy-action-version
Mar 8, 2026
Merged

fix: bump trivy-action to 0.35.0 to fix binary download failure#62
paradoxbound merged 2 commits into
mainfrom
fix/trivy-action-version

Conversation

@paradoxbound

Copy link
Copy Markdown
Owner

Summary

  • Bumps aquasecurity/trivy-action from 0.34.10.35.0 in both the scan job and pre-merge-cd-check job
  • Fixes the post-merge pipeline failing on the Scan image for vulnerabilities step since v2.5.4

Root cause

trivy-action@0.34.1 attempts to install Trivy v0.69.1 at runtime. The binary download fails immediately (exit code 1, ~2 seconds) after finding the release tag, producing no SARIF output and blocking the merge job. Every post-merge push to main since v2.5.4 has hit this failure, so v2.5.5 has never been released despite the version bump being on main.

trivy-action@0.35.0 bundles Trivy v0.69.3 and resolves the issue.

Test plan

  • Post-merge pipeline scan job completes successfully
  • GitHub Release for v2.5.5 is created automatically after merge

🤖 Generated with Claude Code

Paradoxbound and others added 2 commits March 8, 2026 10:54
Adds a Keep a Changelog-formatted CHANGELOG.md documenting all releases
from v2.1.0 through v2.5.5. Adds a 'Create GitHub Release' step to the
merge job in docker-publish.yml that extracts the relevant section from
CHANGELOG.md and publishes a GitHub Release on each version bump, satisfying
OSPS-BR-04.01 (releases must contain a descriptive log of modifications).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
trivy-action@0.34.1 fails to install Trivy v0.69.1 (exits with code 1
immediately after finding the release tag), blocking every post-merge
release pipeline run since v2.5.4. v0.35.0 bundles Trivy v0.69.3 and
resolves the download issue.

Fixes post-merge pipeline failures for v2.5.5 and v2.5.6.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@paradoxbound paradoxbound merged commit 9860fd0 into main Mar 8, 2026
12 checks passed
paradoxbound pushed a commit that referenced this pull request Mar 8, 2026
v2.5.5 was never tagged (pipeline was broken); the accumulated changes
released as v2.5.6. Corrects the version label, date, adds missing entries
for the Trivy fix (#62) and Dockerfile CVE patch (#63), and updates the
comparison links.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
paradoxbound added a commit that referenced this pull request Mar 8, 2026
## Summary

- Corrects `[2.5.5] - unreleased` → `[2.5.6] - 2026-03-08` (v2.5.5 was
never tagged; the pipeline was broken and the changes released as
v2.5.6)
- Adds missing entries for `trivy-action` bump (#62) and Dockerfile CVE
patch (#63)
- Updates comparison links to reference `v2.5.6`

Also patches the existing v2.5.6 GitHub Release (currently empty body)
with the correct notes.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Paradoxbound <paradoxbound@paradoxbound.org>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant