chore(deps): bump aquasecurity/setup-trivy from 0.2.6 to 0.3.1

[dependabot]

Bumps aquasecurity/setup-trivy from 0.2.6 to 0.3.1.

Release notes

Sourced from aquasecurity/setup-trivy's releases.

v0.3.1

v0.3.1

🐛 Bug fix

Fixes a regression in v0.3.0 that made the action fail to load in every workflow, even when path was not set:

Unrecognized named-value: 'runner'. Located at position 1 within expression: runner.temp

A literal ${{ runner.temp }} had been left in an input description inside action.yaml. GitHub evaluates every ${{ }} expression in the file — including input descriptions, where the runner context is unavailable — so the action could not be loaded at all. The expression has been removed from the description and from the validation error message. See #37 (#38).

If you are on v0.3.0, upgrade to v0.3.1.

✅ Tests

Added a CI workflow that runs the action on ubuntu / windows / macOS (default, cached, and custom-path installs) and verifies that an invalid path is rejected. Because it exercises the action via uses: ./, it catches action-loading failures like #37 that static linters miss.

ℹ️ Note

The v0.3.0 security hardening and the path breaking change still apply: path must be a literal path; shell variables ($HOME, $RUNNER_TEMP) and ~ are not expanded. Use a GitHub expression or a relative path:

path: ${{ runner.temp }}/trivy
path: ./bins

Full Changelog: aquasecurity/setup-trivy@v0.3.0...v0.3.1

v0.3.0

v0.3.0

[!CAUTION] This release is broken — do not use it. Upgrade to v0.3.1.

v0.3.0 fails to load in every workflow, even when path is not set, with:

Unrecognized named-value: 'runner'. Located at position 1 within expression: runner.temp

The cause is a literal ${{ runner.temp }} left in an input description inside action.yaml. GitHub evaluates every ${{ }} in the file, including in input descriptions where the runner context is unavailable, so the action cannot be loaded at all. Fixed in #38 (released as v0.3.1); see #37.

🔒 Security

... (truncated)

Commits

• 81e5143 fix: remove literal ${{ runner.temp }} that breaks action loading (#38)
• 151a37f fix!: prevent script injection in run blocks (#33)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)