From 0d6d7dc7b21031d0e6cdcad55f91caf4221d2547 Mon Sep 17 00:00:00 2001 From: Matt Collins Date: Wed, 3 Jun 2026 15:37:49 +1000 Subject: [PATCH 1/2] chore: upgrade trivy-action from v0.35.0 to v0.36.0 v0.35.0 internally calls actions/cache@v4.2.4 (Node 20) when cache=true (the default). v0.36.0 upgrades this to actions/cache@v5.0.5 (Node 24). Co-Authored-By: Claude Sonnet 4.6 --- actions/vulnerability_scan/action.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/actions/vulnerability_scan/action.yaml b/actions/vulnerability_scan/action.yaml index b80f5a99..329e36de 100644 --- a/actions/vulnerability_scan/action.yaml +++ b/actions/vulnerability_scan/action.yaml @@ -79,7 +79,7 @@ runs: key: cache-trivy-${{ steps.date.outputs.date }} - name: Generate Trivy vulnerability scan report - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 + uses: aquasecurity/trivy-action@a9c7b0f06e461e9d4b4d1711f154ee024b8d7ab8 # v0.36.0 if: inputs.publish_vulnerabilities == 'true' with: image-ref: ${{ inputs.image_ref }} @@ -103,7 +103,7 @@ runs: - name: Local vulnerability scanner for MEDIUM,HIGH,CRITICAL for reporting if: ${{ inputs.full_report == 'true' }} - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 + uses: aquasecurity/trivy-action@a9c7b0f06e461e9d4b4d1711f154ee024b8d7ab8 # v0.36.0 with: image-ref: ${{ inputs.image_ref }} scan-type: ${{ inputs.scan_type }} @@ -119,7 +119,7 @@ runs: TRIVY_DEPENDENCY_TREE: true - name: Test with Trivy vulnerability scanner - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 + uses: aquasecurity/trivy-action@a9c7b0f06e461e9d4b4d1711f154ee024b8d7ab8 # v0.36.0 with: image-ref: ${{ inputs.image_ref }} scan-type: ${{ inputs.scan_type }} From df686e447e1602d4dd86950c51224af97228524e Mon Sep 17 00:00:00 2001 From: Matt Collins Date: Wed, 3 Jun 2026 15:40:53 +1000 Subject: [PATCH 2/2] fix: use commit SHA instead of tag object SHA for trivy-action v0.36.0 Co-Authored-By: Claude Sonnet 4.6 --- actions/vulnerability_scan/action.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/actions/vulnerability_scan/action.yaml b/actions/vulnerability_scan/action.yaml index 329e36de..3c98de0c 100644 --- a/actions/vulnerability_scan/action.yaml +++ b/actions/vulnerability_scan/action.yaml @@ -79,7 +79,7 @@ runs: key: cache-trivy-${{ steps.date.outputs.date }} - name: Generate Trivy vulnerability scan report - uses: aquasecurity/trivy-action@a9c7b0f06e461e9d4b4d1711f154ee024b8d7ab8 # v0.36.0 + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 if: inputs.publish_vulnerabilities == 'true' with: image-ref: ${{ inputs.image_ref }} @@ -103,7 +103,7 @@ runs: - name: Local vulnerability scanner for MEDIUM,HIGH,CRITICAL for reporting if: ${{ inputs.full_report == 'true' }} - uses: aquasecurity/trivy-action@a9c7b0f06e461e9d4b4d1711f154ee024b8d7ab8 # v0.36.0 + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 with: image-ref: ${{ inputs.image_ref }} scan-type: ${{ inputs.scan_type }} @@ -119,7 +119,7 @@ runs: TRIVY_DEPENDENCY_TREE: true - name: Test with Trivy vulnerability scanner - uses: aquasecurity/trivy-action@a9c7b0f06e461e9d4b4d1711f154ee024b8d7ab8 # v0.36.0 + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 with: image-ref: ${{ inputs.image_ref }} scan-type: ${{ inputs.scan_type }}