github: workflows: remove trivy cron workflow #11599

Merged
edsiper merged 1 commit into 4.2 from 4.2-remove-trivy
Mar 21, 2026

Conversation

@edsiper (Member) commented Mar 21, 2026


Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Signed-off-by: Eduardo Silva <eduardo@chronosphere.io>
@coderabbitai bot commented Mar 21, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

@edsiper edsiper merged commit 00e2f56 into 4.2 Mar 21, 2026
10 checks passed

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4eefa48df9


Comment on lines -10 to -13
schedule:
# 13:44 on Thursday
- cron: 44 13 * * 4
workflow_dispatch:
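Review bot: the PR description above carries only the license boilerplate and sign-off, with no rationale for dropping the `44 13 * * 4` schedule and the `workflow_dispatch` trigger; the description or commit message should state why the periodic rescan is no longer wanted and which workflow, if any, takes over that coverage, since this hunk removes a time-based trigger that ran independently of image builds.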

P1: Restore a scheduled scan for released latest images

Removing this trigger drops the only workflow that periodically rescans fluent/fluent-bit:latest. The remaining Trivy job in .github/workflows/call-build-images.yaml:287-315 only runs as part of image builds (if: inputs.push), while .github/workflows/staging-release.yaml:538-579 later promotes latest tags to DockerHub without any follow-up scan. In practice, CVEs disclosed after a release—the common case for base-image/package vulnerabilities—will no longer be reported for the published latest images until the next rebuild, leaving release containers unmonitored for days or weeks.


Comment on lines -45 to -47
- name: Pull the image for the architecture we're testing
run: |
docker pull --platform ${{ matrix.arch }} fluent/fluent-bit:latest
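Review bot: this step is the only place in the diff that pulls a specific architecture via `--platform ${{ matrix.arch }}`; rather than deleting the matrix outright, consider carrying that `--platform` value into whichever scan step remains, so that non-amd64 variants of `fluent/fluent-bit:latest` continue to be scanned individually instead of only the default platform.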

P1: Keep per-architecture Trivy scans for ARM release images

This deletion also removes the only place that scanned the published ARM variants individually. The fallback scan in .github/workflows/call-build-images.yaml:306-314 invokes Trivy once against the multi-arch tag on ubuntu-latest and does not pass --platform; Trivy's own image docs note that, by default, it loads the linux/amd64 image unless --platform is set. After removing this matrix, linux/arm64 and linux/arm/v7 release images no longer get vulnerability coverage, so ARM-only CVEs can ship unnoticed.

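A scheduled, per-platform Trivy scan of the published image, written here as an added example of the coverage the two review comments above say is lost; it is not part of this PR or of the Fluent Bit repository, and the cron time, the platform list, the severity threshold and the use of the `aquasec/trivy` container image are assumptions.

```yaml
name: Scheduled image vulnerability scan

on:
  schedule:
    # Assumed schedule: Thursday 13:44 UTC, mirroring the removed cron entry
    - cron: '44 13 * * 4'
  workflow_dispatch:

permissions:
  contents: read

jobs:
  trivy:
    runs-on: ubuntu-latest
    strategy:
      # Keep scanning the other platforms even if one of them fails
      fail-fast: false
      matrix:
        # Assumed platform list; each entry is scanned on its own so that
        # Trivy does not silently fall back to the linux/amd64 image
        platform: [linux/amd64, linux/arm64, linux/arm/v7]
    steps:
      - name: Scan fluent/fluent-bit:latest for ${{ matrix.platform }}
        run: |
          # --platform selects the variant of the multi-arch tag to analyse;
          # --exit-code 1 fails the job when a HIGH/CRITICAL fixed CVE is found
          docker run --rm aquasec/trivy:latest image \
            --platform "${{ matrix.platform }}" \
            --severity HIGH,CRITICAL \
            --ignore-unfixed \
            --exit-code 1 \
            fluent/fluent-bit:latest
```

Because this workflow runs on a timer rather than as part of an image build, CVEs disclosed after a release are reported at the next scheduled run without waiting for a rebuild.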
