fix(workflows): bump Trivy to v0.71.0 and setup-oras to v2.0.0 (Node 24)#49
Merged
Conversation
- Trivy: the old default v0.58.1 no longer installs via the current install.sh (exit 1 right after "found version"); v0.71.0 installs cleanly. Bump the default trivy_version to v0.71.0.
- setup-oras: v1.2.4 runs on the deprecated Node 20. Upgrade to v2.0.0 (Node 24) to clear the deprecation warning; pin the ORAS CLI to 1.3.1, which v2.0.0 supports.
Pull request overview
This PR updates the reusable image scanning workflow to fix failures/deprecations in GitHub Actions by bumping the default Trivy version and upgrading the pinned setup-oras action (and corresponding ORAS CLI version).
Changes:
- Bump the reusable workflow input default `trivy_version` from `v0.58.1` to `v0.71.0`.
- Upgrade `oras-project/setup-oras` from v1.2.4 to v2.0.0 (SHA pinned) to avoid Node 20 deprecation warnings.
- Bump the installed ORAS CLI version from `1.3.0` to `1.3.1` to match the upgraded action's supported range.
Fixes two issues observed when running the `scan-*` workflows.

1. Trivy install failure

Cause: the old default `trivy_version: v0.58.1` no longer installs through the current Trivy `install.sh`; it fails right after resolving the version. Reproduced locally: `v0.58.1` exits 1, `v0.71.0` installs cleanly (exit 0).

Fix: bump the default `trivy_version` to `v0.71.0` (current latest). The version is still overridable per-call and recorded in the scan-report referrer.

2. setup-oras Node 20 deprecation warning

Fix: upgrade `setup-oras` from v1.2.4 (Node 20) to v2.0.0 (Node 24, SHA-pinned `38de303…`). v2.0.0 supports the ORAS CLI up to 1.3.1, so the pinned CLI is bumped `1.3.0 → 1.3.1`.

(`setup-crane` is a composite action and `setup-trivy` is composite too, so neither triggers the Node 20 deprecation.)

Validated with YAML parse and actionlint.
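The shape of the change described in this PR, as an added illustration rather than the repository's actual workflow file: a reusable (`workflow_call`) workflow whose `trivy_version` input defaults to `v0.71.0`, with `setup-oras` pinned by full commit SHA and its `version` input set to the 1.3.1 CLI. The workflow name, job name, the `setup-trivy` step and the SHA placeholder are assumptions; the page only gives the SHA prefix `38de303…`, so the full hash must be taken from the merged diff, not from here.

```yaml
# Added example, not the project's own file. Names other than the action
# references and version strings are assumed for illustration.
name: scan-image

on:
  workflow_call:
    inputs:
      trivy_version:
        description: "Trivy release to install (overridable per call)"
        type: string
        required: false
        default: v0.71.0   # was v0.58.1, which current install.sh no longer installs
      oras_version:
        description: "ORAS CLI release; setup-oras v2.0.0 supports up to 1.3.1"
        type: string
        required: false
        default: "1.3.1"   # was 1.3.0

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      # Composite action: does not run on Node, so no Node 20 deprecation warning.
      - name: Install Trivy
        uses: aquasecurity/setup-trivy@v0.2.0
        with:
          version: ${{ inputs.trivy_version }}

      # JavaScript action: v2.0.0 runs on Node 24. Pin by full commit SHA and
      # keep the tag in a trailing comment so the pin stays auditable.
      # <FULL_COMMIT_SHA> stands for the 40-character hash beginning 38de303.
      - name: Install ORAS CLI
        uses: oras-project/setup-oras@<FULL_COMMIT_SHA> # v2.0.0
        with:
          version: ${{ inputs.oras_version }}

      - name: Show tool versions recorded for the scan report
        run: |
          trivy --version
          oras version
```

Because the default lives on the `workflow_call` input, a caller that needs a different Trivy release passes `trivy_version` explicitly and the value still ends up in the scan-report referrer; callers that pass nothing pick up the new default without editing their own workflows.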