fix(workflows): bump Trivy to v0.71.0 and setup-oras to v2.0.0 (Node 24)#49

Merged
toddysm merged 1 commit into main from fix/trivy-version-and-oras-node24 on Jun 5, 2026
Conversation

@toddysm toddysm commented Jun 5, 2026

Owner

Fixes two issues observed when running the scan-* workflows.

1. Trivy install failure

installing Trivy binary
aquasecurity/trivy info checking GitHub for tag 'v0.58.1'
aquasecurity/trivy info found version: 0.58.1 for v0.58.1/Linux/64bit
Error: Process completed with exit code 1.

Cause: the old default trivy_version: v0.58.1 no longer installs through the current Trivy install.sh — it fails right after resolving the version. Reproduced locally: v0.58.1 exits 1, v0.71.0 installs cleanly (exit 0).

Fix: bump the default trivy_version to v0.71.0 (current latest). The version is still overridable per-call and recorded in the scan-report referrer.

2. setup-oras Node 20 deprecation warning

Node.js 20 actions are deprecated ... oras-project/setup-oras@22ce207...

Fix: upgrade setup-oras from v1.2.4 (Node 20) to v2.0.0 (Node 24, SHA-pinned 38de303…). v2.0.0 supports the ORAS CLI up to 1.3.1, so the pinned CLI is bumped 1.3.0 → 1.3.1.

(setup-crane is a composite action and setup-trivy is composite too, so neither triggers the Node 20 deprecation.)

Validated with YAML parse and actionlint.

- Trivy: the old default v0.58.1 no longer installs via the current
  install.sh (exit 1 right after "found version"); v0.71.0 installs
  cleanly. Bump the default trivy_version to v0.71.0.
- setup-oras: v1.2.4 runs on the deprecated Node 20. Upgrade to v2.0.0
  (Node 24) to clear the deprecation warning; pin the ORAS CLI to 1.3.1,
  which v2.0.0 supports.
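The two fixes above (a stale default `trivy_version` and a tag-pinned `setup-oras`) are exactly the kind of drift a small workflow lint can catch before a scan run fails. The following is an added example, not code from this repository: a stdlib-only checker that flags third-party actions not pinned to a full commit SHA (or pinned without a version comment) and a `trivy_version` default below a minimum. The workflow snippets and the 40-zero SHA are constructed placeholders, not the real setup-oras v2.0.0 commit.

```python
import re

# Constructed sketch of the reusable workflow before the PR: old trivy default,
# setup-oras pinned to a mutable tag. Not the project's real file.
WORKFLOW_BEFORE = """\
on:
  workflow_call:
    inputs:
      trivy_version:
        default: v0.58.1
jobs:
  scan:
    steps:
      - uses: oras-project/setup-oras@v1.2.4
"""

# Same sketch with the PR's changes applied. The SHA below is a placeholder
# (all zeros), not the actual setup-oras v2.0.0 commit.
WORKFLOW_AFTER = """\
on:
  workflow_call:
    inputs:
      trivy_version:
        default: v0.71.0
jobs:
  scan:
    steps:
      - uses: oras-project/setup-oras@0000000000000000000000000000000000000000 # v2.0.0
"""

USES_RE = re.compile(r"^\s*-\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)(?:\s*#\s*(\S+))?", re.M)
DEFAULT_RE = re.compile(r"trivy_version:\s*\n\s*default:\s*v?(\d+)\.(\d+)\.(\d+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_workflow(text, min_trivy=(0, 71, 0)):
    """Return human-readable findings for one workflow file body (empty list = clean)."""
    findings = []
    for name, ref, comment in USES_RE.findall(text):
        if not SHA_RE.match(ref):
            findings.append(f"{name}: pinned to mutable ref '{ref}', expected a 40-hex commit SHA")
        elif not comment:
            findings.append(f"{name}: SHA pin lacks a '# vX.Y.Z' comment recording the version")
    m = DEFAULT_RE.search(text)
    if m is None:
        findings.append("trivy_version: no default found")
    elif tuple(map(int, m.groups())) < min_trivy:
        wanted = ".".join(map(str, min_trivy))
        findings.append(f"trivy_version: default v{'.'.join(m.groups())} is below v{wanted}")
    return findings
```

Run `check_workflow` over each file under `.github/workflows/` in CI; a non-empty result is a reason to fail the job before a scan-* workflow does.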
Copilot AI review requested due to automatic review settings June 5, 2026 22:55

Copilot AI left a comment

Pull request overview

This PR updates the reusable image scanning workflow to fix failures/deprecations in GitHub Actions by bumping the default Trivy version and upgrading the pinned setup-oras action (and corresponding ORAS CLI version).

Changes:

  • Bump the reusable workflow input default trivy_version from v0.58.1 to v0.71.0.
  • Upgrade oras-project/setup-oras from v1.2.4 to v2.0.0 (SHA pinned) to avoid Node 20 deprecation warnings.
  • Bump the installed ORAS CLI version from 1.3.0 to 1.3.1 to match the upgraded action’s supported range.

@toddysm toddysm merged commit 90144ae into main Jun 5, 2026
1 check passed
@toddysm toddysm deleted the fix/trivy-version-and-oras-node24 branch June 9, 2026 16:46