ci: pin trivy to an existing release (0.59.1 does not exist) #28
Open
mlwelles wants to merge 1 commit into
The Trunk config pinned trivy@0.59.1, but that release does not exist on github.com/aquasecurity/trivy — Trunk's templated download (.../v0.59.1/trivy_0.59.1_Linux-64bit.tar.gz) returns HTTP 404, failing the Trunk Code Quality check on any PR whose diff trivy scans (e.g. workflow or broad changes) while reporting no actual lint issues. Bump to trivy@0.69.3, a real release with the expected Linux-64bit asset. The plugin (v1.6.7) downloads trivy via a version-templated URL, so no other change is needed.
What this fixes
The Trunk config pins trivy@0.59.1, but that release does not exist on github.com/aquasecurity/trivy. Trunk downloads tools from a version-templated URL, so it requests:
which returns HTTP 404. The Trunk Code Quality check then fails with ✖ No issues, 1 failure — zero lint findings, one tool-install failure — whenever a PR's diff is something trivy scans (workflow files, broad changes).
It has failed identically for weeks across multiple PRs.
The fix
Bump the pin to trivy@0.69.3, a real release that ships the expected trivy_0.69.3_Linux-64bit.tar.gz asset. The Trunk trivy plugin (v1.6.7) uses a version-templated download URL with no per-version enumeration, so this one-line change is sufficient — no plugin bump required.
No source or lint-rule changes; this only repairs the Trunk toolchain so the Code Quality check can run.
Summary by cubic
Pin trivy from 0.59.1 to 0.69.3 to stop CI failures caused by a nonexistent release. This restores the Trunk Code Quality check by allowing trivy to download and run.
Written for commit 7e97f3a. Summary will update on new commits.
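A pre-merge check for the failure described in this PR, as an added example that is not part of the pull request or of Trunk: it reads `tool@version` pins from a Trunk-style config, renders the download URL, and reports pins whose asset does not resolve. The URL template, the `exampletool` entry and the sample config are assumptions made for illustration.

```python
import re
import urllib.request

# Assumed template: GitHub's standard release-download path combined with the
# asset name quoted in the PR text. Not taken from the Trunk plugin itself.
TEMPLATES = {
    "trivy": "https://github.com/aquasecurity/trivy/releases/download/"
             "v{version}/trivy_{version}_Linux-64bit.tar.gz",
}
PIN_RE = re.compile(r"^\s*-\s*([A-Za-z0-9_.-]+)@([0-9][\w.+-]*)\s*(?:#.*)?$")

# Constructed sample config fragment (not the repository's file);
# "exampletool" is a hypothetical tool with no known template.
SAMPLE = "lint:\n  enabled:\n    - trivy@0.59.1\n    - exampletool@1.2.3\n"


def parse_pins(config_text):
    """Return (tool, version) pairs from '- tool@version' list items."""
    pins = []
    for line in config_text.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins.append((m.group(1), m.group(2)))
    return pins


def http_head_ok(url, timeout=10):
    """Default probe: True if a HEAD request (redirects followed) returns 2xx."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except OSError:  # covers HTTPError (e.g. 404), URLError and timeouts
        return False


def missing_pins(config_text, probe=http_head_ok):
    """Return [(tool, version, url)] for pins whose download URL does not resolve."""
    missing = []
    for tool, version in parse_pins(config_text):
        template = TEMPLATES.get(tool)
        if template is None:
            continue  # no known template for this tool, so nothing to verify
        url = template.format(version=version)
        if not probe(url):
            missing.append((tool, version, url))
    return missing
```

Run in CI before the linter step, a non-empty result from `missing_pins` separates a tool-install failure from a real lint finding; pass a stub `probe` to exercise it offline.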