From 05c765627f6c24087f894690b447a5fbbb4c1127 Mon Sep 17 00:00:00 2001 From: devitway Date: Mon, 23 Feb 2026 16:47:18 +0000 Subject: [PATCH] ci: fix trivy image tag (strip v prefix) --- .github/workflows/release.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 471eacd..ecd5d31 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -130,12 +130,17 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} + - name: Set version tag (strip leading v) + id: ver + run: echo "tag=${GITHUB_REF_NAME#v}" >> $GITHUB_OUTPUT + # ── CVE scan of the pushed image ──────────────────────────────────────── + # Images are FROM scratch — no OS packages, only binary CVE scan - name: Trivy — image scan (${{ matrix.name }}) uses: aquasecurity/trivy-action@master with: scan-type: image - image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}${{ matrix.suffix }} + image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.ver.outputs.tag }}${{ matrix.suffix }} format: sarif output: trivy-image-${{ matrix.name }}.sarif severity: HIGH,CRITICAL
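Review bot: The scan step edited here still runs `uses: aquasecurity/trivy-action@master`, a mutable branch ref, in a job that has just passed `secrets.GITHUB_TOKEN` to what appears to be a registry login, so whatever lands on that branch executes inside the release job. Pin the action to a full commit SHA with the release noted beside it, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha>  # <release tag>`, and let a dependency bot propose the bumps. Separately, `image-ref` now resolves a tag recomputed in the new `ver` step rather than a value taken from the push step, so the scan covers the pushed artifact only if both derive the tag the same way. If the push step exposes an image digest, referencing the image by that digest would tie the scan to the exact image that was published. The job's permissions block and the push step lie outside this hunk, so both points should be checked against the full workflow.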