ci: add dependabot, pin trivy-action@0.30.0, release no longer waits on scan

2026-04-12 11:30:32 +00:00 · 2026-02-24 10:48:06 +00:00
parent 761e08f168
commit 5f385dce45
3 changed files with 19 additions and 3 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -72,7 +72,7 @@ jobs:
      # ── CVE scan of source tree and Cargo.lock ──────────────────────────────
      - name: Trivy — filesystem scan (Cargo.lock + source)
        if: always()
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.30.0
        with:
          scan-type: fs
          scan-ref: .
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -120,7 +120,7 @@ jobs:
      # ── CVE scan of the pushed image ────────────────────────────────────────
      # Images are FROM scratch — no OS packages, only binary CVE scan
      - name: Trivy — image scan (${{ matrix.name }})
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.30.0
        with:
          scan-type: image
          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.ver.outputs.tag }}${{ matrix.suffix }}
@@ -139,7 +139,7 @@ jobs:
  release:
    name: GitHub Release
    runs-on: ubuntu-latest
-    needs: [build, scan]
+    needs: build
    permissions:
      contents: write
      packages: read  # to pull image for SBOM generation