From 7766a2f02c0c0f9acbdfd19776c620cf36913277 Mon Sep 17 00:00:00 2001
From: DevITWay | Pavel Volkov <devitway@gmail.com>
Date: Mon, 6 Apr 2026 01:43:41 +0300
Subject: [PATCH] fix: add image-ref to Trivy scan in release pipeline (#102)

Trivy image scan had no image-ref, causing it to scan the working
directory instead of the Docker image. Also set exit-code: 0 so
known vulnerabilities in base images do not block the release.
---
 .github/workflows/release.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index dd40e08..de5913e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -172,10 +172,11 @@ jobs:
         uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
         with:
           scan-type: image
+          image-ref: ghcr.io/${{ github.repository }}:${{ steps.ver.outputs.tag }}${{ matrix.suffix }}
           format: sarif
           output: trivy-image-${{ matrix.name }}.sarif
           severity: HIGH,CRITICAL
-          exit-code: 1
+          exit-code: 0
 
       - name: Upload Trivy image results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@a60c4df7a135c7317c1e9ddf9b5a9b07a910dda9 # v4