From ecd624b2bb7b06b99998e1e8e514b47c17d04698 Mon Sep 17 00:00:00 2001
From: Antony Messerli
Date: Sun, 15 Mar 2026 14:27:30 -0500
Subject: [PATCH] Pin Trivy CLI to v0.69.3 to work around deleted release assets
Trivy releases v0.27.0-v0.69.1 were deleted as part of a supply chain attack on 2026-03-01 (aquasecurity/trivy#10265). Pin the CLI version explicitly so the action does not try to download missing assets.
---
 .github/workflows/build.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 1e5114b..e470fc2 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -96,6 +96,7 @@ jobs:
 uses: aquasecurity/trivy-action@0.33.1
 with:
 image-ref: 'ghcr.io/netbootxyz/netbootxyz:${{ env.TAG_SUFFIX }}'
+ version: 'v0.69.3'
 format: 'table'
 exit-code: ${{ env.IS_PR == 'true' && '1' || '0' }}
 ignore-unfixed: true
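Review bot: The new `version: 'v0.69.3'` input pins the CLI by release tag, while the `uses: aquasecurity/trivy-action@0.33.1` line just above it still references the action by a tag as well. Tags can be moved or re-created, and the commit message itself describes upstream releases being deleted in a supply-chain incident. Pinning the action to a full commit SHA keeps the workflow on reviewed code, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha>  # 0.33.1`. The pin also deserves a comment saying why it exists and when to revisit it, such as `# Pinned because of aquasecurity/trivy#10265; revisit when the action default is usable again`. The step starts above this hunk and its `with:` block may continue below it, so any checksum or signature verification of the downloaded CLI is not visible here and would be worth confirming.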