
Fix pre-commit pipeline: replace broken trivy installation with apt-based install #2420

Merged
commjoen merged 3 commits into master from copilot/fix-precommit-failure
Mar 1, 2026

Contributor

Copilot AI commented Mar 1, 2026

The pre-commit pipeline was failing because trivy v0.58.0 didn't exist as a GitHub release (404), and the aquasecurity/setup-trivy@v0.2.5 action (used as an intermediate fix) also failed because it hardcodes a commit SHA in aquasecurity/trivy that no longer exists (75c4dc0f45c5d7ffd05ae26df1e0c666787bdf2a).

Changes

  • pre-commit.yml: Replace trivy installation with a direct apt-based install from Aqua Security's official apt repository (aquasecurity.github.io/trivy-repo). This avoids all dependency on the aquasecurity/trivy git repository or its GitHub releases. The TRIVY_VERSION env var is removed since the apt repo always provides the latest version:

    # Before
    - name: Setup trivy
      run: |
        wget https://github.com/aquasecurity/trivy/releases/download/v${{env.TRIVY_VERSION}}/trivy_${{env.TRIVY_VERSION}}_Linux-64bit.deb
        sudo dpkg -i trivy_${{env.TRIVY_VERSION}}_Linux-64bit.deb
    
    # After
    - name: Setup trivy
      # Using apt repo to avoid dependency on aquasecurity/trivy git repo (which broke setup-trivy action).
      run: |
        wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
        echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
        sudo apt-get update
        sudo apt-get install -y trivy
  • renovate.json: Remove the trivy custom manager since there is no longer a pinned version string in the workflow to track.

Original prompt

This section details the original issue you should resolve

<issue_title>precommit is failing everywhere due to trivy installment</issue_title>
<issue_description>Every pipeline now has its precommit action failing with logs:
0s
Run wget https://github.com/aquasecurity/trivy/releases/download/v0.58.0/trivy_0.58.0_Linux-64bit.deb
wget https://github.com/aquasecurity/trivy/releases/download/v0.58.0/trivy_0.58.0_Linux-64bit.deb
sudo dpkg -i trivy_0.58.0_Linux-64bit.deb
shell: /usr/bin/bash -e {0}
env:
TF_DOCS_VERSION: v0.19.0
TFLINT_VERSION: v0.53.0
TRIVY_VERSION: 0.58.0
pythonLocation: /opt/hostedtoolcache/Python/3.14.3/x64
PKG_CONFIG_PATH: /opt/hostedtoolcache/Python/3.14.3/x64/lib/pkgconfig
Python_ROOT_DIR: /opt/hostedtoolcache/Python/3.14.3/x64
Python2_ROOT_DIR: /opt/hostedtoolcache/Python/3.14.3/x64
Python3_ROOT_DIR: /opt/hostedtoolcache/Python/3.14.3/x64
LD_LIBRARY_PATH: /opt/hostedtoolcache/Python/3.14.3/x64/lib
JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/25.0.2-10/x64
JAVA_HOME_25_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/25.0.2-10/x64
TERRAFORM_CLI_PATH: /home/runner/work/_temp/b7aad1d9-d834-487f-9675-e54ce0945706
--2026-03-01 06:44:00-- https://github.com/aquasecurity/trivy/releases/download/v0.58.0/trivy_0.58.0_Linux-64bit.deb
Resolving github.com (github.com)... 140.82.116.4
Connecting to github.com (github.com)|140.82.116.4|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2026-03-01 06:44:00 ERROR 404: Not Found.

see https://github.com/OWASP/wrongsecrets/actions/workflows/pre-commit.yml for all failing actions</issue_description>

Comments on the Issue (you are @copilot in this section)



Co-authored-by: commjoen <1457214+commjoen@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix precommit failing due to trivy installation Fix pre-commit pipeline: replace broken trivy .deb download with setup-trivy action Mar 1, 2026
Collaborator

commjoen commented Mar 1, 2026

@copilot trivy now fails in https://github.com/OWASP/wrongsecrets/actions/runs/22538017615/job/65288823560?pr=2420 with:

Run aquasecurity/setup-trivy@v0.2.5
Run echo "dir=$HOME/.local/bin/trivy-bin" >> $GITHUB_OUTPUT
Run actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
Syncing repository: aquasecurity/trivy
Getting Git version info
Temporarily overriding HOME='/home/runner/work/_temp/01c7c029-c9fe-49e2-bd23-139b79e38641' before making global git config changes
Adding repository directory to the temporary git global config as a safe directory
/usr/bin/git config --global --add safe.directory /home/runner/work/wrongsecrets/wrongsecrets/trivy
Initializing the repository
Disabling automatic garbage collection
Setting up auth
Fetching the repository
  /usr/bin/git -c protocol.version=2 fetch --no-tags --prune --no-recurse-submodules --filter=blob:none --depth=1 origin 75c4dc0f45c5d7ffd05ae26df1e0c666787bdf2a
  Error: fatal: remote error: upload-pack: not our ref 75c4dc0f45c5d7ffd05ae26df1e0c666787bdf2a
  The process '/usr/bin/git' failed with exit code 128
  Waiting 17 seconds before trying again
  /usr/bin/git -c protocol.version=2 fetch --no-tags --prune --no-recurse-submodules --filter=blob:none --depth=1 origin 75c4dc0f45c5d7ffd05ae26df1e0c666787bdf2a
  Error: fatal: remote error: upload-pack: not our ref 75c4dc0f45c5d7ffd05ae26df1e0c666787bdf2a
  The process '/usr/bin/git' failed with exit code 128
  Waiting 17 seconds before trying again
  /usr/bin/git -c protocol.version=2 fetch --no-tags --prune --no-recurse-submodules --filter=blob:none --depth=1 origin 75c4dc0f45c5d7ffd05ae26df1e0c666787bdf2a
  Error: fatal: remote error: upload-pack: not our ref 75c4dc0f45c5d7ffd05ae26df1e0c666787bdf2a
  Error: The process '/usr/bin/git' failed with exit code 128

Co-authored-by: commjoen <1457214+commjoen@users.noreply.github.com>
Contributor Author

Copilot AI commented Mar 1, 2026

@copilot trivy now fails in https://github.com/OWASP/wrongsecrets/actions/runs/22538017615/job/65288823560?pr=2420 with:

...

The setup-trivy@v0.2.5 action internally tries to checkout aquasecurity/trivy at a hardcoded commit hash (75c4dc0f45c5d7ffd05ae26df1e0c666787bdf2a) that no longer exists in that repository.

Fixed in commit 1c5ab40 by replacing the action with a direct apt-based install from Aqua Security's official apt repository (aquasecurity.github.io/trivy-repo). This avoids all dependency on the aquasecurity/trivy git repo. Also removed the now-unused TRIVY_VERSION env var and its Renovate custom manager.

Copilot AI changed the title Fix pre-commit pipeline: replace broken trivy .deb download with setup-trivy action Fix pre-commit pipeline: replace broken trivy installation with apt-based install Mar 1, 2026
@commjoen commjoen marked this pull request as ready for review March 1, 2026 07:04
@commjoen commjoen merged commit 79ba2af into master Mar 1, 2026
15 checks passed
@commjoen commjoen deleted the copilot/fix-precommit-failure branch March 1, 2026 07:04
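
Added example, not part of the pull request or the project's workflow: the merged "After" step writes whatever key the HTTPS fetch returns straight into the trusted keyring, so this sketch checks the key against a pinned fingerprint first. The function names, the fingerprints and the sample `gpg` output are constructed for illustration; the real fingerprint has to be obtained from the repository owner out of band.

```shell
#!/bin/sh
# Added example: pin an apt repository signing key by fingerprint.
# All fingerprints and key records below are CONSTRUCTED sample data.

# Constructed `gpg --show-keys --with-colons` output: one primary key + subkey.
SAMPLE_COLONS='pub:-:4096:1:AAAAAAAAAAAAAAAA:1700000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1700000000::0000::Example Repo Key <repo@example.invalid>::::::::::0:
sub:-:4096:1:BBBBBBBBBBBBBBBB:1700000000::::::e::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:'

# key_matches_pin PINNED_FPR  (colon-format key listing on stdin)
# Succeeds only if the listing holds exactly one primary key whose
# fingerprint equals the pin. In colon format the "fpr" record directly
# after a "pub" record carries the primary fingerprint in field 10;
# subkey fingerprints (after "sub") are deliberately ignored.
key_matches_pin() {
  pin=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  awk -F: -v want="$pin" '
    $1 == "pub"              { n++; after_pub = 1; next }
    $1 == "fpr" && after_pub { fpr = toupper($10); after_pub = 0; next }
                             { after_pub = 0 }
    END { exit !(n == 1 && fpr != "" && fpr == want) }
  '
}

# install_pinned_key URL PINNED_FPR KEYRING_PATH
# Workflow-side wrapper (needs network, gpg and sudo). The key is fetched to
# a temp file, checked against the pin, and only then written to the keyring.
install_pinned_key() {
  tmp=$(mktemp) || return 1
  if wget -qO "$tmp" "$1" &&
     gpg --show-keys --with-colons "$tmp" | key_matches_pin "$2" &&
     gpg --dearmor < "$tmp" | sudo tee "$3" > /dev/null
  then rc=0
  else rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}

# Offline self-check against the constructed sample.
if printf '%s\n' "$SAMPLE_COLONS" |
   key_matches_pin "0123 4567 89ab cdef 0123 4567 89ab cdef 0123 4567"
then echo "pin matches"
else echo "pin mismatch"
fi
```

A listing that contains a second primary key fails the check even when the pinned key is also present, so an extra key cannot ride along into the keyring.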
Development

Successfully merging this pull request may close these issues.

precommit is failing everywhere due to trivy installment

2 participants