diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index 2d5d1c37e..dd13c1e74 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -9,7 +9,6 @@ on:
 env:
 TF_DOCS_VERSION: v0.19.0
 TFLINT_VERSION: v0.53.0
- TRIVY_VERSION: 0.58.0
 permissions:
 contents: read
 jobs:
@@ -55,9 +54,13 @@ jobs:
 chmod +x terraform-docs
 mv terraform-docs /usr/local/bin/
 - name: Setup trivy
+ # Using apt repo to avoid dependency on aquasecurity/trivy git repo (which broke setup-trivy action).
+ # Installs the latest available trivy version; pin by appending =VERSION to the apt-get install line if needed.
 run: |
- wget https://github.com/aquasecurity/trivy/releases/download/v${{env.TRIVY_VERSION}}/trivy_${{env.TRIVY_VERSION}}_Linux-64bit.deb
- sudo dpkg -i trivy_${{env.TRIVY_VERSION}}_Linux-64bit.deb
+ wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
+ echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
+ sudo apt-get update
+ sudo apt-get install -y trivy
 - name: Pre-commit checks
 uses: pre-commit/action@v3.0.1
 - name: pre-commit-ci-lite
diff --git a/renovate.json b/renovate.json
index db3f65c79..2d225e022 100644
--- a/renovate.json
+++ b/renovate.json
@@ -30,17 +30,6 @@
 ],
 "datasourceTemplate": "github-releases"
 },
- {
- "customType": "regex",
- "managerFilePatterns": [
- "/.github/workflows/pre-commit.yml/"
- ],
- "depNameTemplate": "aquasecurity/trivy",
- "matchStrings": [
- "TRIVY_VERSION=\"(?.*?)\""
- ],
- "datasourceTemplate": "github-releases"
- },
 {
 "customType": "regex",
 "managerFilePatterns": [
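Review bot: In the `Setup trivy` step of .github/workflows/pre-commit.yml, the signing key is downloaded from the same `aquasecurity.github.io` origin as the packages on every run and written to the keyring unchecked, so `signed-by=` only proves the packages match whatever key that fetch returned, and `sudo apt-get install -y trivy` then runs an unpinned scanner. Compare the downloaded key's fingerprint against a value committed in this workflow before dearmoring it, and install `trivy=<PINNED_VERSION>`; since this commit also drops the Renovate rule in renovate.json, a pin would need a replacement rule to stay current. Writing the key to a file first also removes the `wget | gpg | tee` pipeline, where a failed download would otherwise go unnoticed unless the step's shell sets `pipefail` (not visible here). The fingerprint and version in the sketch below are placeholders.

```yaml
      - name: Setup trivy
        run: |
          wget -qO trivy.key https://aquasecurity.github.io/trivy-repo/deb/public.key
          # Placeholder: record the publisher's key fingerprint once, out of band, and commit it here.
          expected_fpr="<TRIVY_SIGNING_KEY_FINGERPRINT>"
          actual_fpr="$(gpg --show-keys --with-colons trivy.key | awk -F: '$1 == "fpr" { print $10; exit }')"
          [ "$actual_fpr" = "$expected_fpr" ] || { echo "unexpected trivy signing key: $actual_fpr" >&2; exit 1; }
          gpg --dearmor < trivy.key | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
          # … unchanged: sources.list.d entry, apt-get update …
          sudo apt-get install -y "trivy=<PINNED_VERSION>"
```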