fix(ci): lowercase Trivy image-ref and bump all actions to latest

Soju06 · Soju06 · commit 3b94de4457a9 · 2026-04-02T21:08:24.000+09:00
Trivy fails to parse uppercase image references (Soju06 → soju06).
Compute lowercased ref in a prior step, same pattern as the Helm push fix.

Action bumps:
- docker/setup-buildx-action v3 → v4
- docker/setup-qemu-action v3 → v4
- docker/login-action v3 → v4
- docker/metadata-action v5 → v6
- docker/build-push-action v6 → v7
- github/codeql-action v3 → v4
- oven-sh/setup-bun v2.1.3 → v2 (floating major)
- astral-sh/setup-uv v7.5.0 → v8
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -19,7 +19,7 @@ jobs:
         uses: actions/checkout@v6.0.2
 
       - name: Set up Bun
-        uses: oven-sh/setup-bun@v2.1.3
+        uses: oven-sh/setup-bun@v2
         with:
           bun-version: "1.3.10"
 
@@ -38,7 +38,7 @@ jobs:
         uses: actions/checkout@v6.0.2
 
       - name: Set up Bun
-        uses: oven-sh/setup-bun@v2.1.3
+        uses: oven-sh/setup-bun@v2
         with:
           bun-version: "1.3.10"
 
@@ -57,7 +57,7 @@ jobs:
         uses: actions/checkout@v6.0.2
 
       - name: Set up Bun
-        uses: oven-sh/setup-bun@v2.1.3
+        uses: oven-sh/setup-bun@v2
         with:
           bun-version: "1.3.10"
 
@@ -76,7 +76,7 @@ jobs:
         uses: actions/checkout@v6.0.2
 
       - name: Set up Bun
-        uses: oven-sh/setup-bun@v2.1.3
+        uses: oven-sh/setup-bun@v2
         with:
           bun-version: "1.3.10"
 
@@ -95,7 +95,7 @@ jobs:
         uses: actions/checkout@v6.0.2
 
       - name: Set up uv
-        uses: astral-sh/setup-uv@v7.5.0
+        uses: astral-sh/setup-uv@v8
         with:
           python-version: "3.13"
           enable-cache: true
@@ -115,7 +115,7 @@ jobs:
         uses: actions/checkout@v6.0.2
 
       - name: Set up uv
-        uses: astral-sh/setup-uv@v7.5.0
+        uses: astral-sh/setup-uv@v8
         with:
           python-version: "3.13"
           enable-cache: true
@@ -135,7 +135,7 @@ jobs:
         uses: actions/checkout@v6.0.2
 
       - name: Set up Bun
-        uses: oven-sh/setup-bun@v2.1.3
+        uses: oven-sh/setup-bun@v2
         with:
           bun-version: "1.3.10"
 
@@ -146,7 +146,7 @@ jobs:
         run: cd frontend && bun run build
 
       - name: Set up uv
-        uses: astral-sh/setup-uv@v7.5.0
+        uses: astral-sh/setup-uv@v8
         with:
           python-version: "3.13"
           enable-cache: true
@@ -182,7 +182,7 @@ jobs:
         uses: actions/checkout@v6.0.2
 
       - name: Set up Bun
-        uses: oven-sh/setup-bun@v2.1.3
+        uses: oven-sh/setup-bun@v2
         with:
           bun-version: "1.3.10"
 
@@ -193,7 +193,7 @@ jobs:
         run: cd frontend && bun run build
 
       - name: Set up uv
-        uses: astral-sh/setup-uv@v7.5.0
+        uses: astral-sh/setup-uv@v8
         with:
           python-version: "3.13"
           enable-cache: true
@@ -213,7 +213,7 @@ jobs:
         uses: actions/checkout@v6.0.2
 
       - name: Set up uv
-        uses: astral-sh/setup-uv@v7.5.0
+        uses: astral-sh/setup-uv@v8
         with:
           python-version: "3.13"
           enable-cache: true
@@ -253,7 +253,7 @@ jobs:
         uses: actions/checkout@v6.0.2
 
       - name: Set up uv
-        uses: astral-sh/setup-uv@v7.5.0
+        uses: astral-sh/setup-uv@v8
         with:
           python-version: "3.13"
           enable-cache: true
@@ -278,7 +278,7 @@ jobs:
         uses: actions/checkout@v6.0.2
 
       - name: Set up Bun
-        uses: oven-sh/setup-bun@v2.1.3
+        uses: oven-sh/setup-bun@v2
         with:
           bun-version: "1.3.10"
 
@@ -289,7 +289,7 @@ jobs:
         run: cd frontend && bun run build
 
       - name: Set up uv
-        uses: astral-sh/setup-uv@v7.5.0
+        uses: astral-sh/setup-uv@v8
         with:
           python-version: "3.13"
           enable-cache: true
@@ -337,10 +337,10 @@ jobs:
         uses: actions/checkout@v6.0.2
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
 
       - name: Build Docker image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
         with:
           context: .
           file: Dockerfile
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -29,7 +29,7 @@ jobs:
           ref: ${{ env.RELEASE_TAG }}
 
       - name: Set up Bun
-        uses: oven-sh/setup-bun@v2.1.3
+        uses: oven-sh/setup-bun@v2
         with:
           bun-version: "1.3.10"
 
@@ -40,7 +40,7 @@ jobs:
         run: cd frontend && bun run build
 
       - name: Set up uv
-        uses: astral-sh/setup-uv@v7.5.0
+        uses: astral-sh/setup-uv@v8
         with:
           python-version: "3.13"
           enable-cache: true
@@ -155,21 +155,21 @@ jobs:
           ref: ${{ env.RELEASE_TAG }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@v4
 
       - name: Log in to GHCR
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Extract Docker metadata
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
         with:
           images: ghcr.io/${{ github.repository }}
           tags: |
@@ -179,7 +179,7 @@ jobs:
             type=raw,value=latest
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
         with:
           context: .
           file: Dockerfile
@@ -190,17 +190,21 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
+      - name: Set lowercase image ref
+        id: image
+        run: echo "ref=ghcr.io/${GITHUB_REPOSITORY,,}:${{ steps.meta.outputs.version }}" >> "$GITHUB_OUTPUT"
+
       - name: Scan Docker image with Trivy (SARIF)
         uses: aquasecurity/trivy-action@0.35.0
         with:
-          image-ref: ghcr.io/${{ github.repository }}:${{ steps.meta.outputs.version }}
+          image-ref: ${{ steps.image.outputs.ref }}
           format: sarif
           output: trivy-results.sarif
           severity: CRITICAL,HIGH
           ignore-unfixed: true
 
       - name: Upload Trivy scan results to GitHub Security
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
         with:
           sarif_file: trivy-results.sarif
