From aabe7cd60bd10cd023898a15b68b4e16068d940a Mon Sep 17 00:00:00 2001
From: Sharang Parnerkar
Date: Mon, 18 May 2026 21:36:11 +0200
Subject: [PATCH] ci: replace aquasecurity/trivy-action with inline binary

The trivy-action does an internal actions/checkout against github.com/aquasecurity/trivy, which fails on Gitea (act_runner injects Gitea creds; clone returns exit 128). Switch to the same inline-download pattern we use for gitleaks.

Refs: M0.2
---
 .gitea/workflows/ci.yaml | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml
index 548f3bb..2671985 100644
--- a/.gitea/workflows/ci.yaml
+++ b/.gitea/workflows/ci.yaml
@@ -47,12 +47,13 @@ jobs:
 /tmp/gitleaks detect --source . --no-banner --redact --verbose --exit-code 1
 - name: trivy fs scan
- uses: aquasecurity/trivy-action@master
- with:
- scan-type: fs
- severity: HIGH,CRITICAL
- exit-code: 1
- ignore-unfixed: true
+ shell: bash
+ run: |
+ set -euo pipefail
+ TRIVY_VERSION=0.50.0
+ curl -fsSL "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" \
+ | tar -xz -C /tmp trivy
+ /tmp/trivy fs --severity HIGH,CRITICAL --exit-code 1 --no-progress --skip-dirs node_modules,target,dist .
 test:
 runs-on: docker
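Review bot: The new `run` block pipes the trivy tarball from `curl -fsSL` straight into `tar` with no integrity check, so a substituted or tampered release asset would be executed on the runner unverified; pinning `TRIVY_VERSION` is a real improvement over the removed `@master` reference, but it only fixes which file is requested, not what is received. Download to a file, compare it against a SHA-256 recorded in the workflow (copy the value from the checksums file trivy publishes alongside its release assets rather than fetching it from the same origin at run time), and only then extract, as sketched below; the gitleaks step above this hunk appears to follow the same unverified pattern and would benefit from the same treatment. Separately, the replacement drops `ignore-unfixed: true` without passing `--ignore-unfixed` to the new command, so the step will now fail on HIGH/CRITICAL findings that have no fix available — a policy change the commit message does not mention and that should either be restored or called out. The added `--skip-dirs node_modules,target,dist` is likewise new behaviour not described in the message.
```yaml
        run: |
          set -euo pipefail
          TRIVY_VERSION=0.50.0
          TRIVY_SHA256="<sha256 of trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz from the release checksums file>"
          curl -fsSL -o /tmp/trivy.tgz "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
          echo "${TRIVY_SHA256}  /tmp/trivy.tgz" | sha256sum -c -
          tar -xzf /tmp/trivy.tgz -C /tmp trivy
          # … unchanged: /tmp/trivy fs invocation …
```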