fix(ci): repoint three more broken SHA pins in security-scan.yml #10
Merged
Conversation
VSCode's GitHub Actions extension surfaced three pins that don't resolve in the upstream repos — same broken-prefix-then-diverged pattern as the trufflehog and EnricoMi fixes (see commits 67301aa, 71d41b9). The pins live in `security-scan.yml`, which runs on a different trigger than the PR workflows, so these never failed during PR #9.

- gitleaks/gitleaks-action: pin annotated v2.3.7 but the SHA was invalid. Funny detail: the broken SHA `ff98106e4c7b2bc287eb9b...` shares the first 12 chars with the real v2.3.9 SHA `ff98106e4c7b... 2bc287b24...`. Bumped to v2.3.9 (latest in the v2.x line — staying in-major to avoid v3.0.0 breaking changes).
- actions/dependency-review-action: pin annotated v4.5.0 was invalid. Bumped to v4.9.0 (latest in v4.x — v5.0.0 may have breaking changes).
- gaurav-nelson/github-action-markdown-link-check: pin annotated v1.0.15 was invalid. Bumped to 1.0.17 (latest 1.x; the upstream tag is annotated, so dereferenced to commit SHA `3c3b66f...`).

Verified all three new SHAs against `gh api repos/X/git/commits/SHA` before pinning. Audited all 12 other action pins in the workflows directory while at it — all resolve cleanly.
`Trivy Filesystem Scan` has been failing 54 consecutive runs on main since at least 2025-10-15. The currently-pinned `trivy-action@v0.29.0` transitively references `aquasecurity/setup-trivy@v0.2.2`, which GitHub Actions can no longer resolve — the job aborts during "Set up job", before checkout, before the scan even starts. This was masked on PRs because the broken SHA pins in #10 made everyone assume CI churn was pin-related; it wasn't.

Changes:

- Bump `aquasecurity/trivy-action` from v0.29.0 to v0.36.0 (SHA `ed142fd...`). v0.36.0 is the current release post-March-2026 trivy-action supply-chain incident — earlier 0.0.1-0.34.2 had their tags re-pointed during the compromise and should be avoided.
- Add `TRIVY_DB_REPOSITORY` / `TRIVY_JAVA_DB_REPOSITORY` env vars to point at the public.ecr.aws mirrors. GHCR rate-limits hitting trivy-action runs is the dominant CI failure mode in 2025-2026 (trivy-action#389); the AWS ECR mirror sidesteps it.
- Set `ignore-unfixed: true`, `exit-code: 0`, `continue-on-error: true`. This makes Trivy advisory: findings still appear in the GitHub Security tab via the existing SARIF upload, but they don't gate merges. For a single-developer toolkit with no production blast radius, that's the right altitude.

Adding to PR #10 because both fixes touch security-scan.yml and the broader theme is the same: stale CI plumbing exposed once the trufflehog pin fix from PR #9 unblocked the workflow chain.
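The two comments above describe the same audit done by hand: walk every `uses:` line in the workflow directory, confirm that each SHA pin actually resolves upstream, and notice when a pin only shares a leading prefix with a real commit. The script below is an added example, not code from this PR or its repository, that automates that audit offline. It classifies each reference as a full SHA that resolves, a full SHA that does not, a truncated SHA, or a mutable tag (the kind that was re-pointed in the trivy-action incident the second comment mentions). The workflow text, repository names and SHAs are constructed, and `resolves` is an injectable callback standing in for the `gh api repos/OWNER/REPO/git/commits/SHA` check the author ran.

```python
"""Audit `uses:` references in a GitHub Actions workflow.

Added example, not part of the PR. A regular expression is used instead
of a YAML parser so the script has no dependencies and runs offline; the
`resolves` callback is where a real audit would call the GitHub API.
"""
import os
import re
from dataclasses import dataclass
from typing import Callable, List

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA = re.compile(r"^[0-9a-f]{7,39}$")
# Matches "- uses: owner/repo[/path]@ref  # optional version comment".
USES_LINE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<repo>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)"
    r"(?:/[^@\s]+)?@(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*))?$"
)

# Constructed SHAs (not real commits). BAD_SHA shares its first 32 hex
# characters with GOOD_SHA and then diverges, the pattern the PR describes.
GOOD_SHA = "0123456789abcdef0123456789abcdef01234567"
BAD_SHA = "0123456789abcdef0123456789abcdef" + "badbad00"

# Constructed workflow text; repository names are placeholders.
WORKFLOW = f"""\
name: security-scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: example/checkout@{GOOD_SHA} # v4.0.0
      - uses: example/scanner@{BAD_SHA} # v2.3.7
      - uses: example/setup-tool@v0.2.2
      - name: run
        run: echo scan
"""

# Stand-in for the upstream commit lookup: only GOOD_SHA "exists".
KNOWN_COMMITS = {("example/checkout", GOOD_SHA)}


def fake_resolver(repo: str, sha: str) -> bool:
    """Pretend to be `gh api repos/<repo>/git/commits/<sha>`."""
    return (repo, sha) in KNOWN_COMMITS


@dataclass
class Finding:
    line: int
    repo: str
    ref: str
    comment: str
    kind: str  # "ok", "unresolved", "short-sha" or "tag"


def audit_workflow(text: str, resolves: Callable[[str, str], bool]) -> List[Finding]:
    """Classify every action reference in the workflow text."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        m = USES_LINE.match(raw)
        if not m:
            continue
        repo, ref = m["repo"], m["ref"]
        comment = (m["comment"] or "").strip()
        if FULL_SHA.match(ref):
            kind = "ok" if resolves(repo, ref) else "unresolved"
        elif SHORT_SHA.match(ref):
            kind = "short-sha"  # abbreviated SHAs are not immutable pins
        else:
            kind = "tag"  # tags and branches can be re-pointed upstream
        findings.append(Finding(number, repo, ref, comment, kind))
    return findings


def problems(findings: List[Finding]) -> List[str]:
    """Human-readable report lines for everything that is not a resolving SHA."""
    return [
        f"line {f.line}: {f.repo}@{f.ref} ({f.comment or 'no version comment'}) -> {f.kind}"
        for f in findings
        if f.kind != "ok"
    ]


def shared_prefix_len(a: str, b: str) -> int:
    """How many leading characters two SHAs share (the 'diverged pin' tell)."""
    return len(os.path.commonprefix([a, b]))


if __name__ == "__main__":
    for line in problems(audit_workflow(WORKFLOW, fake_resolver)):
        print(line)
    print("scanner pin shares", shared_prefix_len(BAD_SHA, GOOD_SHA), "chars with the real commit")
```

Run against a real workflow directory, `fake_resolver` would be replaced by a function that shells out to `gh api` and returns whether the call succeeded; the `tag` finding is worth keeping even for actions that currently work, since a tag pin is exactly what a tag re-pointing compromise turns against you.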
Summary
VSCode's GitHub Actions extension surfaced three SHA pins in `security-scan.yml` that don't resolve in their upstream repos — same broken-prefix-then-diverged pattern as the trufflehog (commit 67301aa) and EnricoMi (commit 71d41b9) fixes.
These pins live in `security-scan.yml`, which has a different trigger than the PR workflows, so they never failed during PR #9.
Pins fixed
Stayed within the originally-annotated major version on each (matching the trufflehog v3.x → v3.95.5 precedent) to avoid surprise breaking changes from v2→v3 or v4→v5 bumps.
Verification
Test plan