Bump Trivy to v0.62.1

.github/actions/trivy/action.yaml

@@ -1,39 +1,68 @@
+# Copyright 2024 - 2025 Crunchy Data Solutions, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# schema documentation: https://docs.github.com/actions/sharing-automations/creating-actions/metadata-syntax-for-github-actions
+# yaml-language-server: $schema=https://json.schemastore.org/github-action.json
+
 name: Trivy
 description: Scan this project using Trivy
 
 # The Trivy team maintains an action, but it has trouble caching its vulnerability data:
 # https://github.com/aquasecurity/trivy-action/issues/389
 #
+#  1. It caches vulnerability data once per calendar day, despite Trivy wanting
+#     to download more frequently than that.
+#  2. When it fails to download the data, it fails the workflow *and* caches
+#     the incomplete data.
+#  3. When (1) and (2) coincide, every following run that day *must* update the data,
+#     producing more opportunities for (2) and more failed workflows.
+#
 # The action below uses any recent cache matching `cache-prefix` and calculates a cache key
-# derived from the data Trivy downloads.
+# derived from the data Trivy downloads. An older database is better than no scans at all.
+# When a run successfully updates the data, that data is cached and available to other runs.
 
 inputs:
   cache:
     default: restore,success,use
     description: >-
       What Trivy data to cache; one or more of restore, save, success, or use.
+      The value "use" instructs Trivy to read and write to its cache.
+      The value "restore" loads the Trivy cache from GitHub.
+      The value "success" saves the Trivy cache to GitHub when Trivy succeeds.
+      The value "save" saves the Trivy cache to GitHub regardless of Trivy.
 
   database:
     default: update
     description: >-
       How Trivy should handle its data; one of update or skip.
+      The value "skip" fetches no Trivy data at all.
 
   setup:
-    default: v0.57.1,cache
+    default: v0.62.1,cache
     description: >-
       How to install Trivy; one or more of version, none, or cache.
+      The value "none" does not install Trivy at all.
 
   cache-directory:
     default: ${{ github.workspace }}/.cache/trivy
+    description: >-
+      Directory where Trivy should store its data
 
   cache-prefix:
     default: cache-trivy
+    description: >-
+      Name (key) where Trivy data should be stored in the GitHub cache
 
   scan-target:
     default: .
+    description: >-
+      What Trivy should scan
 
   scan-type:
-    default: filesystem
+    default: repository
+    description: >-
+      How Trivy should interpret scan-target; one of filesystem, image, repository, or sbom.
 
 runs:
   using: composite
@@ -50,11 +79,12 @@ runs:
             "setup=\(split("[,\\s]+"; "") - [""])",
             "version=\(split("[,\\s]+"; "") | max_by(split("[v.]"; "") | map(tonumber?)))"
           '
-        ) | tee --append $GITHUB_OUTPUT
+        ) | tee --append "${GITHUB_OUTPUT}"
 
     # Install Trivy as requested.
+    # NOTE: `setup-trivy` can download a "latest" version but cannot cache it.
     - if: ${{ ! contains(fromJSON(steps.parsed.outputs.setup), 'none') }}
-      uses: aquasecurity/[email protected].2
+      uses: aquasecurity/[email protected].3
       with:
         cache: ${{ contains(fromJSON(steps.parsed.outputs.setup), 'cache') }}
         version: ${{ steps.parsed.outputs.version }}
@@ -75,12 +105,13 @@ runs:
         TRIVY_SKIP_CHECK_UPDATE: ${{ inputs.database == 'skip' }}
         TRIVY_SKIP_DB_UPDATE: ${{ inputs.database == 'skip' }}
         TRIVY_SKIP_JAVA_DB_UPDATE: ${{ inputs.database == 'skip' }}
+        TRIVY_SKIP_VEX_REPO_UPDATE: ${{ inputs.database == 'skip' }}
       run: |
         # Run Trivy
         trivy '${{ inputs.scan-type }}' '${{ inputs.scan-target }}' || result=$?
 
         checksum=$([[ -z "${TRIVY_CACHE_DIR}" ]] || cat "${TRIVY_CACHE_DIR}/"*/metadata.json | sha256sum)
-        echo 'cache-key=${{ inputs.cache-prefix }}-'"${checksum%% *}" >> $GITHUB_OUTPUT
+        echo 'cache-key=${{ inputs.cache-prefix }}-'"${checksum%% *}" >> "${GITHUB_OUTPUT}"
 
         exit "${result-0}"
 

.github/dependabot.yml

@@ -1,13 +1,17 @@
-# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
-# https://docs.github.com/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates
+# Copyright 2024 - 2025 Crunchy Data Solutions, Inc.
 #
-# See: https://www.github.com/dependabot/dependabot-core/issues/4605
----
+# SPDX-License-Identifier: Apache-2.0
+#
+# documentation: https://docs.github.com/code-security/dependabot/dependabot-version-updates
+# schema documentation: https://docs.github.com/code-security/dependabot/working-with-dependabot/dependabot-options-reference
 # yaml-language-server: $schema=https://json.schemastore.org/dependabot-2.0.json
+---
 version: 2
 updates:
   - package-ecosystem: github-actions
-    directory: /
+    directories:
+      - '/'
+      - '.github/actions/*'
     schedule:
       interval: weekly
       day: tuesday

.github/workflows/lint.yaml

@@ -19,7 +19,7 @@ jobs:
       - uses: actions/setup-go@v5
         with: { go-version: stable }
 
-      - uses: golangci/golangci-lint-action@v7
+      - uses: golangci/golangci-lint-action@v8
         with:
           version: latest
           args: --timeout=5m

.github/workflows/trivy.yaml

@@ -29,6 +29,9 @@ jobs:
           TRIVY_DOWNLOAD_DB_ONLY: true
           TRIVY_NO_PROGRESS: true
           TRIVY_SCANNERS: license,secret,vuln
+        with:
+          cache: restore,success,use
+          database: update
 
   licenses:
     # Run this job after the cache job regardless of its success or failure.