From bb22bce0785f2d4bfb4a66dfa06f7397e0b0325a Mon Sep 17 00:00:00 2001
From: Roman Borodavkin
Date: Fri, 20 Mar 2026 20:46:02 +0200
Subject: [PATCH] fix(ci): pin trivy-action to SHA after supply chain compromise

- Replace @0.28.0 refs with v0.35.0 SHA (57a97c7e) in ci.yml (3) and docker-build.yml (2)
- Tags v0.0.1-v0.34.2 were force-pushed with malicious code on 2026-03-19
- No secrets leaked, no CI ran after compromise timestamp

Impact: CI no longer references compromised action tags
---
 .github/workflows/ci.yml           | 6 +++---
 .github/workflows/docker-build.yml | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 258b651..22b9d23 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -118,7 +118,7 @@ jobs:
             trivy-db-
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.28.0
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
         with:
           scan-type: 'fs'
           scan-ref: '.'
@@ -153,7 +153,7 @@ jobs:
             trivy-db-
 
       - name: Run Trivy secret scanner
-        uses: aquasecurity/trivy-action@0.28.0
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
         with:
           scan-type: 'fs'
           scan-ref: '.'
@@ -185,7 +185,7 @@ jobs:
             trivy-db-
 
       - name: Run Trivy config scanner
-        uses: aquasecurity/trivy-action@0.28.0
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
         with:
           scan-type: 'config'
           scan-ref: '.'
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 3cd911f..8b3eb56 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -129,7 +129,7 @@ jobs:
             trivy-db-
 
       - name: Run Trivy container scanner
-        uses: aquasecurity/trivy-action@0.28.0
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
         with:
           image-ref: '${{ env.DOCKER_IMAGE }}:${{ steps.tag.outputs.value }}'
           severity: ${{ env.SECURITY_SEVERITY }}
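Review bot: The SHA on the added `uses:` line pins only the top-level action, not what it pulls in at run time: a composite action can still reference nested helper actions by mutable tag (trivy-action has delegated the Trivy install to a separate setup helper in recent versions), and the Trivy binary itself is chosen by the action's `version:` input rather than by this commit hash, so it is worth confirming both against the action.yml at 57a97c7e and setting `version:` explicitly under `with:` if the workflows do not already do so. The same applies to the other two hunks in ci.yml and to both hunks in docker-build.yml. The `trivy-db-` restore key visible in every hunk means a vulnerability-DB cache entry written during the incident window would outlive this pin; the message states no CI ran after the compromise timestamp, so this is presumably moot, but a one-off cache purge is cheap insurance. Since only the Trivy steps appear here, the remaining actions in these workflows (checkout, cache, docker build/push) are presumably still tag-referenced and deserve the same SHA treatment, ideally enforced by a Dependabot `github-actions` entry that keeps the trailing `# v0.35.0` comment in sync with the pinned SHA.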
@@ -168,7 +168,7 @@ jobs:
             trivy-db-
 
       - name: Generate SBOM
-        uses: aquasecurity/trivy-action@0.28.0
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
         with:
           image-ref: '${{ env.DOCKER_IMAGE }}:${{ steps.tag.outputs.value }}'
           format: 'cyclonedx'