From 87f4664309a0f48517993cf28f897024bfadf788 Mon Sep 17 00:00:00 2001
From: Headgent
Date: Sun, 14 Jun 2026 07:05:15 +0200
Subject: [PATCH] fix(ci): pin trivy-action to existing v0.36.0 + make job non-blocking (#5)

The previous pin @0.28.0 does not exist (action resolution failed), reddening the otherwise-green main run although all images published correctly. Pin to v0.36.0 (verified via git refs) and add continue-on-error so the informational CVE report can never block a publish, per PRD E6 (Trivy non-blocking).
---
 .github/workflows/ci.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d9fdbcf..adf0587 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -108,9 +108,12 @@ jobs:
 trivy-report:
 # Non-blocking CVE visibility on the freshly published images (base-image CVEs
 # are not self-fixable, so this reports instead of failing the build).
+ # continue-on-error keeps the run green even if Trivy itself errors (DB download,
+ # rate limit) — this job is purely informational and must never block a publish.
 if: github.event_name != 'pull_request'
 needs: build-test-and-push
 runs-on: ubuntu-latest
+ continue-on-error: true
 permissions:
 contents: read
 strategy:
@@ -119,7 +122,7 @@ jobs:
 fail-fast: false
 steps:
 - name: Scan image for HIGH/CRITICAL CVEs
- uses: aquasecurity/trivy-action@0.28.0
+ uses: aquasecurity/trivy-action@v0.36.0
 with:
 image-ref: headgent/phpcli:${{ matrix.php_version }}
 format: table
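Review bot: With `continue-on-error: true` at job level, a scan that reports CRITICAL findings, a scan whose DB download fails, and a clean scan all leave the workflow green, and the only trace of the outcome is the job log — so the report the new comment calls "informational" has no consumer unless someone opens that log. The intent is fine, but the step should then persist its output so the job stays useful: an artifact upload of the table, or `format: sarif` plus an upload to code scanning (which would also need `security-events: write` added under the `permissions:` block in this hunk, next to `contents: read`). The scan step's `with:` block is in the next hunk and runs past its end, so whether `exit-code` or `severity` is set there is not visible to me. I would extend the new comment with where the result actually lands: `# the scan result is only visible in this job's log; nothing is uploaded or surfaced elsewhere.`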
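Review bot: `uses: aquasecurity/trivy-action@v0.36.0` pins to a tag, and tags are mutable — the failure this commit fixes (a ref that no longer resolved) is itself a reminder that a tag is not a stable identifier, and a re-pointed tag would silently change which action code runs in this job's context. Pin third-party actions to the full commit SHA and keep the version as a trailing comment, `uses: aquasecurity/trivy-action@<FULL_COMMIT_SHA_OF_v0.36.0>  # v0.36.0`, which Dependabot/Renovate can still bump; the "verified via git refs" check in the description is what should be recorded as that SHA. The step's `with:` block continues past the end of the hunk, so only `image-ref` and `format: table` are visible here.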