Update trivy actions to v0.3.1 (main)

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
aquasecurity/setup-trivy	action	minor	v0.2.6 → v0.3.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

aquasecurity/setup-trivy (aquasecurity/setup-trivy)

v0.3.1

Compare Source

v0.3.1

🐛 Bug fix

Fixes a regression in v0.3.0 that made the action fail to load in every
workflow, even when path was not set:

Unrecognized named-value: 'runner'. Located at position 1 within expression: runner.temp

A literal ${{ runner.temp }} had been left in an input description inside
action.yaml. GitHub evaluates every ${{ }} expression in the file —
including input descriptions, where the runner context is unavailable — so the
action could not be loaded at all. The expression has been removed from the
description and from the validation error message. See #​37 (#​38).

If you are on v0.3.0, upgrade to v0.3.1.

✅ Tests

Added a CI workflow that runs the action on ubuntu / windows / macOS (default,
cached, and custom-path installs) and verifies that an invalid path is
rejected. Because it exercises the action via uses: ./, it catches
action-loading failures like #​37 that static linters miss.

ℹ️ Note

The v0.3.0 security hardening and the path breaking change still apply:
path must be a literal path; shell variables ($HOME, $RUNNER_TEMP) and
~ are not expanded. Use a GitHub expression or a relative path:

path: ${{ runner.temp }}/trivy
path: ./bins

Full Changelog: aquasecurity/setup-trivy@v0.3.0...v0.3.1

v0.3.0

Compare Source

v0.3.0

[!CAUTION]
This release is broken — do not use it. Upgrade to v0.3.1.

v0.3.0 fails to load in every workflow, even when path is not set, with:

Unrecognized named-value: 'runner'. Located at position 1 within expression: runner.temp

The cause is a literal ${{ runner.temp }} left in an input description inside
action.yaml. GitHub evaluates every ${{ }} in the file, including in input
descriptions where the runner context is unavailable, so the action cannot be
loaded at all. Fixed in #​38 (released as v0.3.1); see #​37.

🔒 Security

Hardened the action against shell script injection: ${{ }} values are now passed via env: instead of being inlined into run: blocks, and all shell variables are quoted.

⚠️ Breaking change

The path input must now be a literal path. Shell variables ($HOME, $RUNNER_TEMP) and ~ are no longer expanded and will fail the action.

Only affects you if you explicitly set path with a $ or ~. Default usage is unchanged (Trivy installs to $HOME/.local/bin/trivy-bin), and aquasecurity/trivy-action is not affected.

# ❌ now rejected
path: $RUNNER_TEMP/trivy

# ✅ use a GitHub expression or a literal path
path: ${{ runner.temp }}/trivy
path: ./bins

Full Changelog: aquasecurity/setup-trivy@v0.2.6...v0.3.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.