ci: pin Trivy version to v0.69.3 to fix failing install

[david-waltermire]

Summary

The Code CI job has been failing on dependabot PRs since late March because the Trivy install step exits with code 1 during setup. The aquasecurity/trivy-action defaults to installing Trivy v0.65.0, but release artifacts for older Trivy versions were removed upstream, so contrib/install.sh can no longer fetch them.

This pins version: v0.69.3 on the trivy-action invocation so install.sh targets a release whose assets are still published.

Changes

• .github/workflows/build.yml — add version: 'v0.69.3' to the Trivy step, with a comment linking to the upstream discussion.

References

• https://github.com/aquasecurity/trivy/discussions/10265 — upstream announcement of the removed artifacts
• Trivy installation failing in GitHub Actions with aquasecurity/setup-trivy@v0.2.2/0.2.5 aquasecurity/setup-trivy#30 — tracking issue for the install failure, with confirmed working mitigation

Test Plan

• CI Code job passes on this PR (previously failing on dependabot PRs build(deps): bump org.fusesource.jansi:jansi from 2.4.2 to 2.4.3 #251, build(deps): bump org.apache.logging.log4j:log4j-bom from 2.25.3 to 2.25.4 #252, build(deps-dev): bump io.github.git-commit-id:git-commit-id-maven-plugin from 9.0.2 to 10.0.0 #255)
• Trivy scan completes and SARIF output is produced

Summary by CodeRabbit

• Chores
  • Enhanced security scanning by explicitly specifying a pinned version of the security tool in the build process, ensuring consistency and reproducibility of security checks across releases.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1bbcdc57-9822-4be3-822b-a515e6dc4427

📥 Commits

Reviewing files that changed from the base of the PR and between 45f1daf and d241b3f.

📒 Files selected for processing (1)

• .github/workflows/build.yml

---

📝 Walkthrough

Walkthrough

The build workflow configuration now explicitly pins the Trivy security scanner to version v0.69.3 via the aquasecurity/trivy-action parameter, replacing implicit reliance on the action's default version for filesystem vulnerability scanning.

Changes

Cohort / File(s)	Summary
CI Workflow Configuration .github/workflows/build.yml	Pinned Trivy engine version to v0.69.3 in the aquasecurity/trivy-action step to ensure consistent vulnerability scanning across builds.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

Possibly related PRs

• build: fix CI infrastructure (Trivy action bump + FedRAMP test URL) liboscal-java#277: Related Trivy version pinning change in the same workflow file with a different Trivy version (v0.35.0).
• build: exclude maven2 artifact repo checkout from Trivy scan liboscal-java#252: Modifies Trivy scan configuration in the same workflow to adjust skip-directories settings.
• ci: pin Trivy binary version to v0.70.0 metaschema-java#681: Pins Trivy binary version to v0.70.0 in the same aquasecurity/trivy-action step across a related repository.

Poem

🐰 A version pinned down with care,
No more surprises in the air,
Trivy scans with steady hand,
v0.69.3 is now planned!
Security builds on solid ground,
Consistency is what we've found. ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: pinning Trivy version to v0.69.3 to resolve installation failures in CI.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}