ci: pin trivy-action in reusable workflow #11593

Merged
patrick-stephens merged 2 commits into master from resolve_trivy_incident_mar2026 on Mar 20, 2026

Conversation


@patrick-stephens patrick-stephens commented Mar 20, 2026

Resolves #11594, an issue with trivy-action (https://www.stepsecurity.io/blog/trivy-compromised-a-second-time---malicious-v0-69-4-release), by pinning to the same SHA as the cron-trivy workflow.

Investigation is shown on #11594; this PR pins the SHA to the same one as the regular scan job for now, which is not compromised. Related to #11590, as we update to the latest SHA as well for it.

This PR removes the legacy workflows we no longer use for building old branches as well.


Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Before we can approve your change; please submit the following in a comment:

  • Example configuration file for the change
  • Debug log output from testing the change
  • Attached Valgrind output that shows no leaks or memory corruption was found

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

  • Run local packaging test showing all targets (including any new ones) build.
  • Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

  • Documentation required for this feature

Backporting

  • Backport to latest stable release.

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Summary by CodeRabbit

Release Notes

Chores

  • Removed GitHub Actions workflows for manual container image building that previously supported branch-specific and legacy version builds in the continuous integration pipeline
  • Updated security scanning tool action references to fixed commit hashes instead of floating version tags, ensuring consistent and reproducible vulnerability scanning results across all continuous integration executions

Signed-off-by: Patrick Stephens <pat@telemetryforge.io>
coderabbitai Bot commented Mar 20, 2026

Walkthrough

Removed two manual container-build GitHub Actions workflows and pinned Trivy action references in existing workflows to specific commit SHAs to avoid using the moving @master ref.

Changes

Deleted workflows (.github/workflows/build-branch-containers.yaml, .github/workflows/build-legacy-branch.yaml): removed the branch-specific container build workflow and the legacy (1.8) multi-arch build/publish workflow (including their workflow_dispatch inputs and build/push/manifest steps).

Trivy action pinning (.github/workflows/call-build-images.yaml, .github/workflows/cron-trivy.yaml): replaced the moving aquasecurity/trivy-action@master with pinned commit SHAs in the Trivy scanner steps (references updated to specific commit hashes).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • niedbalski

Poem

🐰 I nibbled old workflows, cleaned the CI glen,
Pinned Trivy's tiny pawprints, safe steps again.
Gone are old branches, builds that used to roam,
Now pipelines rest snug, and the burrow feels like home. ✨

🚥 Pre-merge checks: 5 passed

  • Description check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The PR title directly summarizes the main change: pinning trivy-action to a specific commit SHA in the reusable workflow to mitigate a supply-chain security incident.
  • Linked Issues check: ✅ Passed. The PR successfully addresses all coding objectives from #11594: pins trivy-action to the uncompromised SHA (57a97c7e7821a5776cebc9bb87c984fa69cba8f1) in the reusable workflow and removes legacy workflows that used the compromised master reference.
  • Out of Scope Changes check: ✅ Passed. All changes are within scope: pinning trivy-action in the reusable workflow, updating the cron-trivy workflow to match, and removing legacy build workflows (build-branch-containers.yaml, build-legacy-branch.yaml) no longer needed.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage; skipping docstring coverage check.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/call-build-images.yaml:
- Line 307: The pinned Trivy Action reference (uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8) is vulnerable and relies on deleted upstream artifacts; update the action to a secure, supported tag such as v0.34.2 or a recent stable tag (e.g., v0.35.0) by replacing the commit pin with the release tag (uses: aquasecurity/trivy-action@v0.34.2 or `@v0.35.0`) so the workflow uses the patched release that fixes CVE-2026-26189 and avoids the supply-chain breakage.

📥 Commits

Reviewing files that changed from the base of the PR and between 9d42647 and fa3e35d.

📒 Files selected for processing (3)
  • .github/workflows/build-branch-containers.yaml
  • .github/workflows/build-legacy-branch.yaml
  • .github/workflows/call-build-images.yaml
💤 Files with no reviewable changes (2)
  • .github/workflows/build-branch-containers.yaml
  • .github/workflows/build-legacy-branch.yaml

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fa3e35d342

@patrick-stephens patrick-stephens (Contributor, Author) commented

@coderabbitai please review

coderabbitai Bot commented Mar 20, 2026

@patrick-stephens Sure, I'll review the changes now!

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (2)
.github/workflows/cron-trivy.yaml (2)

57-57: Update stale inline comment to match the pinned ref.

The comment still says master is deliberate, but Line 59 is now SHA-pinned. Consider updating it to avoid future confusion during incident response.

Suggested comment tweak
-      # Deliberately chosen master here to keep up-to-date.
+      # Pinned to a known-good commit SHA to avoid floating refs.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/cron-trivy.yaml at line 57: The inline comment that reads "Deliberately chosen master here to keep up-to-date." is now inaccurate because the workflow uses a SHA-pinned ref; update that comment to reflect the SHA-pinning (e.g., "Deliberately pinned to a specific SHA to ensure reproducible runs") and ensure it sits immediately adjacent to the SHA-pinned ref in the cron-trivy workflow so future readers understand the intent.

59-59: Immutable action pin correctly applied—good supply-chain hardening.

Verification confirms all aquasecurity/trivy-action references in the repository are now pinned to commit SHAs with no floating refs. However, the inline comment at Line 57 stating "Deliberately chosen master here to keep up-to-date" is stale and should be removed or updated.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/cron-trivy.yaml at line 59: Remove or update the stale inline comment "Deliberately chosen master here to keep up-to-date" that now contradicts the pinned action usage (uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1); either delete the comment or replace it with a brief note explaining that the action is intentionally pinned to a commit SHA for supply-chain security.
📥 Commits

Reviewing files that changed from the base of the PR and between fa3e35d and b072781.

📒 Files selected for processing (2)
  • .github/workflows/call-build-images.yaml
  • .github/workflows/cron-trivy.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/call-build-images.yaml
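A check for the verification CodeRabbit describes above (every aquasecurity/trivy-action reference pinned to a commit SHA, no floating refs), as an added example that is not part of this PR or of Fluent Bit's CI: it scans workflow text for `uses:` steps that are not pinned to a full 40-hex commit SHA and, optionally, for SHAs outside a reviewed allow-list, because the first review on this PR shows a SHA pin can still select a release the project would not accept. The sample workflow is constructed; the SHA in it is the one this PR pins to, and the `Finding` type and `check_workflow` function are this example's own names.

```python
from __future__ import annotations
import re
from typing import NamedTuple

# Only a full 40-hex commit SHA is immutable; tags (v0.34.2) and branches (master) can be re-pointed.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")

class Finding(NamedTuple):
    line_no: int
    action: str
    ref: str
    reason: str

def check_workflow(text: str, allowed_shas: set[str] | None = None) -> list[Finding]:
    """Report each `uses:` step not pinned to a commit SHA; with allowed_shas, also
    any SHA outside that reviewed list (a SHA pin can still select a bad build)."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m:
            continue
        spec = m.group(1).strip("'\"")
        if spec.startswith(("./", "docker://")):
            continue  # local action or container image: no git ref to pin
        action, sep, ref = spec.partition("@")
        if not sep:
            findings.append(Finding(line_no, action, "", "no @ref at all"))
        elif not FULL_SHA.match(ref):
            findings.append(Finding(line_no, action, ref, "floating tag/branch, not a commit SHA"))
        elif allowed_shas is not None and ref not in allowed_shas:
            findings.append(Finding(line_no, action, ref, "SHA not on the reviewed allow-list"))
    return findings

# Constructed sample (not Fluent Bit's workflow): the floating @master ref this
# PR removes next to the SHA it pins to. Line numbers are what the check reports.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      # Deliberately chosen master here to keep up-to-date.
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for f in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.action}@{f.ref or '<none>'}: {f.reason}")
```

Run it over each file under .github/workflows to reproduce the repository-wide check; pass the set of SHAs the maintainers have actually reviewed as allowed_shas to catch pins such as the one flagged in the first review.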

@patrick-stephens patrick-stephens merged commit 6ab5965 into master Mar 20, 2026
12 checks passed
@patrick-stephens patrick-stephens deleted the resolve_trivy_incident_mar2026 branch March 20, 2026 17:20
Development

Successfully merging this pull request may close this issue: Trivy-action compromise - March 19th