Merge branch 'release-2025.2' into fix-camera-model-validation

Irakus · web-flow · commit b25ce20dfb5c · 2026-03-25T14:36:21.000+01:00
diff --git a/.github/workflows/tests-all.yml b/.github/workflows/tests-all.yml
@@ -31,7 +31,7 @@ concurrency:
 
 env:
   DOCKER_BUILDKIT: 1
-  SUPASS: ${{ secrets.SUPASS }}
+  SUPASS: demo
   BUILD_TYPE: DAILY
 
 permissions:
diff --git a/.github/workflows/tests-bat.yml b/.github/workflows/tests-bat.yml
@@ -43,7 +43,7 @@ concurrency:
 
 env:
   DOCKER_BUILDKIT: 1
-  SUPASS: ${{ secrets.SUPASS }}
+  SUPASS: demo
 
 permissions:
   contents: read
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -6,9 +6,6 @@ name: "[Code Analysis] Trivy"
 run-name: "[Code Analysis] Trivy"
 
 on:
-  schedule:
-    - cron: "0 2 * * 0" # Every Sunday at 2:00 AM UTC
-  workflow_call: {}
   workflow_dispatch: {}
   push:
     branches:
@@ -23,39 +20,50 @@ on:
       - synchronize
       - reopened
 
-  # Trigger workflow when enqueued to a merge group
-  # (must be under 'on')
-  merge_group:
-
 permissions:
   contents: read # needed for actions/checkout
 
 jobs:
   trivy-image-scan:
     name: "Build images and run Trivy image scan"
-    if: ${{ github.event_name == 'push' }}
     permissions:
       contents: read
     runs-on: ubuntu-latest
+    if: github.event_name != 'pull_request'
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
+      - name: Free up runner space
+        run: |
+          # Remove Java (JDKs)
+          sudo rm -rf /usr/lib/jvm
+          # Remove .NET SDKs
+          sudo rm -rf /usr/share/dotnet
+          # Remove Swift toolchain
+          sudo rm -rf /usr/share/swift
+          # Remove Haskell (GHC)
+          sudo rm -rf /usr/local/.ghcup
+          # Remove Julia
+          sudo rm -rf /usr/local/julia*
+          # Remove Android SDKs
+          sudo rm -rf /usr/local/lib/android
+      - name: "Remove all Docker images"
+        uses: ./.github/actions/cleanup
+        with:
+          system-prune: "true"
       - name: Install Trivy
         id: setup_trivy
-        uses: aquasecurity/setup-trivy@e6c2c5e321ed9123bda567646e2f96565e34abe1 # v0.2.4
+        uses: aquasecurity/setup-trivy@3fb12ec12f41e471780db15c232d5dd185dcb514 # v0.2.5
         with:
-          version: "v0.65.0"
+          version: "v0.69.2"
       - name: "Build images"
         id: build_images
         run: |
-          git rev-parse HEAD > version.txt
           echo "SCENESCAPE_VERSION=$(cat version.txt)" >> "$GITHUB_ENV"
-          make
-          docker image ls | awk '{print $1 ":" $2}' | grep $(cat version.txt) | grep -v "\-test" > images.txt
-      # Step name corrected from "Run Trivy Cirital/High Image Scan" to "Run Trivy Critical/High Image Scan".
-      # Verified that no dependent processes rely on the old name.
+          make build-all
+          docker image ls | awk '{print $1}' | grep $(cat version.txt) | grep -v "\-test" > images.txt
       - name: "Run Trivy Image Scan"
         if: always() && steps.build_images.outcome == 'success' && steps.setup_trivy.outcome == 'success'
         run: |
@@ -65,10 +73,11 @@ jobs:
           while read image; do
             echo "::group::Scanning image: $image"
             scan_name=$(echo $image | cut -f1 -d":")
-            trivy image --list-all-pkgs --severity HIGH,CRITICAL --config ".github/resources/sdl/trivy_config.yml" --exit-code 1 "$image"
+            trivy image --config ".github/resources/sdl/trivy_config.yml" "$image"
+            IMAGE_CODE=$?
+            EXIT_CODE=$((EXIT_CODE || IMAGE_CODE))
             echo "::endgroup::"
-            EXIT_CODE=$((EXIT_CODE || $?))
-            if [ $EXIT_CODE -eq 1 ]; then
+            if [ $IMAGE_CODE -eq 1 ]; then
               echo "::error title=Trivy Image Scan Failed::Trivy scan found HIGH or CRITICAL vulnerabilities in image ${image}"
             fi
           done <<< $(cat images.txt)
@@ -81,20 +90,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Run Trivy Critical Filesystem Scan
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
+        uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # 0.34.0
         with:
-          version: "v0.65.0"
+          version: "v0.69.2"
           scan-type: "fs"
           scan-ref: .
           trivy-config: ".github/resources/sdl/trivy_config.yml"
-          severity: "HIGH,CRITICAL"
-          ignore-unfixed: false
-          scanners: "vuln,misconfig,secret"
-          exit-code: "1"
       - name: Create Error message if Vulnerabilities Found
         if: failure()
         run: |
