
Update Trivy vulnerability scanner version to v0.35.0 in central-pubish.yml and publish-release.yml workflows#2

Merged
madushajg merged 2 commits into wso2:main from madushajg:main
Mar 24, 2026

Conversation


@madushajg madushajg commented Mar 13, 2026

$title

Summary by CodeRabbit

  • Chores
    • Upgraded the vulnerability scanner used in CI workflows to a newer version.
    • Updated CI authentication in build and publish workflows to use the repository actor and token instead of previous automation credentials.


coderabbitai Bot commented Mar 13, 2026

Walkthrough

Updated multiple GitHub Actions workflows: bumped Trivy action from v0.34.2 to v0.35.0 in two workflows and changed packaging authentication env vars to use github.actor and secrets.GITHUB_TOKEN in two build/pull-request workflows. No other workflow logic was modified.

Changes

Cohort / File(s) | Summary

  • Trivy Action Version Upgrades (.github/workflows/central-publish.yml, .github/workflows/publish-release.yml)
    Updated Trivy action version from v0.34.2 to v0.35.0. No other step changes.
  • Packaging / Auth Environment Updates (.github/workflows/build-with-bal-test-graalvm.yml, .github/workflows/pull-request.yml)
    Replaced secrets.BALLERINA_BOT_USERNAME with ${{ github.actor }} and secrets.BALLERINA_BOT_TOKEN with ${{ secrets.GITHUB_TOKEN }} for packageUser and packagePAT respectively in Ubuntu and Windows jobs. No other logic changes.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped through workflows, tidy and bright,
Bumped Trivy's shoes and fixed auth by night,
Tokens now kinder, actor in place,
A carrot of CI with a cleaner trace 🥕

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

  • Title check: ⚠️ Warning. Explanation: The title describes updating Trivy scanner versions in two workflow files, but the actual changeset includes additional unmentioned modifications to authentication variables in two other workflow files. Resolution: Revise the title to accurately reflect all changes, such as 'Update Trivy scanner version and authentication credentials in GitHub Actions workflows' or split into separate PRs.
  • Description check: ⚠️ Warning. Explanation: The PR description is entirely empty except for the title variable; none of the required template sections (Purpose, Goals, Approach, etc.) are filled in. Resolution: Complete the PR description using the repository template by filling in Purpose, Goals, Approach, and other relevant sections to document the changes and their rationale.

✅ Passed checks (1 passed)

  • Docstring Coverage: ✅ Passed. Explanation: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (2)
.github/workflows/central-publish.yml (1)

38-38: Apply the same SHA pinning strategy here.

Line 38 also references Trivy by tag (@v0.35.0). Please pin this action to the exact commit SHA as well, to keep both publish workflows equally hardened.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/central-publish.yml at line 38, the Trivy Action is referenced by tag ("uses: aquasecurity/trivy-action@v0.35.0") which should be pinned to a specific commit SHA; update that line to use the exact commit SHA (e.g. "uses: aquasecurity/trivy-action@<COMMIT_SHA>") instead of the tag, matching the same SHA pinning approach used in the other publish workflow so both workflows are consistently hardened.
.github/workflows/publish-release.yml (1)

38-38: Pin the Trivy action to an immutable commit SHA.

Line 38 currently uses a mutable tag (@v0.35.0). For release workflows, prefer pinning to the exact commit digest to reduce supply-chain risk. Semantic version tags can be retagged or updated by maintainers, making commit SHAs more secure.

To find the correct commit SHA for v0.35.0, run:

git ls-remote --tags https://github.com/aquasecurity/trivy-action v0.35.0

Then update the action reference to use the full commit SHA instead of the version tag.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/publish-release.yml at line 38, replace the mutable tag reference "uses: aquasecurity/trivy-action@v0.35.0" with the action pinned to the exact commit SHA: run git ls-remote --tags https://github.com/aquasecurity/trivy-action v0.35.0 to get the commit digest and update the uses line to "uses: aquasecurity/trivy-action@<COMMIT_SHA>" so the workflow references the immutable commit instead of the semantic tag.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7340d09a-cca8-44c3-88ec-06731ac2b4b1

📥 Commits

Reviewing files that changed from the base of the PR and between e681862 and a380154.

📒 Files selected for processing (2)
  • .github/workflows/central-publish.yml
  • .github/workflows/publish-release.yml
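The pinning the review asks for, shown as an added example that is not part of this PR, of the wso2 repository, or of CodeRabbit's tooling: a small POSIX shell script that lists every `uses:` reference in a workflow that still points at a mutable tag or branch, and rewrites a chosen one to a full 40-hex commit SHA while keeping the tag as a trailing comment so the version stays readable. The workflow fragment it operates on is constructed to resemble the publish workflows in this PR, and the all-zero SHA is a placeholder, not the real digest; the real value comes from the `git ls-remote --tags` command quoted in the review, which is not run here because it needs network access.

```shell
#!/bin/sh
# Added example, not code from the wso2 repository or from CodeRabbit.
# Audits a GitHub Actions workflow for `uses:` lines that reference a remote
# action by a mutable tag/branch, and pins a chosen one to a full commit SHA.
#
# CONSTRUCTED placeholder (40 zeros), not the real trivy-action digest.
# Obtain the real one with the command the review quotes:
#   git ls-remote --tags https://github.com/aquasecurity/trivy-action v0.35.0
PLACEHOLDER_SHA=0000000000000000000000000000000000000000

# Write a constructed workflow fragment, shaped like the PR's publish
# workflows, to the path given as $1.
make_sample_workflow() {
  cat > "$1" <<'EOF'
name: Publish
on: [workflow_dispatch]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@v0.35.0
        with:
          scan-type: 'fs'
      - uses: ./.github/actions/local-step
EOF
}

# Print (with line numbers) every `uses: owner/repo@ref` whose ref is not a
# 40-hex-digit commit SHA. Local actions (./path) carry no '@' and are skipped.
find_unpinned() {
  grep -nE '^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*[A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+@' "$1" \
    | grep -vE '@[0-9a-f]{40}([[:space:]]|$)' || true
}

# pin_action FILE OWNER/REPO TAG SHA
# Rewrites "uses: OWNER/REPO@TAG" to "uses: OWNER/REPO@SHA # TAG" so the
# reference is immutable but the human-readable version survives as a comment.
pin_action() {
  file=$1; action=$2; tag=$3; sha=$4
  # A short or non-hex value would defeat the purpose of pinning, so refuse it.
  printf '%s\n' "$sha" | grep -qE '^[0-9a-f]{40}$' || {
    echo "pin_action: '$sha' is not a full 40-hex commit SHA" >&2
    return 1
  }
  # Escape regex metacharacters in the reference before handing it to sed.
  esc_ref=$(printf '%s@%s' "$action" "$tag" | sed 's/[.[\*^$]/\\&/g')
  sed "s|\(uses:[[:space:]]*\)$esc_ref\$|\1$action@$sha # $tag|" "$file" > "$file.tmp" \
    && mv "$file.tmp" "$file"
}

# Stand-alone run: show the unpinned references, pin Trivy, show what remains.
if [ "${1:-}" = "--demo" ]; then
  wf=$(mktemp)
  make_sample_workflow "$wf"
  echo "== unpinned before =="; find_unpinned "$wf"
  pin_action "$wf" aquasecurity/trivy-action v0.35.0 "$PLACEHOLDER_SHA"
  echo "== unpinned after =="; find_unpinned "$wf"
  grep -n 'trivy-action' "$wf"
  rm -f "$wf"
fi
```

Run it as `sh pin-actions.sh --demo` to see the before/after listing. The audit function is the part worth keeping in CI: if `find_unpinned` prints anything for the publish workflows, a mutable reference has crept back in. Note that `actions/checkout@v4` is reported too; the review only raised Trivy, but the same argument applies to every third-party action a release workflow runs.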

@madushajg madushajg closed this Mar 20, 2026
@madushajg madushajg reopened this Mar 20, 2026
@madushajg madushajg closed this Mar 24, 2026
@madushajg madushajg reopened this Mar 24, 2026
@madushajg madushajg closed this Mar 24, 2026
@madushajg madushajg reopened this Mar 24, 2026
…age authentication instead of deprecated secrets.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/pull-request.yml:
- Around line 27-33: Replace use of the repository-scoped GITHUB_TOKEN in the "Build the Package" step by wiring a personal access token (PAT) with read:packages scope (e.g., secrets.BALLERINA_BOT_TOKEN) into the packageUser/packagePAT env vars used by the Gradle build; update the same change in the analogous "windows-build" job so both jobs set packageUser and packagePAT from the PAT secret instead of github.actor/GITHUB_TOKEN to allow resolving maven.pkg.github.com/ballerina-platform/* dependencies across organizations.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 80193fcf-facd-4fc9-9974-82fd7d994048

📥 Commits

Reviewing files that changed from the base of the PR and between a380154 and 7a13fe4.

📒 Files selected for processing (2)
  • .github/workflows/build-with-bal-test-graalvm.yml
  • .github/workflows/pull-request.yml

@codecov-commenter

Welcome to Codecov 🎉

Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests.

Thanks for integrating Codecov - We've got you covered ☂️

@madushajg madushajg requested a review from kanushka March 24, 2026 13:59
@madushajg madushajg merged commit b3b48d7 into wso2:main Mar 24, 2026
6 checks passed