From c017ec6941a833b60ea8f866a1c87c0b81db512d Mon Sep 17 00:00:00 2001
From: ilia
Date: Mon, 15 Dec 2025 15:50:04 -0500
Subject: [PATCH] Fix: Update CI workflow to install a fixed version of Trivy for improved reliability and error handling during installation
---
.gitea/workflows/ci.yml | 49 +++++++++++++++++++++++++++++------------
1 file changed, 35 insertions(+), 14 deletions(-)
diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index afdb1a2..a154233 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -242,22 +242,43 @@ jobs: - name: Install Trivy run: | + set -e apt-get update && apt-get install -y wget curl tar - # Try multiple download methods for reliability - echo "Downloading Trivy..." - if wget -q "https://github.com/aquasecurity/trivy/releases/latest/download/trivy_linux_amd64.tar.gz" -O /tmp/trivy.tar.gz 2>&1; then - echo "Downloaded tar.gz, extracting..." - tar -xzf /tmp/trivy.tar.gz -C /tmp/ trivy - mv /tmp/trivy /usr/local/bin/trivy - elif wget -q "https://github.com/aquasecurity/trivy/releases/latest/download/trivy_linux_amd64" -O /usr/local/bin/trivy 2>&1; then - echo "Downloaded binary directly" - else - echo "Failed to download Trivy, trying with version detection..." - TRIVY_VERSION=$(curl -s https://api.github.com/repos/aquasecurity/trivy/releases/latest | grep tag_name | cut -d '"' -f 4 | sed 's/v//') - wget -q "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" -O /tmp/trivy.tar.gz - tar -xzf /tmp/trivy.tar.gz -C /tmp/ trivy - mv /tmp/trivy /usr/local/bin/trivy + + # Use a fixed, known-good Trivy version to avoid URL/redirect issues + TRIVY_VERSION="0.58.2" + TRIVY_URL="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" + + echo "Installing Trivy version: ${TRIVY_VERSION}" + echo "Downloading from: ${TRIVY_URL}" + + if ! wget --progress=bar:force "${TRIVY_URL}" -O /tmp/trivy.tar.gz 2>&1; then + echo "❌ Failed to download Trivy archive" + echo "Checking if file was partially downloaded:" + ls -lh /tmp/trivy.tar.gz 2>/dev/null || echo "No file found" + exit 1 fi + + if [ ! -f /tmp/trivy.tar.gz ] || [ ! -s /tmp/trivy.tar.gz ]; then + echo "❌ Downloaded Trivy archive is missing or empty" + exit 1 + fi + + echo "Download complete. File size: $(du -h /tmp/trivy.tar.gz | cut -f1)" + echo "Extracting Trivy..." + if ! 
tar -xzf /tmp/trivy.tar.gz -C /tmp/ trivy; then + echo "❌ Failed to extract Trivy binary from archive" + tar -tzf /tmp/trivy.tar.gz 2>&1 | head -20 || true + exit 1 + fi + + if [ ! -f /tmp/trivy ]; then + echo "❌ Trivy binary not found after extraction" + ls -la /tmp/ | grep trivy || ls -la /tmp/ | head -20 + exit 1 + fi + + mv /tmp/trivy /usr/local/bin/trivy chmod +x /usr/local/bin/trivy /usr/local/bin/trivy --version trivy --version
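Review bot: The pinned tarball is moved to `/usr/local/bin/trivy` and executed with no integrity check; the new guards after the `wget` call only test that `/tmp/trivy.tar.gz` exists and is non-empty, so a replaced or tampered release asset for v0.58.2 would still be installed and run in the job. Pinning the version fixes the URL but not the content. Commit the expected digest next to `TRIVY_VERSION` and verify it before the `tar -xzf` step, e.g. `TRIVY_SHA256="<sha256 of the pinned tarball>"` followed by `echo "${TRIVY_SHA256}  /tmp/trivy.tar.gz" | sha256sum -c -`, which fails the step under the new `set -e` on a mismatch. The digest can be taken from the checksums file published with the Trivy release and updated whenever the pin is bumped.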