Copilot commented on code in PR #18010:
URL: https://github.com/apache/pinot/pull/18010#discussion_r3003570710
##########
.github/workflows/pinot_vuln_check.yml:
##########
@@ -49,16 +49,24 @@ jobs:
PINOT_SHA: ${{ github.sha }}
run: .github/workflows/scripts/.pinot_vuln_check.sh
+ - name: Install Trivy
+ run: |
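Review bot: the `run: |` opened at the end of this hunk is the whole body of the "Install Trivy" step, yet nothing in the step (as far as shown here) records which Trivy version the workflow installs, so `.pinot_vuln_check.sh` will scan with whatever the upstream apt repository serves on a given day and results will drift between runs. Pin the scanner version in this step (for example by installing an explicit package version and keeping that value in one documented place in the workflow) so a change in findings can be attributed to Pinot's dependencies rather than to a silent scanner upgrade.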
Review Comment:
`apt-get install` is executed before any `apt-get update`. On GitHub runners
this can intermittently fail due to stale package indexes. Run `sudo apt-get
update` before installing `wget/gnupg/lsb-release` (and you can combine updates
to avoid doing it twice).
```suggestion
run: |
sudo apt-get update
```
##########
.github/workflows/pinot_vuln_check.yml:
##########
@@ -49,16 +49,24 @@ jobs:
PINOT_SHA: ${{ github.sha }}
run: .github/workflows/scripts/.pinot_vuln_check.sh
+ - name: Install Trivy
+ run: |
+ sudo apt-get install -y wget apt-transport-https gnupg lsb-release
+ wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key
| sudo apt-key add -
+ echo "deb https://aquasecurity.github.io/trivy-repo/deb
$(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/trivy.list
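Review bot: the key fetched with `wget -qO - ... | sudo apt-key add -` is added to the global trusted keyring without any fingerprint check, and the `deb ...` entry written to `/etc/apt/sources.list.d/trivy.list` carries no `signed-by=` option, so a package from this repository is accepted if it is signed by any key apt trusts, not only Trivy's. Dearmor the key into a dedicated keyring instead, for example `wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null`, compare its fingerprint against an expected value recorded in the workflow (placeholder: `<EXPECTED_TRIVY_KEY_FINGERPRINT>`, taken from the Trivy documentation) with `gpg --show-keys --fingerprint`, and scope the repository entry to that keyring: `deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main`. This also removes the dependency on the deprecated `apt-key` tool.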
Review Comment:
The Trivy install step uses `apt-key`, which is deprecated on modern Ubuntu
and may break as runners upgrade. Prefer importing the key into a dedicated
keyring and referencing it via `signed-by=` in the repo entry (instead of
trusting the key globally).
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]