diff --git a/.github/workflows/reusable-trivy.yml b/.github/workflows/reusable-trivy.yml
index c654c0a..3423ff4 100644
--- a/.github/workflows/reusable-trivy.yml
+++ b/.github/workflows/reusable-trivy.yml
@@ -158,6 +158,20 @@ jobs:
 actions: read
 packages: read
 steps:
+ # image-ref is a ghcr.io reference by digest (see the usage comment at
+ # the top of this file). `permissions: packages: read` alone does not
+ # authenticate the docker/trivy pull for a private package - confirmed
+ # by a real failure (unauthorized pulling a same-run-pushed private
+ # GHCR image) before this step existed. Every caller of this reusable
+ # publishes to ghcr.io, so logging in here (not conditionally, not
+ # registry-parsed from image-ref) covers every real usage.
+ - name: Log in to GHCR for the image pull
+ uses: docker/login-action@c99871dec2022cc055c062a10cc1a1310835ceb4 # v4.3.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
 - name: Trivy image vulnerability scan
 uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
 with:
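Review bot: The precondition the new comment relies on - that image-ref is always a ghcr.io reference by digest - is stated but never checked, so a caller that passes a tag or another registry still runs the unconditional GHCR login and then fails later inside the Trivy pull with an unauthorized or not-found error that points nowhere near the real cause. A small fail-fast step before the login turns the documented assumption into an enforced one, and passing the value through `env:` rather than interpolating `${{ }}` into the script keeps an untrusted input out of the shell text; the input name is inferred from the comment, so confirm it against the workflow_call inputs. The comment would also be more complete if it recorded that the stored credential is short-lived: docker/login-action's `logout` input defaults to true, so the post-step removes the registry credential from the runner at the end of the job, e.g. `# login-action logs out in its post step (logout defaults to true), so the credential does not outlive this job`. The job's `permissions:` block begins before the hunk and the Trivy step's `with:` block continues after it.
```yaml
      - name: Require a ghcr.io image-ref by digest (the login below only covers GHCR)
        env:
          IMAGE_REF: ${{ inputs.image-ref }}  # input name inferred from the comment - confirm
        run: |
          case "$IMAGE_REF" in
            ghcr.io/*@sha256:*) ;;
            *) echo "image-ref must be a ghcr.io reference by digest, got: $IMAGE_REF" >&2; exit 1 ;;
          esac
      # … unchanged: GHCR login step and Trivy image vulnerability scan step …
```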