Merge branch 'develop' into ci/trivy-scan

ci(security): scan every push and stabilise the Trivy DB cache key
Drop the push paths filter so secret and misconfig scans cover all file types (YAML, JSON, native, scripts), not just JS/TS. Replace the per-run github.run_id cache key with a weekly per-OS key, so the vulnerability DB is reused within the week instead of writing a fresh immutable cache entry on every run.
2026-06-06 05:58:35 +01:00 · 2026-06-05 14:33:01 +02:00 · 2026-06-05 13:16:13 +02:00 · 2026-06-01 17:31:29 +02:00
1 changed files with 60 additions and 0 deletions
--- a/.github/workflows/trivy-scan.yml
+++ b/.github/workflows/trivy-scan.yml
@@ -0,0 +1,60 @@
 name: 🛡️ Trivy Security Scan
 # Filesystem scan (Streamyfin ships no container image): finds vulnerable dependencies,
 # leaked secrets and misconfigurations, and reports them to GitHub code scanning.
 # Runs post-merge + weekly (not on PRs — dependency-review already gates PRs, and SARIF
 # upload needs a write token that fork PRs don't get).
 on:
  push:
    branches: [develop, master]
  schedule:
    - cron: "50 7 * * 5" # Weekly, Friday 07:50 UTC
  workflow_dispatch:
 permissions:
  contents: read
 concurrency:
  group: trivy-${{ github.ref }}
  cancel-in-progress: true
 jobs:
  trivy:
    name: 🔎 Filesystem scan
    runs-on: ubuntu-24.04
    permissions:
      contents: read
      security-events: write # upload SARIF to code scanning
    steps:
      - name: 📥 Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      # Rotate the DB cache weekly (matches the scheduled scan): cache hits within the week
      # instead of a fresh immutable entry per run, still refreshing the DB every week.
      - name: 🗓️ Compute weekly Trivy cache key
        id: trivy-cache-key
        run: echo "value=trivy-db-${{ runner.os }}-$(date -u +%G-%V)" >> "$GITHUB_OUTPUT"
      - name: 💾 Cache Trivy vulnerability DB
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: ~/.cache/trivy
          key: ${{ steps.trivy-cache-key.outputs.value }}
          restore-keys: trivy-db-${{ runner.os }}-
      - name: 🔎 Run Trivy filesystem scan
        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
        with:
          scan-type: fs
          scan-ref: .
          scanners: vuln,secret,misconfig
          ignore-unfixed: true
          severity: CRITICAL,HIGH
          format: sarif
          output: trivy-results.sarif
      - name: 📤 Upload results to code scanning
        uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
        with:
          sarif_file: trivy-results.sarif
          category: trivy-fs