From b2a82729bee072d354f09f1d2a8e00d1a889c7b0 Mon Sep 17 00:00:00 2001
From: Lari Hotari
Date: Wed, 2 Apr 2025 22:04:22 +0800
Subject: [PATCH 1/3] Pin aquasecuriy/setup-trivy to hash instead of tag
Fixes #423
---
 action.yaml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/action.yaml b/action.yaml
index 24775a9..331665e 100644
--- a/action.yaml
+++ b/action.yaml
@@ -122,7 +122,11 @@ runs:
 steps:
 - name: Install Trivy
 if: ${{ inputs.skip-setup-trivy == 'false' }}
- uses: aquasecurity/setup-trivy@v0.2.2
+ # Pin to hash instead of tag for aquasecurity/setup-trivy action so that GitHub Actions
+ # "allowing select actions" feature can be used to whitelist the dependent action by a hash.
+ # This is needed since some organizations have a policy to only allow pinned 3rd party actions to
+ # be used.
+ uses: aquasecurity/setup-trivy@ff1b8b060f23b650436d419b5e13f67f5d4c3087
 with:
 version: ${{ inputs.version }}
 cache: ${{ inputs.cache }}
From 28f4580241b37cff01ef4f8027236244d1272709 Mon Sep 17 00:00:00 2001
From: Lari Hotari
Date: Mon, 7 Apr 2025 09:45:43 +0300
Subject: [PATCH 2/3] Address review comment
---
 action.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/action.yaml b/action.yaml
index 331665e..2c4d02b 100644
--- a/action.yaml
+++ b/action.yaml
@@ -126,6 +126,7 @@ runs:
 # "allowing select actions" feature can be used to whitelist the dependent action by a hash.
 # This is needed since some organizations have a policy to only allow pinned 3rd party actions to
 # be used.
+ # ff1b8b060f23b650436d419b5e13f67f5d4c3087 is equal to v0.2.2
 uses: aquasecurity/setup-trivy@ff1b8b060f23b650436d419b5e13f67f5d4c3087
 with:
 version: ${{ inputs.version }}
From 0ca7acf6e9f8a10de53e22aafa8102ba0e3838e2 Mon Sep 17 00:00:00 2001
From: Lari Hotari
Date: Mon, 7 Apr 2025 09:58:35 +0300
Subject: [PATCH 3/3] Revisit previous change based on feedback
---
 action.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
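Review bot: Pinning `aquasecurity/setup-trivy` to a commit SHA fixes which wrapper code runs, but not which Trivy binary it installs: the `version: ${{ inputs.version }}` context line in this hunk still hands the release choice to a runtime input whose default is defined outside the hunk, so a consumer who allow-lists this action by hash presumably still gets whatever Trivy version that input resolves to unless they pass an explicit `version`. That limitation belongs in the new comment block, e.g. `# Note: this pins the setup action only; the Trivy release it installs is still selected by the version input.` I have not verified that `ff1b8b06…3087` is the commit behind `v0.2.2`; a reviewer can check it with `git ls-remote --tags https://github.com/aquasecurity/setup-trivy v0.2.2` (use the peeled `^{}` entry if the tag is annotated) before merging, since a comment asserting equivalence is not a verification. The enclosing `runs.steps` list continues beyond this hunk.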
diff --git a/action.yaml b/action.yaml
index 2c4d02b..e1705ce 100644
--- a/action.yaml
+++ b/action.yaml
@@ -126,8 +126,7 @@ runs:
 # "allowing select actions" feature can be used to whitelist the dependent action by a hash.
 # This is needed since some organizations have a policy to only allow pinned 3rd party actions to
 # be used.
- # ff1b8b060f23b650436d419b5e13f67f5d4c3087 is equal to v0.2.2
- uses: aquasecurity/setup-trivy@ff1b8b060f23b650436d419b5e13f67f5d4c3087
+ uses: aquasecurity/setup-trivy@ff1b8b060f23b650436d419b5e13f67f5d4c3087 # equivalent to `v0.2.2`
 with:
 version: ${{ inputs.version }}
 cache: ${{ inputs.cache }}
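Review bot: The trailing comment on the new `uses:` line is the only thing tying the opaque hash to a human-readable version, and nothing keeps it honest once the hash is bumped. To my knowledge Dependabot and Renovate rewrite the version comment together with the SHA only when it is in the bare form they recognise, `# v0.2.2` directly after the hash; the prose form with backticks is likely to be left untouched, so after the next automated update the comment would silently claim the wrong version, which defeats the purpose of recording it. I would write the line as `uses: aquasecurity/setup-trivy@ff1b8b060f23b650436d419b5e13f67f5d4c3087 # v0.2.2` and keep the longer rationale in the comment block above it. If the project does not use such tooling, a short note in that block saying the version comment must be updated by hand whenever the hash changes would at least make the maintenance obligation explicit.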