From e5692c0baeca4e8abba657b970fcd4bb21d53996 Mon Sep 17 00:00:00 2001
From: Cursor Agent
Date: Fri, 13 Feb 2026 16:23:17 +0000
Subject: [PATCH] fix: pin aquasecurity/trivy-action to commit hash (v0.34.0)

- Pin trivy-action to commit hash c1824fd6edce30d7ab345a9989de00bbd46ef284
- Resolves CodeQL warnings about unpinned 3rd party actions
- Applied to both PHP and nginx image scanning steps

Co-authored-by: Manuel H.
---
 .github/workflows/container-build.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/container-build.yml b/.github/workflows/container-build.yml
index f89556f..46b6de9 100644
--- a/.github/workflows/container-build.yml
+++ b/.github/workflows/container-build.yml
@@ -97,7 +97,7 @@ jobs:
 - name: Trivy scan (php image)
 if: github.event_name != 'pull_request'
- uses: aquasecurity/trivy-action@0.33.1
+ uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # v0.34.0
 with:
 image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_PHP }}@${{ steps.build_php.outputs.digest }}
 format: table
@@ -108,7 +108,7 @@ jobs:
 - name: Trivy scan (nginx image)
 if: github.event_name != 'pull_request'
- uses: aquasecurity/trivy-action@0.33.1
+ uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # v0.34.0
 with:
 image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NGINX }}@${{ steps.build_nginx.outputs.digest }}
 format: table
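Review bot: Both `uses:` lines now depend on the claim that `c1824fd6edce30d7ab345a9989de00bbd46ef284` is the v0.34.0 release commit of aquasecurity/trivy-action, and nothing in the patch lets a reader confirm that; the trailing `# v0.34.0` is only a label. Before merging, the SHA should be checked against the upstream tag in the action's own repository, since GitHub will also resolve a full-length SHA that exists only in a fork. The change is also a version move from 0.33.1, not just a pin, and because both steps carry `if: github.event_name != 'pull_request'` a pull-request run will not exercise the new action version, so the first real scan with it presumably happens after merge. I would add a comment above the first pinned line such as `# SHA-pinned; confirm the commit belongs to the upstream tag before changing, and keep both scan steps on the same ref`. Both step definitions continue past the end of their hunks.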