
chore(deps): bump zircote/.github/.github/workflows/reusable-trivy.yml from 77a87549a65c6c978a0e87efe0168ed3517f7ca4 to 75667179b994ac4b1f07db4fa0cee8012f3ea115#124

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/zircote/dot-github/dot-github/workflows/reusable-trivy.yml-75667179b994ac4b1f07db4fa0cee8012f3ea115

Conversation

@dependabot dependabot Bot commented on behalf of github Jun 22, 2026

Contributor

Bumps zircote/.github/.github/workflows/reusable-trivy.yml from 77a87549a65c6c978a0e87efe0168ed3517f7ca4 to 75667179b994ac4b1f07db4fa0cee8012f3ea115.

Changelog

Sourced from zircote/.github/.github/workflows/reusable-trivy.yml's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

Added

  • Attested delivery architecture — nine centralized reusable workflows constituted from HMH-ProdOps/.github@8f3b4d41a9aeedb430bd575020170ce0641dbd95 and parameterized for zircote: build-attest.yml, sign-and-attest.yml (SLSA Build L3 signing boundary), verify-attestation.yml (fail-closed gate), promote.yml, promote-prod.yml, sbom-and-scan.yml, dora-emit.yml, pin-check.yml, mirror-images.yml
  • SECURITY.md "Verifying Release Artifacts" section with the full workstation verification command set (gh attestation verify --signer-workflow, cosign verify, SBOM/vuln attestation checks)
  • pin-check CI gate (pin-check-ci.yml): every PR asserts all uses: references in .github/workflows/ and actions/ are pinned to full 40-char SHAs, calling the central pin-check.yml by SHA-pinned cross-repo reference
  • Attested-delivery documentation (docs/, Diátaxis): tutorial (first attested release), how-to guides (onboarding, SHA-pin enforcement, SBOM/vuln scan, DORA metrics, admission enforcement), full workflow reference (inputs/outputs/secrets/permissions, verified against the workflow files), design explanation, and rollout status with acceptance tests; README and CLAUDE.md now present the architecture with links into docs/
  • Stale Health Check workflow (stale-health-check.md): weekly scan for stale issues (>30d), abandoned PRs (>7d), failing CI, and README staleness across all zircote repos (tracker: stlhlt01)
  • Dependency Ecosystem workflow (dependency-ecosystem.md): weekly cross-repo dependency intelligence — Dependabot PR audit, version consistency, coverage gaps, and health scoring (tracker: depeco01)
  • Agent Health Monitor workflow (agent-health-monitor.md): daily meta-monitoring of all gh-aw workflows for consecutive failures, missed schedules, and timeouts (tracker: agenthm01)
  • Generic compile script (scripts/compile-gh-aw.sh): parameterized compile + patch for any gh-aw workflow, replacing hardcoded org-monitor references
  • Three new automation labels: stale-health, dep-ecosystem, agent-health

Fixed

  • Profile README automation silently broken: update-profile-readme.yml pushed directly to the protected main branch, was rejected (GH006), and the retry loop swallowed the failure — runs reported success while the profile went stale since 2026-03. Now opens an auto-merge PR via the GitHub App token and fails loudly
  • README examples called nonexistent workflow inputs (run-tests, run-race-detector, scan-secrets/scan-dependencies on reusable-security, generate-changelog, composite-action cache/version/output-file) — all examples regenerated from the actual workflow_call/action inputs
  • Documentation taught unpinned @main/@v4 action refs contradicting the org SHA-pinning policy — all positive examples in README, skills, agents, and presentation docs now pin to full commit SHAs
  • Broken markdown fence nesting (3-backtick templates containing 3-backtick code blocks) in copilot-tuner, ecosystem-migrator, ai-tuning, ecosystem-migration, presentation-generation, and presentations README — outer fences now use 4 backticks; this also fixes the phantom broken assets/diagram.png image link
  • .github/copilot-instructions.md referenced nonexistent reusable-ci-rust.yml; agents/skills referenced nonexistent scripts/validate-sha-pinning.sh/validate-workflows.sh (replaced with actionlint + pin grep)
  • profile/README.md ccpkg link pointed at renamed zircote/plugin-packaging (now zircote/ccpkg); example presentation author corrected to Robert Allen
  • CONTRIBUTING.md development setup replaced generic boilerplate with this repo's real toolchain (actionlint, compile-gh-aw.sh, pin-check)
  • README links to private template repos now marked private instead of 404ing for visitors; added LICENSE file (MIT) to back the README license claim; ~40 unlabeled code fences given language tags
  • attested-delivery skill brought into skill-doc compliance (Purpose/Triggers/Usage sections, allowed-tools frontmatter, trigger-phrase description); profile-maintainer agent aligned to the shared agent structure
  • dependabot-automerge.yml called the reusable auto-merge workflow at the mutable @main ref; now uses the local-path form (same-commit, exempt from pin-check)
  • attested-delivery skill templates: dora-emit.yml left hmh.dora.* metric names unparameterized (now __org__.dora.*); build-attest.yml/sign-and-attest.yml example image carried a dqo/app path (now ghcr.io/__org__/app)
  • promote-prod.yml and mirror-images.yml regenerated from the generic templates — removes HMH-specific "CCAB" terminology (now "change-record") and repo-specific comments

Changed

  • promote-prod.yml change-record gate reframed to GitHub-native: the gate now requires an open GitHub issue carrying an approval label (default change-approved) whose body records the exact digest being promoted (always asserted), with an optional GitHub Projects v2 Status assertion via project-number/approved-status. Replaces the JIRA inputs (jira-issue-key, jira-digest-field) and JIRA_* secrets with change-issue/change-repo/approval-label/project-number/approved-status and an optional CHANGE_RECORD_TOKEN. Skill template, docs, and references updated to match
  • Addressed Copilot review feedback from #442 that was bypassed: fixed the onboarding guide's verify-job example to match the build-attest path, documented why sbom-and-scan.yml callers must grant packages: write, and removed the accidentally committed docs/presentations/.subcog/audit.log (now gitignored via **/.subcog/)
  • scripts/compile-org-monitor.sh is now a thin wrapper delegating to compile-gh-aw.sh
  • CLAUDE.md updated with workflow table (names, tracker IDs, schedules), generic compile instructions, and compile-all loop command
  • Removed invalid discussions: false frontmatter rule from CLAUDE.md (not a valid gh-aw compiler property)

[0.2.0] - 2025-01-20

Added

  • Organization-wide repository monitor gh-aw workflow (org-monitor.md, tracker: orgmon01)
  • GitHub App integration (zircote-org-monitor) for cross-repo MCP access
  • Compile + patch script for .github repo runtime-import bug workaround (gh-aw#18711)
  • gh-aw workflow conventions documented in CLAUDE.md

Fixed

... (truncated)

Commits
  • 7566717 ci: bump github/gh-aw from 0.79.9 to 0.80.5 (#476)
  • 655cf6f ci: bump zircote/.github/.github/workflows/pin-check.yml from 68927d3c0db9484...
  • 063cd1b ci: bump softprops/action-gh-release from 3.0.0 to 3.0.1 (#473)
  • 0cef7d5 ci: bump golangci/golangci-lint-action from 9.2.0 to 9.2.1 (#472)
  • c6e54d7 ci: bump astral-sh/setup-uv from 8.0.0 to 8.2.0 (#470)
  • e3010b1 docs(profile): update activity highlights (#469)
  • 515a4c7 fix(sign-and-attest): don't push image SBOM as a release asset (#468)
  • 118ec3e feat(reusable-trivy): add ignore-unfixed input for base-image gating (#467)
  • 8c7a1ef chore: add lefthook git hooks (actionlint, merge-markers, pin-check) (#466)
  • 740cb8e docs(security): pin v0.2.0 as the consumer-recommended release (#465)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [zircote/.github/.github/workflows/reusable-trivy.yml](https://github.com/zircote/.github) from 77a87549a65c6c978a0e87efe0168ed3517f7ca4 to 75667179b994ac4b1f07db4fa0cee8012f3ea115.
- [Release notes](https://github.com/zircote/.github/releases)
- [Changelog](https://github.com/zircote/.github/blob/main/CHANGELOG.md)
- [Commits](zircote/.github@77a8754...7566717)

---
updated-dependencies:
- dependency-name: zircote/.github/.github/workflows/reusable-trivy.yml
  dependency-version: 75667179b994ac4b1f07db4fa0cee8012f3ea115
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
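The changelog quoted above describes a pin-check gate that asserts every `uses:` reference in `.github/workflows/` and `actions/` is pinned to a full 40-character commit SHA, with the local-path (same-commit) form exempt. The script below is an added example of that check and is not the zircote/.github project's own `pin-check.yml`; it assumes POSIX `sh` and `awk`, and the workflow file it scans is a constructed sample, not a file from the repository.

```shell
#!/bin/sh
# Added example, not the zircote/.github project's own pin-check.yml. It implements the
# gate the changelog describes: every `uses:` reference in a workflow file must be pinned
# to a full 40-character commit SHA. Local-path references (./...) are exempt, as the
# changelog says for the same-commit form, and docker:// image refs are out of scope.

# unpinned_refs FILE
#   Prints "LINE: REF" for every `uses:` reference whose @ref is not a 40-hex-char SHA.
unpinned_refs() {
  awk '
    /^[[:space:]]*-?[[:space:]]*uses:/ {
      ref = $0
      sub(/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*/, "", ref)  # keep only the value
      sub(/[[:space:]]*#.*$/, "", ref)                               # drop trailing comment
      gsub(/["'"'"']/, "", ref)                                       # drop YAML quotes
      if (ref ~ /^\.\//) next              # local path: same commit, exempt
      if (ref ~ /^docker:\/\//) next       # container image, not an action ref
      n = split(ref, parts, "@")
      sha = (n >= 2) ? parts[n] : ""
      # POSIX awk has no {40} interval, so check length and alphabet separately
      if (length(sha) != 40 || sha !~ /^[0-9a-f]+$/) print NR ": " ref
    }' "$1"
}

# check_pins FILE
#   Exit 0 when every reference is pinned, otherwise print the offenders and exit 1,
#   so it can serve as a CI gate or a git hook.
check_pins() {
  offenders=$(unpinned_refs "$1")
  if [ -n "$offenders" ]; then
    printf '%s\n' "$offenders"
    return 1
  fi
  return 0
}

# Constructed sample workflow (not a real file from the repository).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
name: ci
on: [pull_request]
jobs:
  trivy:
    uses: zircote/.github/.github/workflows/reusable-trivy.yml@75667179b994ac4b1f07db4fa0cee8012f3ea115
  automerge:
    uses: ./.github/workflows/auto-merge.yml   # local-path form, exempt
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4               # mutable tag
      - uses: "actions/setup-go@main"           # mutable branch
EOF

if check_pins "$SAMPLE"; then
  echo "all uses: references are SHA-pinned"
else
  echo "unpinned references found (see above)"
fi
rm -f "$SAMPLE"
```

Run against the sample, the script lists the two mutable references (`actions/checkout@v4` and `actions/setup-go@main`) and exits non-zero, while the SHA-pinned reusable-trivy call and the local-path auto-merge call pass. Wiring `check_pins` over every file under `.github/workflows/` and `actions/` gives the same fail-closed behaviour the changelog describes for the CI gate and the lefthook hook.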

dependabot Bot commented on behalf of github Jun 22, 2026

Contributor Author

Labels

The following labels could not be found: github-actions. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 22, 2026
@dependabot dependabot Bot requested a review from zircote as a code owner June 22, 2026 14:16

dependabot Bot commented on behalf of github Jun 29, 2026

Contributor Author

Superseded by #127.

@dependabot dependabot Bot closed this Jun 29, 2026
@dependabot dependabot Bot deleted the dependabot/github_actions/zircote/dot-github/dot-github/workflows/reusable-trivy.yml-75667179b994ac4b1f07db4fa0cee8012f3ea115 branch June 29, 2026 14:14

Labels

dependencies Pull requests that update a dependency file
