From acd077cc362338d1646f0a8f750d87f76933431e Mon Sep 17 00:00:00 2001
From: Claude
Date: Thu, 19 Feb 2026 20:45:30 +0000
Subject: [PATCH] fix(ci): use oci-archive format for trivy scan and cache vulndb

The image was built and saved as an OCI archive (via buildah push oci-archive:...) but trivy was invoked with --input which only accepts Docker-format tars. Switch to the oci-archive: image reference so trivy correctly parses the OCI layout. Also add a GitHub Actions cache step for ~/.cache/trivy so the 85 MiB vulnerability DB is not re-downloaded on every release run.

https://claude.ai/code/session_01FovhL9GqcEehmbUDtPyt5Z
---
 .github/workflows/release.yaml | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 6bd08f5..8e267f2 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -101,14 +101,22 @@ jobs:
           IMAGE_NAME: ${{ steps.manifest.outputs.image_name }}
         run: dive --ci --source=docker "${IMAGE_NAME}:${IMAGE_VERSION}"
 
+      - name: Cache Trivy vulnerability DB
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/trivy
+          key: trivy-db-${{ runner.os }}-${{ github.run_id }}
+          restore-keys: |
+            trivy-db-${{ runner.os }}-
+
       - name: Trivy vulnerability scan
         env:
           IMAGE_NAME: ${{ steps.manifest.outputs.image_name }}
         run: |
           trivy image \
-            --input "build/${IMAGE_NAME}.tar" \
             --severity HIGH,CRITICAL \
-            --exit-code 1
+            --exit-code 1 \
+            "oci-archive:build/${IMAGE_NAME}.tar"
 
       - name: Login to GHCR
         env:
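Review bot: The cache step's `path: ~/.cache/trivy` captures the whole Trivy cache directory, not just the vulnerability DB, while the key `trivy-db-${{ runner.os }}-${{ github.run_id }}` is unique per run, so every release run misses the exact key, restores via the prefix and then saves a brand-new entry — including, as far as I know, the per-image layer analysis cache Trivy keeps under the same directory, which grows the saved entries with each image scanned. Narrowing the path to the DB itself, `path: ~/.cache/trivy/db`, keeps the entries to the 85 MiB the commit message is targeting; the per-run key is otherwise a reasonable rolling-cache pattern given that actions/cache never overwrites an existing key. The restored DB should not pin the scan to stale data, since Trivy (to my understanding) re-downloads once the DB's own next-update timestamp has passed, but it is worth a comment above the step such as `# Restored DB is used as-is; Trivy refreshes it itself when its metadata says it is stale` so nobody later assumes the cache must be busted manually. Since the scan is a release gate (`--exit-code 1`), also keep in mind that whatever can write caches restorable by the release ref (default-branch caches) now feeds the scanner's input without an integrity check. The enclosing job and `steps:` list begin outside the hunk.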