From 30e577d911d9dbcf6677b4c27109bd0a6863149e Mon Sep 17 00:00:00 2001
From: abdul-abdi
Date: Tue, 24 Mar 2026 00:01:01 +0300
Subject: [PATCH 1/2] fix: update composite action to remediate Trivy supply chain attack
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The March 19, 2026 Trivy supply chain attack (GHSA-69fq-xp46-6x23) force-pushed 75 of 76 tags in aquasecurity/trivy-action to credential-stealing malware. The composite action at b59fa5c2 uses trivy-action v0.34.1 (compromised). The composite action at fefef12a (March 11 Dependabot bump) uses trivy-action v0.35.0 (SHA 57a97c7e), which is the recommended safe version — protected by GitHub's immutable releases feature. Ref: https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23
---
 .github/workflows/docker-build-push-jfrog.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/docker-build-push-jfrog.yaml b/.github/workflows/docker-build-push-jfrog.yaml
index 5d639cd..79dc38a 100644
--- a/.github/workflows/docker-build-push-jfrog.yaml
+++ b/.github/workflows/docker-build-push-jfrog.yaml
@@ -172,7 +172,7 @@ jobs:
 ${{ inputs.pre_build_script }}
 - name: Build and push
- uses: NethermindEth/github-action-image-build-and-push@b59fa5c2f2416973d34123c7cac63965209ed492
+ uses: NethermindEth/github-action-image-build-and-push@fefef12a2baef6d339fb4b244b4cd45c40146161
 with:
 registry: "artifactory"
 image_name: ${{ steps.env-vars.outputs.IMAGE_NAME }}

From a77aa143d274ce47ac65d37b28a49f80d3b47860 Mon Sep 17 00:00:00 2001
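Review bot: The new `uses:` line in the "Build and push" step pins `NethermindEth/github-action-image-build-and-push` to a bare 40-character SHA with no trailing version comment, so a reader of the workflow cannot tell which release the pin corresponds to or why it was chosen; the identical hunk in `docker-build-push-dockerhub.yaml` has the same gap. Suggest `uses: NethermindEth/github-action-image-build-and-push@fefef12a2baef6d339fb4b244b4cd45c40146161  # uses trivy-action v0.35.0 (57a97c7e); GHSA-69fq-xp46-6x23` on both lines so the next Dependabot bump and any audit can check the pin against the advisory. Pinning the outer composite action by SHA only secures the reference this workflow controls: whether trivy-action is itself SHA-pinned inside that composite action is not visible in the hunk, and the commit message's claim about 57a97c7e should be confirmed in that repository before treating the remediation as complete. Since the commit message describes the compromised tags as credential-stealing, credentials used by any run that executed the previous ref after March 19 should be treated as exposed and rotated, which this change does not address. The enclosing job and its other steps start outside the hunk.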
From: abdul-abdi
Date: Tue, 24 Mar 2026 13:26:36 +0300
Subject: [PATCH 2/2] fix: also update composite action ref in dockerhub workflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Same broken SHA — applies the same trivy-action v0.35.0 remediation to the DockerHub build workflow.
---
 .github/workflows/docker-build-push-dockerhub.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/docker-build-push-dockerhub.yaml b/.github/workflows/docker-build-push-dockerhub.yaml
index 39c8b5f..74c1f10 100644
--- a/.github/workflows/docker-build-push-dockerhub.yaml
+++ b/.github/workflows/docker-build-push-dockerhub.yaml
@@ -143,7 +143,7 @@ jobs:
 ${{ inputs.pre_build_script }}
 - name: Build and push
- uses: NethermindEth/github-action-image-build-and-push@b59fa5c2f2416973d34123c7cac63965209ed492
+ uses: NethermindEth/github-action-image-build-and-push@fefef12a2baef6d339fb4b244b4cd45c40146161
 with:
 registry: "dockerhub"
 image_name: ${{ inputs.repo_name }}/${{ inputs.image_name }}