chore(ci): refresh tool versions and improve trivy logs

Update manifest tool/runtime versions and improve Trivy diagnostics by storing
report output and printing a readable vulnerability summary on failure.

Made-with: Cursor

Author: miragecentury

CHANGELOG.md

@@ -14,6 +14,8 @@
 ### Changed
 
 * **security:** add CVE-2026-24051 to .trivyignore (OpenTelemetry SDK in containerd, trivy, argo)
+* **deps:** upgrade runner and bundled tool versions in `manifest.yaml` (runner 2.333.1, argo 4.0.4, kargo 1.9.6, pack 0.40.2, dive 0.13.1, hadolint 2.14.0, yq 4.53.2)
+* **ci(trivy):** write JSON report to `build/trivy-report.json` and print a human-readable vulnerability summary when scans fail
 
 ### Fixed
 

manifest.yaml

@@ -6,12 +6,12 @@ build:
   format: oci
   args:
     - RUNNER_VERSION=2.333.1
-    - ARGO_VERSION=3.6.4
-    - KARGO_VERSION=1.9.2
-    - PACK_VERSION=0.36.4
-    - DIVE_VERSION=0.12.0
-    - HADOLINT_VERSION=2.12.0
-    - YQ_VERSION=4.45.4
+    - ARGO_VERSION=4.0.4
+    - KARGO_VERSION=1.9.6
+    - PACK_VERSION=0.40.2
+    - DIVE_VERSION=0.13.1
+    - HADOLINT_VERSION=2.14.0
+    - YQ_VERSION=4.53.2
   labels:
     - org.opencontainers.image.source=https://github.com/deerhide/python-github-runner
     - org.opencontainers.image.description="Python GitHub Runner"

scripts/builder.sh

@@ -280,10 +280,14 @@ dive_scan() {
 trivy_scan () {
 
     local trivy_scan_exec
+    local trivy_scan_summary
     local trivy_scan_exit_code
+    local trivy_report_file
 
     log_info "Running trivy scan on ${IMAGE_NAME}:${IMAGE_TAG}"
     log_trace "$(trivy --version)"
+    trivy_report_file="${BUILD_DIR}/trivy-report.json"
+    log_info "Writing trivy report to ${trivy_report_file}"
 
     set +e
     trivy_scan_exec=$(\
@@ -297,22 +301,44 @@ trivy_scan () {
             --ignorefile .trivyignore \
             --input ${BUILD_DIR}/${IMAGE_NAME}-${IMAGE_TAG}.tar \
             --format github \
+            --output "${trivy_report_file}" \
             --severity HIGH,CRITICAL \
             --exit-code 2 \
             ${IMAGE_NAME}:${IMAGE_TAG} \
             2>&1
     )
+
+    # Generate a compact human-readable summary for logs.
+    # Keep this non-blocking so report generation/failure semantics stay unchanged.
+    trivy_scan_summary=$(\
+            trivy image \
+            --scanners vuln \
+            --ignore-unfixed \
+            --pkg-types library \
+            --skip-dirs /home/runner/externals \
+            --skip-dirs /usr/local/lib/docker \
+            --skip-files /usr/bin/dockerd \
+            --ignorefile .trivyignore \
+            --input ${BUILD_DIR}/${IMAGE_NAME}-${IMAGE_TAG}.tar \
+            --severity HIGH,CRITICAL \
+            --exit-code 0 \
+            ${IMAGE_NAME}:${IMAGE_TAG} \
+            2>&1
+    )
     # Detect exit code
     trivy_scan_exit_code=$?
     set -e
     if [[ $trivy_scan_exit_code -eq 2 ]]; then
         echo -e "${WHITE_GRAY}${trivy_scan_exec}${NC}"
+        echo -e "${WHITE_GRAY}${trivy_scan_summary}${NC}"
         log_error "Trivy scan failed"
         exit 1
     elif [[ $trivy_scan_exit_code -eq 1 ]]; then
         echo -e "${WHITE_GRAY}${trivy_scan_exec}${NC}"
+        echo -e "${WHITE_GRAY}${trivy_scan_summary}${NC}"
         log_error "Trivy scan error"
     else
+        log_success "Trivy report generated at ${trivy_report_file}"
         log_success "Trivy scan passed"
     fi
 }