chore: update Trivy version handling and add .trivyversion file

adilhusain-s · adilhusain-s · commit c45f93f5595a · 2026-04-28T19:35:37.000+05:30
Signed-off-by: Adilhusain Shaikh &lt;Adilhusain.Shaikh@ibm.com&gt;
diff --git a/.github/release/python-tag-filter.txt b/.github/release/python-tag-filter.txt
@@ -0,0 +1,24 @@
+# Release filter configuration for release-matching-python-tags workflow
+# Format: YAML with version and release_types
+
+# Example 1: Only stable releases of 3.14
+# version: 3.14.*
+# release_types: [stable]
+
+# Example 2: Multiple versions with different release types
+# - version: 3.14.*
+#   release_types: [stable, beta]
+# - version: 3.13.*
+#   release_types: [stable]
+
+# Example 3: All release types (using YAML array syntax)
+# version: 3.14.*
+# release_types:
+#   - stable
+#   - beta
+#   - rc
+#   - alpha
+
+# Current configuration:
+version: 3.15.*
+release_types: [alpha, beta]
diff --git a/.trivyversion b/.trivyversion
@@ -0,0 +1 @@
+v0.70.0
diff --git a/Makefile b/Makefile
@@ -17,11 +17,12 @@ endif
 
 # Versioning
 PYTHON_VERSION          ?= 3.13.3
-ACTIONS_PYTHON_VERSIONS ?= 3.15.0-alpha.5-21016111327
+ACTIONS_PYTHON_VERSIONS ?= 3.13.3-14344076652
 POWERSHELL_VERSION      ?= v7.5.2
 POWERSHELL_NATIVE_VERSION ?= v7.4.0
 UBUNTU_VERSION          ?= 24.04
-TRIVY_VERSION           ?= v0.70.0
+TRIVY_VERSION_FILE      ?= .trivyversion
+TRIVY_VERSION           ?= $(strip $(shell if [ -f "$(TRIVY_VERSION_FILE)" ]; then cat "$(TRIVY_VERSION_FILE)"; else echo v0.70.0; fi))
 
 # Security Gates (0 = Log Only, 1 = Fail Build)
 FAIL_ON_CRITICAL        ?= 1
@@ -139,7 +140,7 @@ verify-gate:
 verify-trivy-version:
 	@echo "--- Verifying Trivy release $(TRIVY_VERSION) ---"
 	@curl -fsSL "https://api.github.com/repos/aquasecurity/trivy/releases/tags/$(TRIVY_VERSION)" >/dev/null || \
-		(echo "ERROR: Trivy release $(TRIVY_VERSION) not found. Set a valid TRIVY_VERSION (e.g. v0.69.2)." && exit 1)
+		(echo "ERROR: Trivy release $(TRIVY_VERSION) not found. Set a valid TRIVY_VERSION (or update .trivyversion, e.g. v0.70.0)." && exit 1)
 
 verify-trivy-checksums:
 	@echo "--- Verifying pinned Trivy checksums for $(TRIVY_VERSION) ---"
diff --git a/python-versions/Dockerfile b/python-versions/Dockerfile
@@ -4,7 +4,7 @@ ARG BASE_IMAGE=powershell:ubuntu-${UBUNTU_VERSION}
 ARG TARGETARCH
 ARG PYTHON_VERSION=3.13.3
 ARG ACTIONS_PYTHON_VERSIONS=3.13.3-14344076652
-ARG TRIVY_VERSION=v0.70.0
+ARG TRIVY_VERSION=v0.70.0  # default should match .trivyversion in repo root
 
 # ================= BUILDER STAGE =====================
 FROM ${BASE_IMAGE} AS builder
