From 9f6bc4279012fc93cb6d41f8bc8a68eeb0840ad6 Mon Sep 17 00:00:00 2001
From: Anthony
Date: Fri, 20 Mar 2026 22:18:32 +0100
Subject: [PATCH] fix: update trivy-action to safe SHA (v0.35.0)

Update aquasecurity/trivy-action from untagged commit to v0.35.0 pinned by SHA to mitigate supply chain risk from the March 19 compromise.

Ref: https://github.com/aquasecurity/trivy-action/issues/541
---
 .github/workflows/docker-publish-openclaw.yml | 2 +-
 .github/workflows/docker-publish-x402-verifier.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/docker-publish-openclaw.yml b/.github/workflows/docker-publish-openclaw.yml
index c0967d76..55a774c6 100644
--- a/.github/workflows/docker-publish-openclaw.yml
+++ b/.github/workflows/docker-publish-openclaw.yml
@@ -224,7 +224,7 @@ jobs:
     steps:
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@22438a435773de8c97dc0958cc0b823c45b064ac # master
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
         with:
           image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
           format: 'sarif'
diff --git a/.github/workflows/docker-publish-x402-verifier.yml b/.github/workflows/docker-publish-x402-verifier.yml
index 8b027c76..68e7ea1f 100644
--- a/.github/workflows/docker-publish-x402-verifier.yml
+++ b/.github/workflows/docker-publish-x402-verifier.yml
@@ -97,7 +97,7 @@ jobs:
     steps:
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@22438a435773de8c97dc0958cc0b823c45b064ac # master
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
         with:
           image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.build.outputs.digest }}
           format: 'sarif'
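Review bot: The `# v0.35.0` trailer on the new `uses:` line is only a comment, so nothing in the workflow establishes that `57a97c7e7821a5776cebc9bb87c984fa69cba8f1` is really the commit behind the v0.35.0 tag; since the commit message cites a compromise of the upstream repository, the SHA should be cross-checked against the maintainers' published release or advisory (not just the tag as it currently resolves), and the source of that verification recorded in the PR so the next bump can be audited. Pinning the action's own commit also does not by itself fix what the step executes: trivy-action is a composite that fetches the Trivy binary at job time (and, in recent versions, appears to delegate to a setup-trivy action referenced by tag — confirm for this commit), so if this is meant as the hardened baseline, also set an explicit Trivy release via the action's `version:` input under `with:`. Both hunks (docker-publish-openclaw.yml and docker-publish-x402-verifier.yml) make the identical change, so a short comment above the step in each file, e.g. `# Pinned by full SHA after the 2026-03-19 trivy-action compromise; verify the SHA against the upstream release before bumping`, would stop a later edit from silently re-floating it to a branch ref.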