Dynamic parameters

.github/ISSUE_TEMPLATE/maintainer.md

@@ -0,0 +1,11 @@
+---
+name: Maintainer
+about: Create an issue by maintainers
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+## Are you a maintainer of the Trivy project?
+If not, please open [a discussion](https://github.com/aquasecurity/trivy/discussions); if you are, please review [the guideline](https://trivy.dev/latest/community/contribute/discussion/).

.github/workflows/publish-chart.yaml

@@ -13,9 +13,6 @@ on:
       - main
     paths:
       - 'helm/trivy/**'
-  push:
-    tags:
-      - "v*"
 env:
   HELM_REP: helm-charts
   GH_OWNER: aquasecurity
@@ -25,7 +22,6 @@ env:
 jobs:
   # `test-chart` job starts if a PR with Helm Chart is created, merged etc.
   test-chart:
-    if: github.event_name != 'push'
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout
@@ -56,35 +52,6 @@ jobs:
           sed -i -e '136s,false,'true',g' ./helm/trivy/values.yaml
           ct lint-and-install --validate-maintainers=false --charts helm/trivy
 
-  # `update-chart-version` job starts if a new tag is pushed
-  update-chart-version:
-    if: github.event_name == 'push'
-    runs-on: ubuntu-24.04
-    steps:
-      - name: Checkout
-        uses: actions/[email protected]
-        with:
-          fetch-depth: 0
-
-      - name: Set up Git user
-        run: |
-          git config --global user.email "[email protected]"
-          git config --global user.name "GitHub Actions"
-
-      - name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version-file: go.mod
-
-      - name: Install Go tools
-        run: go install tool # GOBIN is added to the PATH by the setup-go action  
-
-      - name: Create a PR with Trivy version
-        run: mage helm:updateVersion
-        env:
-          # Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
-          # This allows the created PR to trigger tests and other workflows
-          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
 
   # `publish-chart` job starts if a PR with a new Helm Chart is merged or manually
   publish-chart:

.github/workflows/release.yaml

@@ -55,3 +55,33 @@ jobs:
 
       - name: Create deb repository
         run: ci/deploy-deb.sh
+
+  # `update-chart-version` creates a new PR for updating the helm chart
+  update-chart-version:
+    needs: deploy-packages
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/[email protected]
+        with:
+          fetch-depth: 0
+
+      - name: Set up Git user
+        run: |
+          git config --global user.email "[email protected]"
+          git config --global user.name "GitHub Actions"
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: Install Go tools
+        run: go install tool # GOBIN is added to the PATH by the setup-go action
+
+      - name: Create a PR with Trivy version
+        run: mage helm:updateVersion
+        env:
+          # Use ORG_REPO_TOKEN instead of GITHUB_TOKEN
+          # This allows the created PR to trigger tests and other workflows
+          GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}

.github/workflows/semantic-pr.yaml

@@ -1,22 +1,23 @@
-name: "Lint PR title"
+name: "Validate PR Title"
 
 on:
-  pull_request_target:
+  pull_request:
     types:
       - opened
       - edited
       - synchronize
 
 jobs:
-  main:
+  validate:
     name: Validate PR title
     runs-on: ubuntu-latest
     steps:
-      - uses: amannn/action-semantic-pull-request@v5
+      - name: Validate PR title
+        shell: bash
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          types: |
+          PR_TITLE: ${{ github.event.pull_request.title }}
+          # Valid types
+          VALID_TYPES: |
             feat
             fix
             docs
@@ -29,13 +30,15 @@ jobs:
             chore
             revert
             release
-
-          scopes: |
+          # Valid scopes categorized by area
+          VALID_SCOPES: |
+            # Scanners
             vuln
             misconf
             secret
             license
 
+            # Targets
             image
             fs
             repo
@@ -46,6 +49,7 @@ jobs:
             vm
             plugin
 
+            # OS
             alpine
             wolfi
             chainguard
@@ -62,6 +66,7 @@ jobs:
             distroless
             windows
 
+            # Languages
             ruby
             php
             python
@@ -71,37 +76,88 @@ jobs:
             java
             go
             c
-            c\+\+
+            c++
             elixir
             dart
             swift
             bitnami
             conda
             julia
 
+            # Package types
             os
             lang
 
+            # IaC
             kubernetes
             dockerfile
             terraform
             cloudformation
 
+            # Container
             docker
             podman
             containerd
             oci
 
+            # SBOM
+            sbom
+            spdx
+            cyclonedx
+
+            # Misc
             cli
             flag
-
-            cyclonedx
-            spdx
             purl
             vex
-
             helm
             report
             db
             parser
             deps
+        run: |
+          set -euo pipefail
+
+          # Convert env vars to regex alternatives, excluding comments and empty lines
+          TYPES_REGEX=$(echo "$VALID_TYPES" | grep -v '^$' | paste -sd '|')
+          SCOPES_REGEX=$(echo "$VALID_SCOPES" | grep -v '^$' | grep -v '^#' | paste -sd '|')
+
+          # Basic format check (should match: type(scope): description or type: description)
+          FORMAT_REGEX="^[a-z]+(\([a-z0-9+]+\))?!?: .+$"
+          if ! echo "$PR_TITLE" | grep -qE "$FORMAT_REGEX"; then
+            echo "Error: Invalid PR title format"
+            echo "Expected format: <type>(<scope>): <description> or <type>: <description>"
+            echo "Examples:"
+            echo "  feat(vuln): add new vulnerability detection"
+            echo "  fix: correct parsing logic"
+            echo "  docs(kubernetes): update installation guide"
+            echo -e "\nCurrent title: $PR_TITLE"
+            exit 1
+          fi
+
+          # Extract type and scope for validation
+          TYPE=$(echo "$PR_TITLE" | sed -E 's/^([a-z]+)(\([a-z0-9+]+\))?!?: .+$/\1/')
+          SCOPE=$(echo "$PR_TITLE" | sed -E 's/^[a-z]+\(([a-z0-9+]+)\)!?: .+$/\1/; t; s/.*//')
+
+          # Validate type
+          if ! echo "$VALID_TYPES" | grep -qx "$TYPE"; then
+            echo "Error: Invalid type '${TYPE}'"
+            echo -e "\nValid types:"
+            echo "$VALID_TYPES" | grep -v '^$' | sed 's/^/- /'
+            echo -e "\nCurrent title: $PR_TITLE"
+            exit 1
+          fi
+
+          # Validate scope if present
+          if [ -n "$SCOPE" ]; then
+            if ! echo "$VALID_SCOPES" | grep -v '^#' | grep -qx "$SCOPE"; then
+              echo "Error: Invalid scope '${SCOPE}'"
+              echo -e "\nValid scopes:"
+              echo "$VALID_SCOPES" | grep -v '^$' | grep -v '^#' | sed 's/^/- /'
+              echo -e "\nCurrent title: $PR_TITLE"
+              exit 1
+            fi
+          fi
+
+          echo "PR title validation passed ✅"
+          echo "Current title: $PR_TITLE"

.github/workflows/spdx-cron.yaml

@@ -29,10 +29,7 @@ jobs:
           fi        
 
       - name: Microsoft Teams Notification
-        ## Until the PR with the fix for the AdaptivCard version is merged yet
-        ## https://github.com/Skitionek/notify-microsoft-teams/pull/96
-        ## Use the aquasecurity fork
-        uses: aquasecurity/notify-microsoft-teams@master
+        uses: Skitionek/notify-microsoft-teams@e7a2493ac87dad8aa7a62f079f295e54ff511d88
         if: failure()
         with:
           webhook_url: ${{ secrets.TRIVY_MSTEAMS_WEBHOOK }}

.github/workflows/test.yaml

@@ -38,10 +38,10 @@ jobs:
 
       - name: Lint
         id: lint
-        uses: golangci/golangci-lint-action@v6.5.0
+        uses: golangci/golangci-lint-action@v7.0.0
         with:
-          version: v1.64
-          args: --verbose --out-format=line-number
+          version: v2.1
+          args: --verbose
         if: matrix.operating-system == 'ubuntu-latest'
 
       - name: Check if linter failed