fix(ci): use ghcr.io for Trivy DB instead of mirror.gcr.io (#509)

Serph91P · web-flow · commit cc3564d4e637 · 2026-03-15T13:14:19.000+01:00
mirror.gcr.io returns 404 when downloading the Trivy vulnerability DB,
causing CI scans to fail with:
  FATAL: failed to download artifact from mirror.gcr.io/aquasec/trivy-db:2

Set TRIVY_DB_REPOSITORY and TRIVY_JAVA_DB_REPOSITORY env vars to use
the official ghcr.io registry (ghcr.io/aquasecurity/trivy-db:2) in all
workflows: security-scan.yml, release.yml, test.yml.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -171,6 +171,9 @@ jobs:
           docker run -d --name streamvault-test \
             -p 7000:7000 \
             -e DATABASE_URL=sqlite:///./test.db \
+            -e TWITCH_APP_ID=ci_test_placeholder \
+            -e TWITCH_APP_SECRET=ci_test_placeholder \
+            -e BASE_URL=http://localhost:7000 \
             streamvault:test
 
           # Wait for container to be healthy with retries
