👷 [maykinmedia/objects-api#463] Fix trivy rate limiting errors

.github/workflows/ci.yml

@@ -132,6 +132,10 @@ jobs:
           format: 'sarif'
           output: 'trivy-results-docker.sarif'
           ignore-unfixed: true
+        env:
+          # Uses the cache from trivy.yml workflow
+          TRIVY_SKIP_DB_UPDATE: true
+          TRIVY_SKIP_JAVA_DB_UPDATE: true
 
       - name: Upload results to GH Security tab
         uses: github/codeql-action/upload-sarif@v3

.github/workflows/trivy.yml

@@ -0,0 +1,37 @@
+name: Update Trivy Cache
+
+on:
+  workflow_call:  # This allows other workflows to call it
+    inputs:       # Define any inputs if necessary (optional)
+      manual_trigger:
+        required: false
+        type: boolean
+        default: false
+
+jobs:
+  update-trivy-db:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get current date
+        id: date
+        run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
+      - name: Download and extract the vulnerability DB
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
+          oras pull ghcr.io/aquasecurity/trivy-db:2
+          tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
+          rm db.tar.gz
+
+      - name: Download and extract the Java DB
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
+          oras pull ghcr.io/aquasecurity/trivy-java-db:1
+          tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
+          rm javadb.tar.gz
+
+      - name: Cache DBs
+        uses: actions/cache/save@v4
+        with:
+          path: ${{ github.workspace }}/.cache/trivy
+          key: cache-trivy-${{ steps.date.outputs.date }}