Add Trivy scanning to main workflow

.gitea/workflows/homelab-main.yml

@@ -68,6 +68,57 @@ jobs:
 
           "${gitleaks_bin}" git --redact=100 --verbose --exit-code 1 .
 
+      - name: Scan for vulnerabilities and misconfigurations with Trivy
+        run: |
+          set -euo pipefail
+
+          trivy_version="0.70.0"
+          case "$(uname -m)" in
+            x86_64|amd64)
+              trivy_platform="Linux-64bit"
+              trivy_sha256="8b4376d5d6befe5c24d503f10ff136d9e0c49f9127a4279fd110b727929a5aa9"
+              ;;
+            aarch64|arm64)
+              trivy_platform="Linux-ARM64"
+              trivy_sha256="2f6bb988b553a1bbac6bdd1ce890f5e412439564e17522b88a4541b4f364fc8d"
+              ;;
+            *)
+              echo "Unsupported runner architecture: $(uname -m)" >&2
+              exit 1
+              ;;
+          esac
+
+          tool_dir="${HOME}/.cache/homelab-tools/trivy/${trivy_version}/${trivy_platform}"
+          trivy_bin="${tool_dir}/trivy"
+          installed_version=""
+          if [[ -x "${trivy_bin}" ]]; then
+            installed_version="$("${trivy_bin}" --version | awk '/^Version:/ {print $2; exit}')"
+          fi
+          if [[ "${installed_version}" != "${trivy_version}" ]]; then
+            archive="trivy_${trivy_version}_${trivy_platform}.tar.gz"
+            tmpdir="$(mktemp -d)"
+            trap 'rm -rf "${tmpdir}"' EXIT
+
+            curl -fsSL -o "${tmpdir}/${archive}" \
+              "https://github.com/aquasecurity/trivy/releases/download/v${trivy_version}/${archive}"
+            printf '%s  %s\n' "${trivy_sha256}" "${tmpdir}/${archive}" | sha256sum -c -
+
+            mkdir -p "${tool_dir}"
+            tar -xzf "${tmpdir}/${archive}" -C "${tmpdir}" trivy
+            install -m 0755 "${tmpdir}/trivy" "${trivy_bin}"
+          fi
+
+          trivy_cache="${HOME}/.cache/homelab-tools/trivy/cache"
+          trivy_docker_config="${HOME}/.cache/homelab-tools/trivy/docker-config"
+          mkdir -p "${trivy_cache}" "${trivy_docker_config}"
+          printf '{}\n' > "${trivy_docker_config}/config.json"
+          export DOCKER_CONFIG="${trivy_docker_config}"
+
+          "${trivy_bin}" fs --scanners vuln,misconfig --severity HIGH,CRITICAL \
+            --exit-code 0 --no-progress --cache-dir "${trivy_cache}" .
+          "${trivy_bin}" fs --scanners vuln,misconfig --severity CRITICAL \
+            --exit-code 1 --no-progress --cache-dir "${trivy_cache}" .
+
       - name: Validate shell, Kubernetes manifests, and OpenTofu stacks
         run: |
           set -euo pipefail