chore(deps): update https://gitea.t000-n.de/t.behrendt/actions action to v0.1.5 (#6)

This PR contains the following updates:

| Package | Type | Update | Change | Pending |
|---|---|---|---|---|
| [https://gitea.t000-n.de/t.behrendt/actions](https://gitea.t000-n.de/t.behrendt/actions) | action | patch | `0.1.4` → `0.1.5` | `0.2.1` (+3) |

---

### Release Notes

<details>
<summary>t.behrendt/actions (https://gitea.t000-n.de/t.behrendt/actions)</summary>

### [`v0.1.5`](https://gitea.t000-n.de/t.behrendt/actions/compare/0.1.4...0.1.5)

[Compare Source](https://gitea.t000-n.de/t.behrendt/actions/compare/0.1.4...0.1.5)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41LjQiLCJ1cGRhdGVkSW5WZXIiOiI0My41LjQiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbImFjdGlvbiIsImRlcHMiXX0=-->

Reviewed-on: t.behrendt/trivy-workflows#6
Reviewed-by: t.behrendt <t.behrendt@noreply.localhost>
Co-authored-by: Renovate Bot <renovate@t00n.de>
Co-committed-by: Renovate Bot <renovate@t00n.de>

.gitea/workflows/cd.yaml

@@ -15,10 +15,10 @@ jobs:
           fetch-depth: 0
       - name: Increment tag
         id: tag
-        uses: https://gitea.t000-n.de/t.behrendt/conventional-semantic-git-tag-increment@8d27605e8e6b2990e92e5aa75d703e602b8c4b2a # 0.1.28
+        uses: https://gitea.t000-n.de/t.behrendt/conventional-semantic-git-tag-increment@41b7e04221df8a033bec841d40a097b76e5f67ff # 0.1.29
         with:
           token: ${{ secrets.GITEA_TOKEN }}
       - name: Push tag
-        uses: https://gitea.t000-n.de/t.behrendt/actions/release-git-tag@8973a9f9ff51c16b937364e0047e7ad07e937d3f # 0.1.4
+        uses: https://gitea.t000-n.de/t.behrendt/actions/release-git-tag@74e7be819ecfc1a8d3e3fcf679e8f3e0a7065343 # 0.1.5
         with:
           tag: ${{ steps.tag.outputs.new-tag }}

.gitea/workflows/prerelease.yaml

@@ -13,11 +13,11 @@ jobs:
           fetch-depth: 0
       - name: Increment tag
         id: tag
-        uses: https://gitea.t000-n.de/t.behrendt/conventional-semantic-git-tag-increment@8d27605e8e6b2990e92e5aa75d703e602b8c4b2a # 0.1.28
+        uses: https://gitea.t000-n.de/t.behrendt/conventional-semantic-git-tag-increment@41b7e04221df8a033bec841d40a097b76e5f67ff # 0.1.29
         with:
           token: ${{ secrets.GITEA_TOKEN }}
           prerelease: true
       - name: Push tag
-        uses: https://gitea.t000-n.de/t.behrendt/actions/release-git-tag@8973a9f9ff51c16b937364e0047e7ad07e937d3f # 0.1.4
+        uses: https://gitea.t000-n.de/t.behrendt/actions/release-git-tag@74e7be819ecfc1a8d3e3fcf679e8f3e0a7065343 # 0.1.5
         with:
           tag: ${{ steps.tag.outputs.new-tag }}

.gitea/workflows/run-trivy-scan.yaml

@@ -23,6 +23,11 @@ on:
         required: false
         type: string
         default: ""
+      scan-fs:
+        description: "Run Trivy file system scan on the repository root."
+        required: false
+        type: boolean
+        default: false
     outputs:
       merged-sarif-artifact:
         description: "Artifact name containing the merged SARIF file (download this artifact; file inside is merged-sarif.json)."
@@ -110,9 +115,28 @@ jobs:
           name: image-sarif
           path: image-sarif.json
 
+  fs-scan:
+    if: inputs.scan-fs
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-trivy@83a7cef9f19e3a5a30311839f99f83690a490cf8 # 1.4.5
+      - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-db@83a7cef9f19e3a5a30311839f99f83690a490cf8 # 1.4.5
+      - run: |
+          server="${{ inputs.trivy-server-url }}"
+          args=(fs --cache-dir "$TRIVY_CACHE_DIR" --exit-code 0 --format sarif --output fs-sarif.json --scanners vuln .)
+          [ -n "$server" ] && args+=(--server "$server")
+          trivy "${args[@]}"
+        env:
+          TRIVY_CACHE_DIR: ${{ runner.temp }}/trivy
+      - uses: https://github.com/ChristopherHX/gitea-upload-artifact@v4
+        with:
+          name: fs-sarif
+          path: fs-sarif.json
+
   merge:
     runs-on: ubuntu-latest
-    needs: [config-scan, image-scan]
+    needs: [config-scan, image-scan, fs-scan]
     if: always() && (needs.config-scan.result == 'success' || needs.config-scan.result == 'skipped') && (needs.image-scan.result == 'success' || needs.image-scan.result == 'skipped') && (inputs.scan-config || inputs.scan-images)
     outputs:
       merged-sarif-artifact: ${{ steps.outputs.outputs.merged-sarif-artifact }}
@@ -145,6 +169,9 @@ jobs:
           if [ "${{ inputs.scan-images }}" = "true" ] && [ -f image-sarif-artifact/image-sarif.json ]; then
             [ -n "$files" ] && files="$files"$'\n'"  - image-sarif-artifact/image-sarif.json" || files="- image-sarif-artifact/image-sarif.json"
           fi
+          if [ "${{ inputs.scan-fs }}" = "true" ] && [ -f fs-sarif-artifact/fs-sarif.json ]; then
+            [ -n "$files" ] && files="$files"$'\n'"  - fs-sarif-artifact/fs-sarif.json" || files="- fs-sarif-artifact/fs-sarif.json"
+          fi
           echo "files<<EOF" >> "$GITHUB_OUTPUT"
           echo "$files" >> "$GITHUB_OUTPUT"
           echo "EOF" >> "$GITHUB_OUTPUT"