From ba24e7e6843a18b00f9c78691eb316343d85226a Mon Sep 17 00:00:00 2001
From: Louis Lotter
Date: Fri, 12 Jun 2026 11:04:42 +0200
Subject: [PATCH 1/2] STAC-25026-add vexhub-main subdir to tarball location URL

GitHub branch tarballs extract into a vexhub-main/ top-level directory. Without the go-getter //vexhub-main subdirectory hint, trivy vex repo download leaves the repository nested (0.1/vexhub-main/...), which 'trivy --vex repo' cannot read (it needs index.json at the version root) while Grype-style document collection still finds the files. Result: VEX statements silently stop applying to Trivy scans, e.g. the jetty CVE-2024-6763 statement on 2026-06-12. Mirrors the rancher vexhub manifest, which already carries the suffix.
---
 vex-repository.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/vex-repository.json b/vex-repository.json
index 1680018..38b0e33 100644
--- a/vex-repository.json
+++ b/vex-repository.json
@@ -6,7 +6,7 @@
 "spec_version": "0.1",
 "locations": [
 {
- "url": "https://github.com/stackvista/vexhub/archive/refs/heads/main.tar.gz"
+ "url": "https://github.com/stackvista/vexhub/archive/refs/heads/main.tar.gz//vexhub-main"
 }
 ],
 "update_interval": "24h"

From 56c945b94dfc070a4a893a47d16c3505c152d0e3 Mon Sep 17 00:00:00 2001
From: Louis Lotter
Date: Wed, 17 Jun 2026 16:42:29 +0200
Subject: [PATCH 2/2] STAC-25026-fix index check trigger

---
 .github/workflows/index-check.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/index-check.yml b/.github/workflows/index-check.yml
index 902c4b3..e01c351 100644
--- a/.github/workflows/index-check.yml
+++ b/.github/workflows/index-check.yml
@@ -16,6 +16,7 @@ on:
 paths:
 - "pkg/**"
 - "index.json"
+ - "vex-repository.json"
 - "tools/build_index.py"
 - ".github/workflows/index-check.yml"
 push:
@@ -24,6 +25,7 @@ on:
 paths:
 - "pkg/**"
 - "index.json"
+ - "vex-repository.json"
 - "tools/build_index.py"
 permissions:
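Review bot: The `//vexhub-main` suffix on the new `url` value hard-codes the archive's top-level directory, which GitHub derives from the repository and branch names, so renaming either would bring back the nested layout that the commit message says Trivy cannot read. Because VEX statements decide which findings a scan suppresses, that failure should be loud rather than silent: I would add a CI step that fetches the manifest's location and asserts that `index.json` sits at the extracted root. JSON allows no comment beside the value, so the coupling between suffix and branch name is best recorded in the README or next to that check. Whether the existing index-check workflow already verifies this is not visible in this patch.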
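Review bot: The `paths` filter is kept as two hand-copied lists, and they already differ. The first list (presumably under the `pull_request` trigger, whose key is outside the hunk) includes `.github/workflows/index-check.yml`, while the list after `push:` in the `@@ -24,6 +25,7 @@` hunk ends at `tools/build_index.py`. If that difference is not intentional, add `- ".github/workflows/index-check.yml"` to the `push` list so that an edit to the check itself, pushed directly to the branch, still runs it. A comment above each list, such as `# keep in sync with the other paths list`, would stop further drift.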
@@ -35,10 +37,12 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v5
+ uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ with:
+ persist-credentials: false
 - name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: "3.14"
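Review bot: The trailing comments `# v5` and `# v6` on the two pinned `uses:` lines name floating major tags, so they do not record which release each commit SHA was taken from. A reviewer therefore cannot confirm from the file that the SHA is a tagged commit of the upstream action repository. Write the exact release instead, for example `uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # vX.Y.Z` (placeholder version; use the tag the SHA actually resolves to), which also lets Dependabot or Renovate update the SHA and the comment together. The `jobs:` block starts before the hunk and the `steps:` list may continue past it, so any other `uses:` lines in the workflow are not visible here and should be pinned the same way.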