From c08951e8487d5f0fe552a028f108de62edfae7c0 Mon Sep 17 00:00:00 2001
From: Manuel Buil <mbuil@suse.com>
Date: Mon, 16 Mar 2026 16:59:02 +0100
Subject: [PATCH] Fix trivy updatecli config

Signed-off-by: Manuel Buil <mbuil@suse.com>
---
 updatecli/updatecli.d/trivy.yaml | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/updatecli/updatecli.d/trivy.yaml b/updatecli/updatecli.d/trivy.yaml
index ddab63f1139..b104607bc6a 100644
--- a/updatecli/updatecli.d/trivy.yaml
+++ b/updatecli/updatecli.d/trivy.yaml
@@ -36,7 +36,7 @@ sources:
       token: "{{ requiredEnv .github.token }}"
       versionfilter:
         kind: "regex"
-        pattern: "^v\\d+\\.\\d+$" # Matches "vMajor.Minor" only, skip patch
+        pattern: "^v\\d+\\.\\d+\\.\\d+$" # Matches "vMajor.Minor.Patch"
     transformers:
       - trimprefix: "v"
 
@@ -48,7 +48,15 @@ conditions:
     disablesourceinput: true
     spec:
       file: "Dockerfile.dapper"
-      matchpattern: 'TRIVY_VERSION="\d+\.\d+.\d+"'
+      matchpattern: 'TRIVY_VERSION="\d+\.\d+\.\d+"'
+  trivy-minor-changed:
+    name: "Only update when Trivy major.minor changed"
+    kind: "shell"
+    sourceid: "trivy-release"
+    transformers:
+      - find: '\d+\.\d+'
+    spec:
+      command: 'current=$(sed -n -E ''s/^ENV TRIVY_VERSION="([0-9]+\.[0-9]+)\.[0-9]+"$/\1/p'' Dockerfile.dapper); test "$current" !='
 
 targets:
   trivy-version:
@@ -58,6 +66,6 @@ targets:
     disablesourceinput: true
     spec:
       file: "Dockerfile.dapper"
-      matchpattern: 'TRIVY_VERSION="\d+\.\d+.\d+"'
+      matchpattern: 'TRIVY_VERSION="\d+\.\d+\.\d+"'
       replacepattern: 'TRIVY_VERSION="{{ source `trivy-release` }}"'