fix(ci/cve-scanning): missing trivy https://github.com/aquasecurity/trivy-action/blob/master/entrypoint.sh lead me to believe it is already installed, despite https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2204-Readme.md not listing it. But I overlooked that they're using their docker image for the action run. #7349

	name: Validate and label Pull Request

	on:
	pull_request_target:
	types:
	- opened
	- edited
	- reopened
	- synchronize

	jobs:
	getChangedChart:
	if: ${{ !startsWith(github.head_ref, 'release-please--') }}
	uses: ./.github/workflows/get-changed-chart.yaml
	validateCommits:
	if: ${{ !startsWith(github.head_ref, 'release-please--') }}
	name: Validate commits
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
	with:
	fetch-depth: 0
	ref: ${{ github.event.pull_request.head.sha }}

	- name: Conventional commit check
	uses: cocogitto/cocogitto-action@5ae166018d8265bb2df85c1eb521e86a17b61085 # v3
	validateAndLabelPR:
	if: ${{ !startsWith(github.head_ref, 'release-please--') }}
	name: Validate and label PR
	runs-on: ubuntu-latest
	needs: getChangedChart
	steps:
	- name: Conventional commit check
	uses: cocogitto/cocogitto-action@5ae166018d8265bb2df85c1eb521e86a17b61085 # v3
	with:
	check: false
	- run: \|
	set -u
	set -o pipefail

	: "${PR_TITLE:?Environment variable must be set}"

	changed="${CHANGED_CHART?Environment variable must be set}"

	if ! cog verify "$PR_TITLE"; then
	echo "PR title must be a conventional commit message" >&2
	exit 1
	fi

	if [[ -n "$changed" ]] && ! cog verify "$PR_TITLE" 2>&1 \| grep -Eq "^\s+Scope: $changed(/.+\|)\$"; then
	echo "PR title must have scope '$changed/\$subscope'" >&2
	exit 1
	fi
	env:
	PR_TITLE: ${{ github.event.pull_request.title }}
	GITHUB_TOKEN: ${{ github.token }}
	ISSUE_NUMBER: ${{ github.event.number }}
	CHANGED_CHART: ${{ needs.getChangedChart.outputs.chart }}

Provide feedback