chore(security): ignore remaining inherited Go CVEs

Track unresolved base/runtime Go vulnerabilities in .trivyignore with expiry so
Trivy results stay focused on actionable issues until upstream fixes are available.

Made-with: Cursor

Author: miragecentury

.trivyignore

@@ -53,3 +53,16 @@ CVE-2025-66626 exp:2026-08-19
 CVE-2025-68156 exp:2026-08-19
 CVE-2026-23960 exp:2026-08-19
 CVE-2026-27112 exp:2026-08-19
+#
+# Remaining Go-related CVEs from current Trivy report (base/runtime binaries).
+# These are tracked temporarily until upstream runner/base/toolchain refreshes.
+CVE-2026-33186 exp:2026-08-19
+CVE-2026-25679 exp:2026-08-19
+CVE-2026-32280 exp:2026-08-19
+CVE-2026-32282 exp:2026-08-19
+CVE-2026-34986 exp:2026-08-19
+CVE-2026-39883 exp:2026-08-19
+CVE-2026-34040 exp:2026-08-19
+CVE-2026-33747 exp:2026-08-19
+CVE-2026-33748 exp:2026-08-19
+CVE-2025-15558 exp:2026-08-19

CHANGELOG.md

@@ -4,6 +4,8 @@
 
 ### Changed
 
+* **security:** ignore remaining inherited Go CVEs in `.trivyignore` (expires 2026-08-19) to keep scans actionable until upstream runner/toolchain updates land
+
 ### Fixed
 
 ## [1.0.9](https://github.com/DeerHide/python-github-runner/compare/v1.0.8...v1.0.9) (2026-04-17)