Regression hotfix. Introduced by v2.6.2 (PR #196): the permissions: read-all top-level on docker-multiplatform.yml stripped the security-events: write scope that the Trivy SARIF upload step relies on. The failure only surfaced after merge because the security-scan job is gated on github.event_name != 'pull_request', so PR builds were green and main / tag pushes failed.
Fix
Job-level permissions override on security-scan:

```yaml
permissions:
  security-events: write
  contents: read
```

Workflow default stays read-all. The build job is unaffected (Docker Hub push goes through DOCKERHUB_TOKEN, not GITHUB_TOKEN).
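As an added example (not code from the project or this PR): a small Python check that resolves each job's effective `permissions` the way Actions does and flags steps that lost a scope they need, which is exactly how the read-all default silently dropped `security-events: write`. The workflow mapping, the step-to-scope table and the assumption that the Trivy SARIF goes through `github/codeql-action/upload-sarif` are constructed here, and the repository default is assumed to be the restricted preset.

```python
# Added example, not the project's own code: resolve each job's effective
# `permissions` the way GitHub Actions does (a job-level block replaces the
# workflow-level one entirely, so unlisted scopes drop to none) and flag
# steps that need a scope the job no longer has.
SCOPES = ("actions", "checks", "contents", "packages", "pull-requests",
          "security-events")  # subset of GitHub's scopes, enough for this check
RANK = {"none": 0, "read": 1, "write": 2}
# Scope each action needs (assumption: the Trivy SARIF is uploaded via upload-sarif).
STEP_NEEDS = {"actions/checkout": ("contents", "read"),
              "github/codeql-action/upload-sarif": ("security-events", "write")}

def expand(perms):
    """Turn a `permissions` value into a full scope -> level mapping."""
    if perms is None:  # key omitted: assume the repo's restricted default preset
        return {s: "read" if s in ("contents", "packages") else "none" for s in SCOPES}
    if perms in ("read-all", "write-all"):
        return {s: perms[:-4] for s in SCOPES}  # "read" / "write" everywhere
    return {s: perms.get(s, "none") for s in SCOPES}  # explicit map: rest -> none

def effective_permissions(workflow, job):
    """Job-level `permissions`, when present, replaces the workflow-level one."""
    job_perms = workflow["jobs"][job].get("permissions")
    return expand(workflow.get("permissions") if job_perms is None else job_perms)

def missing_scopes(workflow):
    """Return (job, action, scope, needed, granted) for each under-privileged step."""
    problems = []
    for name, job in workflow["jobs"].items():
        perms = effective_permissions(workflow, name)
        for step in job.get("steps", []):
            action = step.get("uses", "").split("@")[0]
            if action in STEP_NEEDS:
                scope, need = STEP_NEEDS[action]
                if RANK[perms[scope]] < RANK[need]:
                    problems.append((name, action, scope, need, perms[scope]))
    return problems

# Constructed workflow in the v2.6.2 shape (what yaml.safe_load would return):
# top-level read-all plus a scan job gated off pull_request events.
BROKEN = {"permissions": "read-all", "jobs": {
    "build": {"steps": [{"uses": "actions/checkout@v4"}]},
    "security-scan": {"if": "github.event_name != 'pull_request'", "steps": [
        {"uses": "actions/checkout@v4"},
        {"uses": "github/codeql-action/upload-sarif@v3"}]}}}
# Hotfix shape: the override must restate contents: read or checkout loses it.
FIXED = {**BROKEN, "jobs": {**BROKEN["jobs"], "security-scan": {
    **BROKEN["jobs"]["security-scan"],
    "permissions": {"security-events": "write", "contents": "read"}}}}
```

Running `missing_scopes` over a real workflow only needs `yaml.safe_load` on the file in place of the constructed dicts.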
The two failures in the activity log from v2.6.3 (main merge commit + v2.6.3 tag push) will remain as historical failures - they aren't retried automatically. Future pushes will succeed.
Closes #199.