github/workflows: use ECR mirror for Trivy's DB

[ivanvc]

GitHub Container Registry is returning a TOOMANYREQUESTS error. Switch to AWS ECR mirror, as suggested in aquasecurity/trivy-action#389.

Part of #18671.

Please read https://github.com/etcd-io/etcd/blob/main/CONTRIBUTING.md#contribution-flow.

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 68.90%. Comparing base (2c97110) to head (12a0e76).
Report is 4 commits behind head on main.

❗ Current head 12a0e76 differs from pull request most recent head 1af428a

Please upload reports for the commit 1af428a to get more accurate results.

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

see 24 files with indirect coverage changes

@@            Coverage Diff             @@
##             main   #18672      +/-   ##
==========================================
+ Coverage   68.70%   68.90%   +0.19%     
==========================================
  Files         420      420              
  Lines       35535    35535              
==========================================
+ Hits        24414    24485      +71     
+ Misses       9686     9625      -61     
+ Partials     1435     1425      -10     

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 2c97110...1af428a. Read the comment docs.

[ivanvc]

It looks to work as expected, refer to: https://github.com/etcd-io/etcd/actions/runs/11150670417/job/30992575192?pr=18672#step:5:13

I'll retest the coverage (linux-amd64-coverage) test, which failed.

[ivanvc]

/retest

[ahrtr]

Is there any restriction on public.ecr.aws/aquasecurity/trivy-db? @dims @chaochn47

[ivanvc]

I thought it was okay, as there are many instances of images from the public.ecr.aws registry in the k/test-infra repo, including our website listing, as it uses an AWS ECR mirror of the NodeJS image.

Either way, it'd be great to have the blessing to use it ✌️.

[ahrtr]

Thanks @ivanvc for the quick fix!

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ahrtr, ivanvc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [ahrtr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jmhbnz]

/cherrypick release-3.5

[k8s-infra-cherrypick-robot]

@jmhbnz: new pull request created: #18687

In response to this:

/cherrypick release-3.5

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[jmhbnz]

/cherrypick release-3.4

[k8s-infra-cherrypick-robot]

@jmhbnz: new pull request created: #18688

In response to this:

/cherrypick release-3.4

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.