RHOAIENG-16076: tests(gha): pre-pull trivy vulnerabilities db to prevent failures to download later #777
Conversation
jiridanek
added
the
trivy-scan
jiridanek
force-pushed
the
jd_gha_update_trivy
branch
from
9a09c37 to
7a26200
Compare
jiridanek
changed the title
…ent failures to download later
jiridanek
force-pushed
the
jd_gha_update_trivy
branch
from
7a26200 to
53bef99
Compare
jiridanek
added
the
tide/merge-method-squash
|
@jiridanek: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/lgtm |
|
/cc @caponetto |
| @@ -114,6 +115,26 @@ jobs: | |||
| systemctl --user start homebrew.podman.service | |||
| echo "PODMAN_SOCK=/run/user/${UID}/podman/podman.sock" >> $GITHUB_ENV | |||
|
|
|||
| # only one db can be downloaded in one call https://github.com/aquasecurity/trivy/issues/3616 | |||
| - name: Pre-pull Trivy vulnerabilities DB | |||
| if: ${{ contains(fromJson(inputs.github).event.pull_request.labels.*.name, 'trivy-scan') }} | |||
There was a problem hiding this comment.
Instead of having a dedicated step for this code, can it be run as part of the Run Trivy vulnerability scanner step? Besides PR+Label, the Trivy scan also runs through the schedule trigger.
There was a problem hiding this comment.
the whole idea of this PR is to have this as a separate step; trivy likes to fail the db download very often if I don't pre-pull
It prevents problems like skupperproject/skupper-router#1642 (my previous project) has been experiencing recently. They fixed it by deleting the trivy scan from their gha; I think my fix is more nuanced ;P
thanks for catching the missing case with scheduled scans, I'll add that to the step run condition
There was a problem hiding this comment.
when there are long-ish running tests that make the trivy run even later in the job, it fails even more
|
/lgtm |
|
/override ci/prow/images |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jiridanek The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@jiridanek: Overrode contexts on behalf of jiridanek: ci/prow/images In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
…ent failures to download later (opendatahub-io#777) * RHOAIENG-16076: tests(gha): pre-pull trivy vulnerabilities db to prevent failures to download later * fix from review; use the only true condition to check if trivy should run (cherry picked from commit 6477ed4)
…ent failures to download later (opendatahub-io#777) * RHOAIENG-16076: tests(gha): pre-pull trivy vulnerabilities db to prevent failures to download later * fix from review; use the only true condition to check if trivy should run (cherry picked from commit 6477ed4)
https://issues.redhat.com/browse/RHOAIENG-16076
Description
Another chunk of the
changes to be reviewed and merged.
Turns out that Trivy does not fail to pull the db if the pull happens soon enough after the GHA starts.
How Has This Been Tested?
GHA
Merge criteria: