From 14f049d3719ca2cbdffcd466d74adfc1959b24b1 Mon Sep 17 00:00:00 2001
From: Vova Kolmakov
Date: Tue, 2 Jun 2026 14:12:30 +0700
Subject: [PATCH 1/2] CI: Retry Trivy scanner image pull to absorb transient Docker Hub timeouts
Co-Authored-By: Claude Opus 4.8 (1M context)
---
.github/workflows/cve-scan.yml | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/.github/workflows/cve-scan.yml b/.github/workflows/cve-scan.yml
index 6bd08de9859b..238c96e69b7d 100644
--- a/.github/workflows/cve-scan.yml
+++ b/.github/workflows/cve-scan.yml
@@ -51,6 +51,11 @@ jobs:
# ------------------------------------------------------------------
cve-scan:
runs-on: ubuntu-24.04
+ env:
+ # Trivy scanner image, pinned by digest (matches lhotari/sandboxed-trivy-action's
+ # default at the pinned ref). Pre-pulled with retry below to absorb transient Docker
+ # Hub (registry-1.docker.io) timeouts that otherwise fail the job with exit code 125.
+ TRIVY_IMAGE: aquasec/trivy:0.69.3@sha256:bcc376de8d77cfe086a917230e818dc9f8528e3c852f7b1aff648949b6258d1c
permissions:
contents: read
security-events: write
@@ -142,6 +147,19 @@ jobs:
else
cp ${{ matrix.scan-path }}/iceberg-${{ matrix.distribution }}-*.jar /tmp/cve-scan/
fi
+ - name: Pull Trivy image (with retry)
+ # Pre-pull the scanner image so the action's docker run finds it locally and never hits
+ # the registry. Retrying with backoff absorbs transient Docker Hub timeouts (exit 125).
+ run: |
+ for attempt in 1 2 3 4 5; do
+ if docker pull "${TRIVY_IMAGE}"; then
+ exit 0
+ fi
+ echo "docker pull failed (attempt ${attempt}/5); retrying in $((attempt * 10))s..." >&2
+ sleep "$((attempt * 10))"
+ done
+ echo "Failed to pull ${TRIVY_IMAGE} after 5 attempts" >&2
+ exit 1
- name: Run Trivy vulnerability scan
uses: lhotari/sandboxed-trivy-action@f01374b6cc3bf7264ab238293e94f6db7ada6dd0 # v1.0.2
with:
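Review bot: The tag in `TRIVY_IMAGE` is informational once a digest is present, because `docker pull name:tag@sha256:…` resolves by the digest and ignores the tag, so a future bump of `0.69.3` that forgets to replace the digest keeps scanning with the old Trivy release and raises no error. The comment should say so, e.g. `# Bump the tag and the digest together: docker resolves by the digest and ignores the tag.` The same applies to the ghcr.io value in the second patch's `@@ -52,10 +52,10 @@` hunk. The parenthetical "matches lhotari/sandboxed-trivy-action's default at the pinned ref" goes stale the moment the action ref is bumped, and since the image is passed explicitly via the `trivy-image` input in a later hunk, the action's default no longer decides which scanner runs.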
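Review bot: The comment's claim that the action's `docker run` "finds it locally and never hits the registry" holds only while the `trivy-image` input added in the `@@ -155,6 +173,7 @@` hunk is the exact same `${{ env.TRIVY_IMAGE }}` string; if either side is edited on its own the pre-pull silently becomes dead work and the scan pulls again with no retry. Suggest tying them together in the comment: `# Must match the trivy-image input of the scan step below, otherwise this pre-pull is ineffective.` Separately, the loop retries every failure, so a permanent one (a mistyped digest giving `manifest unknown`, or content that does not match the pinned digest, which docker rejects) still waits out the whole backoff before the job fails; that is acceptable for five attempts, but a short comment would stop a reader from treating repeated retries as a sign the pin itself is wrong. The final error message and `exit 1` close the step inside this hunk.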
@@ -155,6 +173,7 @@ jobs:
exit-code: ${{ github.event_name == 'pull_request' && '1' || '0' }}
format: 'sarif'
output: 'trivy-results.sarif'
+ trivy-image: ${{ env.TRIVY_IMAGE }}
- name: Print Trivy scan results
if: always()
run: |
From f146fb22f0da641474dafb1a5839c776c0c36269 Mon Sep 17 00:00:00 2001
From: Vova Kolmakov
Date: Fri, 12 Jun 2026 12:43:19 +0700
Subject: [PATCH 2/2] CI: Pull Trivy image from GHCR and skip the final retry sleep
Co-Authored-By: Claude Opus 4.8 (1M context)
---
.github/workflows/cve-scan.yml | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/cve-scan.yml b/.github/workflows/cve-scan.yml
index 238c96e69b7d..22a55db552cc 100644
--- a/.github/workflows/cve-scan.yml
+++ b/.github/workflows/cve-scan.yml
@@ -52,10 +52,10 @@ jobs:
cve-scan:
runs-on: ubuntu-24.04
env:
- # Trivy scanner image, pinned by digest (matches lhotari/sandboxed-trivy-action's
- # default at the pinned ref). Pre-pulled with retry below to absorb transient Docker
- # Hub (registry-1.docker.io) timeouts that otherwise fail the job with exit code 125.
- TRIVY_IMAGE: aquasec/trivy:0.69.3@sha256:bcc376de8d77cfe086a917230e818dc9f8528e3c852f7b1aff648949b6258d1c
+ # Trivy scanner image, pinned by digest. Pulled from GHCR (ghcr.io), which serves the
+ # identical manifest digest as Docker Hub but is more reliable on GitHub-hosted runners.
+ # Pre-pulled with retry below to absorb transient registry pull timeouts (exit code 125).
+ TRIVY_IMAGE: ghcr.io/aquasecurity/trivy:0.69.3@sha256:bcc376de8d77cfe086a917230e818dc9f8528e3c852f7b1aff648949b6258d1c
permissions:
contents: read
security-events: write
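Review bot: The rewritten comment credits GHCR with "serving the identical manifest digest", but what actually guarantees the scanner is unchanged after the registry switch is the `@sha256:` pin, which docker verifies against the downloaded manifest regardless of which registry served it; saying that makes the switch (and any later fallback to Docker Hub for the same digest) auditable as a no-op for integrity. Suggest `# Same digest as on Docker Hub; the @sha256 pin is what guarantees identical content, the registry only affects availability.` The phrase "more reliable on GitHub-hosted runners" is an observation from CI history rather than a property of the image, so it is fine to keep but will age.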
@@ -149,12 +149,15 @@ jobs:
fi
- name: Pull Trivy image (with retry)
# Pre-pull the scanner image so the action's docker run finds it locally and never hits
- # the registry. Retrying with backoff absorbs transient Docker Hub timeouts (exit 125).
+ # the registry. Retrying with backoff absorbs transient registry pull timeouts (exit 125).
run: |
for attempt in 1 2 3 4 5; do
if docker pull "${TRIVY_IMAGE}"; then
exit 0
fi
+ if [ "${attempt}" = "5" ]; then
+ break
+ fi
echo "docker pull failed (attempt ${attempt}/5); retrying in $((attempt * 10))s..." >&2
sleep "$((attempt * 10))"
done
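Review bot: The attempt budget `5` is now spelled out three times inside the hunk (`for attempt in 1 2 3 4 5`, the new `[ "${attempt}" = "5" ]` guard, and the `/5` in the echo) and a fourth time in the final error message after `done`, which lies outside this hunk; the new guard is exactly the copy that gets missed when someone changes the count, which would reinstate the final sleep this commit removes. Hoist it once: `max_attempts=5`, `for attempt in $(seq 1 "${max_attempts}"); do`, `if [ "${attempt}" -eq "${max_attempts}" ]; then break; fi`, and use `${max_attempts}` in both messages. The step's `run:` block continues past the hunk with the failure message and `exit 1`.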