Merged
22 changes: 22 additions & 0 deletions .github/workflows/cve-scan.yml
@@ -51,6 +51,11 @@ jobs:
# ------------------------------------------------------------------
cve-scan:
runs-on: ubuntu-24.04
env:
# Trivy scanner image, pinned by digest. Pulled from GHCR (ghcr.io), which serves the
# identical manifest digest as Docker Hub but is more reliable on GitHub-hosted runners.
# Pre-pulled with retry below to absorb transient registry pull timeouts (exit code 125).
TRIVY_IMAGE: ghcr.io/aquasecurity/trivy:0.69.3@sha256:bcc376de8d77cfe086a917230e818dc9f8528e3c852f7b1aff648949b6258d1c
permissions:
contents: read
security-events: write
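Review bot: the comment at the top of this hunk justifies GHCR by saying it serves the identical manifest digest as Docker Hub, but with an `@sha256:` pin the registry is a reliability choice, not a trust choice: the daemon verifies the pulled manifest against the digest, so a registry serving different content is rejected regardless of where the pull goes. Suggest rewording the comment to say that, and noting that once the digest is present the `0.69.3` tag is informational only, so a version bump that does not also bump the digest silently keeps running the old image.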
@@ -142,6 +147,22 @@ jobs:
else
cp ${{ matrix.scan-path }}/iceberg-${{ matrix.distribution }}-*.jar /tmp/cve-scan/
fi
- name: Pull Trivy image (with retry)
# Pre-pull the scanner image so the action's docker run finds it locally and never hits
# the registry. Retrying with backoff absorbs transient registry pull timeouts (exit 125).
run: |
for attempt in 1 2 3 4 5; do
Contributor
nit: the loop sleeps after the 5th failed pull even though there is no 6th retry, and the log says "retrying" on the final failed attempt.

Could we avoid the final sleep / misleading message? For example:

for attempt in 1 2 3 4 5; do
  if docker pull "${TRIVY_IMAGE}"; then
    exit 0
  fi

  if [ "${attempt}" = "5" ]; then
    break
  fi

  echo "docker pull failed (attempt ${attempt}/5); retrying in $((attempt * 10))s..." >&2
  sleep "$((attempt * 10))"
done

echo "Failed to pull ${TRIVY_IMAGE} after 5 attempts" >&2
exit 1
Contributor Author
Done f146fb2

if docker pull "${TRIVY_IMAGE}"; then
exit 0
fi
if [ "${attempt}" = "5" ]; then
break
fi
echo "docker pull failed (attempt ${attempt}/5); retrying in $((attempt * 10))s..." >&2
sleep "$((attempt * 10))"
done
echo "Failed to pull ${TRIVY_IMAGE} after 5 attempts" >&2
exit 1
- name: Run Trivy vulnerability scan
uses: lhotari/sandboxed-trivy-action@f01374b6cc3bf7264ab238293e94f6db7ada6dd0 # v1.0.2
with:
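Review bot: the retry loop treats every `docker pull` failure as transient, so a permanent error (a digest that no longer matches after a version bump, a missing manifest, an auth failure) burns the full 10+20+30+40 s of backoff before the step fails, and the last attempt's real exit status is replaced by a generic `exit 1`. Suggest capturing the status of the final attempt and returning it, printing the pull's stderr on each attempt so the failure mode is visible in the log, and giving the step a `timeout-minutes` so a hung pull cannot stall the job. The step comment's claim that the action "never hits the registry" also holds only because the `trivy-image` input below is handed exactly this digest-pinned reference; worth stating that coupling in the comment so a later edit to either side does not silently break it.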
@@ -155,6 +176,7 @@ jobs:
exit-code: ${{ github.event_name == 'pull_request' && '1' || '0' }}
format: 'sarif'
output: 'trivy-results.sarif'
trivy-image: ${{ env.TRIVY_IMAGE }}
- name: Print Trivy scan results
if: always()
run: |
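Review bot: `trivy-image: ${{ env.TRIVY_IMAGE }}` is the only link between the pre-pull step and the scan; if the action ignores or defaults this input, the pre-pull is wasted and the action pulls its own default image outside the retry loop, which is exactly the failure this PR sets out to fix. Suggest a cheap guard before the scan, for example `docker image inspect "$TRIVY_IMAGE" >/dev/null`, and a check in the action's log that the digest it reports matches the pinned one. Note also that `exit-code` is `0` outside pull requests, so findings on push never fail the job and are only surfaced through the SARIF output and the print step that follows.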
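The retry pattern discussed in the review thread above, generalised into a reusable shell function as an added example; this is not code from the PR or the project. It parameterises the attempt count and the base delay, prints a "retrying" line only when a retry will actually happen, never sleeps after the final failure, and returns the last attempt's exit status instead of a flat 1 so the caller sees why the pull failed. `flaky` is a constructed stand-in for `docker pull` that fails until a counter file reaches a target, so the behaviour can be exercised offline; `demo_counter` is a temp file created only for the demo at the bottom.

```shell
#!/bin/sh
# retry_with_backoff MAX_ATTEMPTS BASE_DELAY_SECONDS COMMAND [ARGS...]
#
# Runs COMMAND up to MAX_ATTEMPTS times with linear backoff: after failed
# attempt n (n < MAX_ATTEMPTS) it sleeps n*BASE_DELAY_SECONDS. There is no
# sleep and no "retrying" message after the final failure. Returns 0 on the
# first success, otherwise the exit status of the last attempt.
retry_with_backoff() {
  max="$1"
  base="$2"
  shift 2
  attempt=1
  while :; do
    if "$@"; then
      return 0
    else
      status=$?   # exit status of the failed attempt
    fi
    if [ "$attempt" -ge "$max" ]; then
      echo "giving up after ${attempt} attempts (last exit status ${status})" >&2
      return "$status"
    fi
    delay=$((attempt * base))
    echo "attempt ${attempt}/${max} failed (exit ${status}); retrying in ${delay}s" >&2
    sleep "$delay"
    attempt=$((attempt + 1))
  done
}

# flaky COUNTER_FILE SUCCEED_ON
#
# Constructed stand-in for a flaky "docker pull": increments the counter stored
# in COUNTER_FILE and succeeds only once it reaches SUCCEED_ON. Nothing here
# talks to a registry.
flaky() {
  counter_file="$1"
  succeed_on="$2"
  n=$(cat "$counter_file" 2>/dev/null || echo 0)
  n=${n:-0}
  n=$((n + 1))
  echo "$n" > "$counter_file"
  [ "$n" -ge "$succeed_on" ]
}

# Demo run: the stand-in fails once, one "retrying in 0s" line is printed,
# and the second attempt succeeds. Delay 0 keeps the demo instant; a real
# pull would use something like: retry_with_backoff 5 10 docker pull "$TRIVY_IMAGE"
demo_counter=$(mktemp)
rm -f "$demo_counter"
retry_with_backoff 3 0 flaky "$demo_counter" 2
rm -f "$demo_counter"
```

In a workflow step the call would be `retry_with_backoff 5 10 docker pull "${TRIVY_IMAGE}"`, which reproduces the 10/20/30/40 s schedule from the PR while dropping the trailing sleep and propagating docker's own exit status to the job log.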