Backport image scan patch

Author: MaxBed4d

.github/workflows/runner-selector.yml

@@ -0,0 +1,48 @@
+---
+name: Create output for `runs-on` variable
+
+on:
+  workflow_call:
+    inputs:
+      runner_env:
+        description: 'The environment input from caller workflow'
+        default: 'SMS Lab'
+        required: True
+        type: string
+    outputs:
+      runner_name_image_build:
+        description: "Image builder runner name"
+        value: ${{ jobs.define_runner.outputs.image-build-runner }}
+      runner_name_container_image_build:
+        description: "Container image build runner name"
+        value: ${{ jobs.define_runner.outputs.container-image-build-runner }}
+      runner_name_aio:
+        description: "AiO runner name"
+        value: ${{ jobs.define_runner.outputs.aio-runner }}
+
+jobs:
+  define_runner:
+    environment: ${{ inputs.runner_env }}
+    runs-on: ubuntu-latest
+    outputs:
+      image-build-runner: ${{ steps.builder-runner.outputs.runner_name_image_build }}
+      container-image-build-runner: ${{ steps.container-image-build-runner.outputs.runner_name_container_image_build }}
+      aio-runner: ${{ steps.aio-runner.outputs.runner_name_aio }}
+    steps:
+      - name: Set output for image builder runner
+        run: echo "Setting runner for ${{ inputs.runner_env }} -> ${{ vars.RUNS_ON_TARGET_IMAGE_BUILDER }}"
+
+      - id: builder-runner
+        run: echo "runner_name_image_build=${{ vars.RUNS_ON_TARGET_IMAGE_BUILDER }}" >> $GITHUB_OUTPUT
+
+      - name: Set output for container image build runner
+        run: echo "Setting runner for ${{ inputs.runner_env }} -> ${{ vars.RUNS_ON_TARGET_CONTAINER_IMAGE_BUILDER }}"
+
+      - id: container-image-build-runner
+        run: echo "runner_name_container_image_build=${{ vars.RUNS_ON_TARGET_CONTAINER_IMAGE_BUILDER }}" >> $GITHUB_OUTPUT
+
+      - name: Set output for aio runner
+        run: echo "Setting runner for ${{ inputs.runner_env }} -> ${{ vars.RUNS_ON_TARGET_AIO }}"
+
+      - id: aio-runner
+        run: echo "runner_name_aio=${{ vars.RUNS_ON_TARGET_AIO }}" >> $GITHUB_OUTPUT

.github/workflows/stackhpc-container-image-build.yml

@@ -38,6 +38,13 @@ on:
         type: boolean
         required: false
         default: false
+      runner_env:
+        description: Which cloud to run on?
+        type: choice
+        default: SMS Lab
+        options:
+          - SMS Lab
+          - Leafcloud
 
 env:
   ANSIBLE_FORCE_COLOR: True
@@ -101,10 +108,15 @@ jobs:
         run: |
           echo "${{ steps.datetime_tag.outputs.datetime_tag }}"
 
+  runner-selection:
+    uses: ./.github/workflows/runner-selector.yml
+    with:
+      runner_env: ${{ inputs.runner_env }}
+
   container-image-build:
     name: Build Kolla container images
     if: github.repository == 'stackhpc/stackhpc-kayobe-config'
-    runs-on: arc-skc-container-image-builder-runner
+    runs-on: ${{ needs.runner-selection.outputs.runner_name_container_image_build }}
     timeout-minutes: 720
     permissions: {}
     strategy:
@@ -144,7 +156,7 @@ jobs:
 
       - name: Install Trivy
         run: |
-          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.49.0
+          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.67.2
 
       - name: Install yq
         run: |
@@ -164,7 +176,7 @@ jobs:
       - name: Install Docker Python SDK
         run: |
           sudo pip install docker 'requests<2.32.0'
-      
+
       - name: Get Kolla tag
         id: write-kolla-tag
         run: echo "kolla-tag=${{ needs.generate-tag.outputs.openstack_release }}-${{ matrix.distro }}-${{ matrix.distro == 'rocky' && '9' || 'jammy' }}-${{ needs.generate-tag.outputs.datetime_tag }}"  >> $GITHUB_OUTPUT

tools/scan-images.sh

@@ -11,7 +11,7 @@ set -u
 
 # Check that trivy is installed
 if ! trivy --version; then
-  echo 'Please install trivy: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.49.1'
+  echo 'Please install trivy: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.67.2'
 fi
 
 # Clear any previous outputs
@@ -21,10 +21,12 @@ rm -rf image-scan-output
 mkdir -p image-scan-output
 
 # Get built container images
-docker image ls --filter "reference=ark.stackhpc.com/stackhpc-dev/*:$2" > $1-scanned-container-images.txt
+images=$(docker image ls \
+  --filter "reference=ark.stackhpc.com/stackhpc-dev/*:$2*" \
+  --format "{{.Repository}}:{{.Tag}}")
 
-# Make a file of imagename:tag
-images=$(grep --invert-match --no-filename ^REPOSITORY $1-scanned-container-images.txt | sed 's/ \+/:/g' | cut -f 1,2 -d:)
+# Save list of images to file
+echo "$images" > "$1-scanned-container-images.txt"
 
 # Ensure output files exist
 touch image-scan-output/clean-images.txt image-scan-output/dirty-images.txt image-scan-output/critical-images.txt