Backport image scan patch

MaxBed4d · MaxBed4d · commit 93ee56281791 · 2025-12-18T14:02:42.000Z
diff --git a/.github/workflows/runner-selector.yml b/.github/workflows/runner-selector.yml
@@ -0,0 +1,48 @@
+---
+name: Create output for `runs-on` variable
+
+on:
+  workflow_call:
+    inputs:
+      runner_env:
+        description: 'The environment input from caller workflow'
+        default: 'SMS Lab'
+        required: True
+        type: string
+    outputs:
+      runner_name_image_build:
+        description: "Image builder runner name"
+        value: ${{ jobs.define_runner.outputs.image-build-runner }}
+      runner_name_container_image_build:
+        description: "Container image build runner name"
+        value: ${{ jobs.define_runner.outputs.container-image-build-runner }}
+      runner_name_aio:
+        description: "AiO runner name"
+        value: ${{ jobs.define_runner.outputs.aio-runner }}
+
+jobs:
+  define_runner:
+    environment: ${{ inputs.runner_env }}
+    runs-on: ubuntu-latest
+    outputs:
+      image-build-runner: ${{ steps.builder-runner.outputs.runner_name_image_build }}
+      container-image-build-runner: ${{ steps.container-image-build-runner.outputs.runner_name_container_image_build }}
+      aio-runner: ${{ steps.aio-runner.outputs.runner_name_aio }}
+    steps:
+      - name: Set output for image builder runner
+        run: echo "Setting runner for ${{ inputs.runner_env }} -> ${{ vars.RUNS_ON_TARGET_IMAGE_BUILDER }}"
+
+      - id: builder-runner
+        run: echo "runner_name_image_build=${{ vars.RUNS_ON_TARGET_IMAGE_BUILDER }}" >> $GITHUB_OUTPUT
+
+      - name: Set output for container image build runner
+        run: echo "Setting runner for ${{ inputs.runner_env }} -> ${{ vars.RUNS_ON_TARGET_CONTAINER_IMAGE_BUILDER }}"
+
+      - id: container-image-build-runner
+        run: echo "runner_name_container_image_build=${{ vars.RUNS_ON_TARGET_CONTAINER_IMAGE_BUILDER }}" >> $GITHUB_OUTPUT
+
+      - name: Set output for aio runner
+        run: echo "Setting runner for ${{ inputs.runner_env }} -> ${{ vars.RUNS_ON_TARGET_AIO }}"
+
+      - id: aio-runner
+        run: echo "runner_name_aio=${{ vars.RUNS_ON_TARGET_AIO }}" >> $GITHUB_OUTPUT
diff --git a/.github/workflows/stackhpc-container-image-build.yml b/.github/workflows/stackhpc-container-image-build.yml
@@ -38,6 +38,13 @@ on:
         type: boolean
         required: false
         default: false
+      runner_env:
+        description: Which cloud to run on?
+        type: choice
+        default: SMS Lab
+        options:
+          - SMS Lab
+          - Leafcloud
 
 env:
   ANSIBLE_FORCE_COLOR: True
@@ -82,29 +89,42 @@ jobs:
       # Dynamically define job matrix.
       # We need a separate matrix entry for each distribution, when the relevant input is true.
       # https://stackoverflow.com/questions/65384420/how-do-i-make-a-github-action-matrix-element-conditional
+      # NOTE(bbezak): Both amd64 and aarch64 need to be built in a single workflow to create a multi-architecture manifest.
+      # For now include only RL9 in aarch64
       - name: Generate build matrix
         id: set-matrix
         run: |
-          comma=""
-          echo -n "matrix={\"distro\": [" >> $GITHUB_OUTPUT
+          output="{'distro': ["
           if [[ ${{ inputs.rocky-linux-9 }} == 'true' ]]; then
-            echo -n "$comma\"rocky\"" >> $GITHUB_OUTPUT
-            comma=", "
+              output+="{'name': 'rocky', 'release': 9, 'arch': 'amd64'},"
+              output+="{'name': 'rocky', 'release': 9, 'arch': 'aarch64'},"
           fi
           if [[ ${{ inputs.ubuntu-jammy }} == 'true' ]]; then
-            echo -n "$comma\"ubuntu\"" >> $GITHUB_OUTPUT
-            comma=", "
+              output+="{'name': 'ubuntu', 'release': 'jammy', 'arch': 'amd64'},"
           fi
-          echo "]}" >> $GITHUB_OUTPUT
+          if [[ ${{ inputs.ubuntu-noble }} == 'true' ]]; then
+              output+="{'name': 'ubuntu', 'release': 'noble', 'arch': 'amd64'},"
+          fi
+          # remove trailing comma
+          output="${output%,}"
+          output+="]}"
+          echo "matrix=$output" >> $GITHUB_OUTPUT
 
       - name: Display container datetime tag
         run: |
           echo "${{ steps.datetime_tag.outputs.datetime_tag }}"
 
+  runner-selection:
+    uses: ./.github/workflows/runner-selector.yml
+    with:
+      runner_env: ${{ inputs.runner_env }}
+
   container-image-build:
     name: Build Kolla container images
     if: github.repository == 'stackhpc/stackhpc-kayobe-config'
-    runs-on: arc-skc-container-image-builder-runner
+    runs-on: ${{ matrix.distro.arch == 'aarch64'
+      && fromJson('["self-hosted","sms","arm64"]')
+      || needs.runner-selection.outputs.runner_name_container_image_build }}
     timeout-minutes: 720
     permissions: {}
     strategy:
@@ -144,7 +164,7 @@ jobs:
 
       - name: Install Trivy
         run: |
-          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.49.0
+          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.67.2
 
       - name: Install yq
         run: |
@@ -164,7 +184,7 @@ jobs:
       - name: Install Docker Python SDK
         run: |
           sudo pip install docker 'requests<2.32.0'
-      
+
       - name: Get Kolla tag
         id: write-kolla-tag
         run: echo "kolla-tag=${{ needs.generate-tag.outputs.openstack_release }}-${{ matrix.distro }}-${{ matrix.distro == 'rocky' && '9' || 'jammy' }}-${{ needs.generate-tag.outputs.datetime_tag }}"  >> $GITHUB_OUTPUT
diff --git a/tools/scan-images.sh b/tools/scan-images.sh
@@ -11,7 +11,7 @@ set -u
 
 # Check that trivy is installed
 if ! trivy --version; then
-  echo 'Please install trivy: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.49.1'
+  echo 'Please install trivy: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.67.2'
 fi
 
 # Clear any previous outputs
@@ -21,10 +21,12 @@ rm -rf image-scan-output
 mkdir -p image-scan-output
 
 # Get built container images
-docker image ls --filter "reference=ark.stackhpc.com/stackhpc-dev/*:$2" > $1-scanned-container-images.txt
+images=$(docker image ls \
+  --filter "reference=ark.stackhpc.com/stackhpc-dev/*:$2*" \
+  --format "{{.Repository}}:{{.Tag}}")
 
-# Make a file of imagename:tag
-images=$(grep --invert-match --no-filename ^REPOSITORY $1-scanned-container-images.txt | sed 's/ \+/:/g' | cut -f 1,2 -d:)
+# Save list of images to file
+echo "$images" > "$1-scanned-container-images.txt"
 
 # Ensure output files exist
 touch image-scan-output/clean-images.txt image-scan-output/dirty-images.txt image-scan-output/critical-images.txt
