wombatu-kun opened a new pull request, #16660:
URL: https://github.com/apache/iceberg/pull/16660

   ## Problem
   
   The CVE Scan workflow intermittently fails while pulling the Trivy scanner 
image. Recent examples are #16657 (job `flink-runtime-1.20`) and #16652 (job 
`open-api-test-fixtures-runtime`), which both failed the same way within hours 
of each other:
   
   ```
   Running Trivy in sandboxed container (aquasec/trivy:0.69.3@sha256:bcc376...)...
   Unable to find image 'aquasec/trivy:...' locally
   docker: Error response from daemon: Get "https://registry-1.docker.io/v2/": context deadline exceeded
   ##[error]Process completed with exit code 125
   ```
   
   `lhotari/sandboxed-trivy-action` runs Trivy inside a Docker container. The 
scanner image is not cached on the runner, so Docker pulls it from Docker Hub, 
and that pull occasionally times out (`context deadline exceeded`, exit code 
125), failing the job and blocking unrelated PRs. It hits different matrix 
entries on different PRs, which marks it as transient infrastructure flakiness 
rather than a code issue.
   
   This is a transient Docker Hub availability blip, not a rate limit: the 
error is a network timeout rather than an HTTP 429, and GitHub-hosted runners 
are exempt from Docker Hub's anonymous pull limits for public images.
   
   ## Change
   
   Pre-pull the scanner image before the scan, with a bounded retry and 
backoff. The action's `docker run` uses Docker's default `--pull=missing`, so 
once the image is present locally it is reused and the registry is not 
contacted again. The image is defined once as a job-level `TRIVY_IMAGE` env var 
and passed to the action via its `trivy-image` input, so the pre-pulled image 
and the scanned image are guaranteed identical (and the digest pin is 
preserved). The retry is bounded to 5 attempts with linear backoff, so it stays 
polite to the registry and fails cleanly if Docker Hub is genuinely down.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
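The pre-pull with bounded retry and linear backoff that the PR description outlines, written out as an added example of what a workflow `run:` step could carry before the scan. This is not the PR's own step and not Iceberg project code; the `TRIVY_IMAGE` variable comes from the description, while `PULL_MAX_ATTEMPTS`, `PULL_BACKOFF_BASE_SECONDS`, the 10-second backoff base, and the `DOCKER_CMD`/`SLEEP_CMD` indirections (which let the retry logic be exercised offline without Docker or real sleeps) are assumptions made here.

```shell
#!/usr/bin/env sh
# Added example (not the PR's workflow step): pre-pull a digest-pinned scanner
# image with a bounded retry and linear backoff so that the later `docker run`
# (which uses Docker's default --pull=missing) finds it locally and never
# contacts the registry again.
set -u

# Assumed defaults: 5 attempts as in the PR text, linear backoff of
# attempt * 10s (10s, 20s, 30s, 40s) between attempts.
PULL_MAX_ATTEMPTS="${PULL_MAX_ATTEMPTS:-5}"
PULL_BACKOFF_BASE_SECONDS="${PULL_BACKOFF_BASE_SECONDS:-10}"
# Assumed indirections so the logic can be tested with a fake `docker` and no sleeping.
DOCKER_CMD="${DOCKER_CMD:-docker}"
SLEEP_CMD="${SLEEP_CMD:-sleep}"

# backoff_seconds N: delay to wait after failed attempt N (linear: N * base).
backoff_seconds() {
  echo $(( $1 * PULL_BACKOFF_BASE_SECONDS ))
}

# pull_with_retry IMAGE: returns 0 as soon as one pull succeeds, 1 once
# PULL_MAX_ATTEMPTS pulls have failed, so a genuinely unavailable registry
# fails the job cleanly instead of hanging forever.
pull_with_retry() {
  local image="$1"
  local attempt=1
  local delay
  while :; do
    if "$DOCKER_CMD" pull "$image"; then
      echo "pulled $image on attempt $attempt" >&2
      return 0
    fi
    if [ "$attempt" -ge "$PULL_MAX_ATTEMPTS" ]; then
      echo "giving up on $image after $attempt attempts" >&2
      return 1
    fi
    delay=$(backoff_seconds "$attempt")
    echo "pull of $image failed (attempt $attempt/$PULL_MAX_ATTEMPTS); retrying in ${delay}s" >&2
    "$SLEEP_CMD" "$delay"
    attempt=$(( attempt + 1 ))
  done
}

# Entry point for a workflow step: TRIVY_IMAGE is the job-level env var the
# description defines; the same value is then passed to the action's trivy-image input.
if [ -n "${TRIVY_IMAGE:-}" ]; then
  pull_with_retry "$TRIVY_IMAGE"
else
  echo "TRIVY_IMAGE not set; nothing to pre-pull" >&2
fi
```

The pull is the only network call in the step, and because the image reference carries the digest pin, a cached image is reused by the subsequent `docker run` only if it is byte-for-byte the image the scan was meant to use.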