kevinjqliu commented on code in PR #16660:
URL: https://github.com/apache/iceberg/pull/16660#discussion_r3400837186
##########
.github/workflows/cve-scan.yml:
##########
@@ -51,6 +51,11 @@ jobs:
# ------------------------------------------------------------------
cve-scan:
runs-on: ubuntu-24.04
+ env:
+ # Trivy scanner image, pinned by digest (matches
lhotari/sandboxed-trivy-action's
+ # default at the pinned ref). Pre-pulled with retry below to absorb
transient Docker
+ # Hub (registry-1.docker.io) timeouts that otherwise fail the job with
exit code 125.
+ TRIVY_IMAGE:
aquasec/trivy:0.69.3@sha256:bcc376de8d77cfe086a917230e818dc9f8528e3c852f7b1aff648949b6258d1c
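Review bot: the comment on `TRIVY_IMAGE` claims the digest matches lhotari/sandboxed-trivy-action's default at the pinned ref, but nothing in the hunk lets a reader verify that; put the action ref (or the line in the action where the default lives) next to the digest so the two can be bumped together. Also note that with a `tag@sha256:...` reference Docker resolves only by digest, so `0.69.3` is documentation that has to be kept in sync by hand when the digest changes.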
Review Comment:
```suggestion
# Trivy scanner image. Use Aqua's official GHCR image instead of
Docker Hub
# to avoid transient registry-1.docker.io pull timeouts on
GitHub-hosted runners.
TRIVY_IMAGE:
ghcr.io/aquasecurity/trivy:0.69.3@sha256:bcc376de8d77cfe086a917230e818dc9f8528e3c852f7b1aff648949b6258d1c
```
It looks like Trivy also publishes to GHCR with the same digest. This can also help with the timeout issue.
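An added example (not code from the PR or from the Iceberg project) of the check a reviewer would want before accepting a registry switch: parse a workflow image reference, reject references that are not digest-pinned, and confirm that the Docker Hub and GHCR references from this comment pin the same manifest. The reference strings are copied from this thread; the parsing rules are a simplification of Docker's reference grammar.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Image references from this review thread: the same Trivy release on Docker Hub
# and on GHCR, both pinned to the same manifest digest.
DOCKERHUB_REF = "aquasec/trivy:0.69.3@sha256:bcc376de8d77cfe086a917230e818dc9f8528e3c852f7b1aff648949b6258d1c"
GHCR_REF = "ghcr.io/aquasecurity/trivy:0.69.3@sha256:bcc376de8d77cfe086a917230e818dc9f8528e3c852f7b1aff648949b6258d1c"

_DIGEST = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split name[:tag][@digest]. The first path component is a registry only if it
    contains '.' or ':' (or is 'localhost'); otherwise Docker Hub is implied."""
    name, _, digest = ref.partition("@")
    if digest and not _DIGEST.match(digest):
        raise ValueError(f"malformed digest in {ref!r}")
    head, _, rest = name.partition("/")
    if rest and ("." in head or ":" in head or head == "localhost"):
        registry, path = head, rest
    else:
        registry, path = "docker.io", name
    repository, _, tag = path.partition(":")
    return ImageRef(registry, repository, tag or None, digest or None)


def is_digest_pinned(ref: str) -> bool:
    """A tag alone is mutable; only a digest pins the exact manifest the job runs."""
    return parse_image_ref(ref).digest is not None


def same_pinned_content(a: str, b: str) -> bool:
    """True when both references are digest-pinned to the same manifest,
    regardless of which registry serves it."""
    da, db = parse_image_ref(a).digest, parse_image_ref(b).digest
    return da is not None and da == db
```

Matching digests prove the two references name the same manifest; that GHCR actually serves that digest still has to be confirmed against the registry before the workflow is switched.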
##########
.github/workflows/cve-scan.yml:
##########
@@ -142,6 +147,19 @@ jobs:
else
cp ${{ matrix.scan-path }}/iceberg-${{ matrix.distribution }}-*.jar
/tmp/cve-scan/
fi
+ - name: Pull Trivy image (with retry)
+ # Pre-pull the scanner image so the action's docker run finds it locally
and never hits
+ # the registry. Retrying with backoff absorbs transient Docker Hub
timeouts (exit 125).
+ run: |
+ for attempt in 1 2 3 4 5; do
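Review bot: the step comment says the action's `docker run` "never hits the registry" after the pre-pull, which holds only if the action runs exactly the same reference (`${TRIVY_IMAGE}`, digest included) and does not force a pull; the hunk does not show how the image reference reaches the action, so document that wiring in the comment, and consider a `docker image inspect "${TRIVY_IMAGE}" >/dev/null` after the loop so a mismatch fails in this step rather than later in the scan.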
Review Comment:
nit: the loop sleeps after the 5th failed pull even though there is no 6th
retry, and the log says "retrying" on the final failed attempt.
Could we avoid the final sleep / misleading message? For example:
```bash
for attempt in 1 2 3 4 5; do
  if docker pull "${TRIVY_IMAGE}"; then
    exit 0
  fi
  if [ "${attempt}" = "5" ]; then
    break
  fi
  echo "docker pull failed (attempt ${attempt}/5); retrying in $((attempt * 10))s..." >&2
  sleep "$((attempt * 10))"
done
echo "Failed to pull ${TRIVY_IMAGE} after 5 attempts" >&2
exit 1
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.