ci: Fix scans, prevent pvc files from ending up in the final image

Merge latest ci-tools-lib
Squashed '.ci/' changes from 67529a0..ca67be5
2025-05-24 13:39:22 +00:00 · 2025-05-24 13:38:17 +00:00 · 2025-05-24 13:38:17 +00:00
3 changed files with 5 additions and 1 deletions
--- a/.ci/podman.mk
+++ b/.ci/podman.mk
@ -29,6 +29,9 @@ ARCH ::= amd64
 ALL_ARCHS ::= amd64 arm64
 _ARCH = $(or $(filter $(ARCH),$(ALL_ARCHS)),$(error $$ARCH [$(ARCH)] must be exactly one of "$(ALL_ARCHS)"))

+ifneq ($(shell ls ./.trivyignore.yaml 2>/dev/null),)
+  TRIVY_IGNORE ::= --ignorefile ./.trivyignore.yaml
+endif
 ifneq ($(TRIVY_REMOTE),)
 	TRIVY_OPTS ::= --server $(TRIVY_REMOTE)
 endif
@ -49,7 +52,7 @@ test:: ## test built artificats

 scan: ## Scan image using trivy
 	echo "Scanning $(IMAGE):$(TAG)-$(_ARCH) using Trivy $(TRIVY_REMOTE)"
-	trivy image $(TRIVY_OPTS) --quiet --no-progress localhost/$(IMAGE):$(TAG)-$(_ARCH)
+	trivy image $(TRIVY_OPTS) --quiet --no-progress $(TRIVY_IGNORE) localhost/$(IMAGE):$(TAG)-$(_ARCH)

 # first tag and push all actual images
 # create new manifest for each tag and add all available TAG-ARCH before pushing
--- a/.trivyignore.yaml
+++ b/.trivyignore.yaml
--- a/1
+++ b/1
@ -21,6 +21,7 @@ RUN apk add --no-cache \
 ENV VIRTUAL_ENV=/venv
 RUN python -m venv $VIRTUAL_ENV
 ENV PATH="$VIRTUAL_ENV/bin:$PATH"
+ENV PYTHONPYCACHEPREFIX="$HOME/.cache/cpython/"

 # Install CloudBender
 WORKDIR /app
Author	SHA1	Message	Date
Stefan Reimer	316eba9d42	ci: Fix scans, prevent pvc files from ending up in the final image Some checks failed ZeroDownTime/CloudBender/pipeline/head There was a failure building this commit Details	2025-05-24 13:39:22 +00:00
Stefan Reimer	3d55b16e7b	Merge latest ci-tools-lib	2025-05-24 13:38:17 +00:00
Stefan Reimer	cd49e55a3b	Squashed '.ci/' changes from 67529a0..ca67be5 ca67be5 feat: only set TRIVY_IGNORE of file present git-subtree-dir: .ci git-subtree-split: ca67be57ee80e190ce07719b16bc0059267cbdb4	2025-05-24 13:38:17 +00:00