
9d8e0ea01f Merge latest ci-tools-lib
Some checks failed
ZeroDownTime/CloudBender/pipeline/head There was a failure building this commit
2025-05-23 18:09:37 +00:00
a32bab422f Squashed '.ci/' changes from 15e4d1f..67529a0
67529a0 Fix: revert to std trivyignore file due to new flag handling
9725c2e fix: ensure we dont remove rc builds
a5cd89d feat: improve tag parsing, ensure dirty is added if needed

git-subtree-dir: .ci
git-subtree-split: 67529a07cfa28b3324b87f7d56dcaa3673ff987a
2025-05-23 18:09:37 +00:00
3cf3450b58 ci: make trivy work again 2025-05-23 18:09:30 +00:00
4 changed files with 5 additions and 7 deletions


@ -41,7 +41,8 @@ for image in sorted(images, key=lambda d: d['imagePushedAt'], reverse=True):
_delete = True
for tag in image["imageTags"]:
# Look for at least one tag NOT beign a SemVer dev tag
if "-" not in tag:
# untagged dev builds get tagged as <tag>-g<commit>
if "-g" not in tag and "dirty" not in tag:
_delete = False
if _delete:
print("Deleting development image {}".format(image["imageTags"]))
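Review bot: The rewritten test `if "-g" not in tag and "dirty" not in tag:` is a bare substring match, so a release tag that merely contains `-g` somewhere (a `-ga` or `-gamma` style suffix, for instance) would stop protecting its image, whereas `git describe` only ever emits `-g` followed by a hex commit id. Since this is the deletion path, a false match removes a non-development image; anchoring the pattern, e.g. a module-level `DEV_TAG = re.compile(r"-g[0-9a-f]{7,}(-dirty)?$|-dirty$")` and `if not DEV_TAG.search(tag):` here, keeps the check precise and still keeps `-rc` builds as intended. The `for image` loop begins in the hunk header's context and continues past this hunk, so the actual delete call is not visible here; if the `beign` comment line survives on the new side, it should read `being`.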


@ -8,8 +8,8 @@ SHELL := bash
.PHONY: all # All targets are accessible for user
.DEFAULT: help # Running Make will run the help target
# Parse version from latest git semver tag
GIT_TAG ?= $(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null)
# Parse version from latest git semver tag, use short commit otherwise
GIT_TAG ?= $(shell git describe --tags --match v*.*.* --dirty 2>/dev/null || git describe --match="" --always --dirty 2>/dev/null)
GIT_BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null)
TAG ::= $(GIT_TAG)
@ -49,7 +49,7 @@ test:: ## test built artificats
scan: ## Scan image using trivy
echo "Scanning $(IMAGE):$(TAG)-$(_ARCH) using Trivy $(TRIVY_REMOTE)"
trivy image $(TRIVY_OPTS) --quiet --no-progress --ignorefile ./.trivyignore.yaml localhost/$(IMAGE):$(TAG)-$(_ARCH)
trivy image $(TRIVY_OPTS) --quiet --no-progress localhost/$(IMAGE):$(TAG)-$(_ARCH)
# first tag and push all actual images
# create new manifest for each tag and add all available TAG-ARCH before pushing
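Review bot: The new `trivy image` recipe sets no `--exit-code` (or `--severity`) of its own, so unless `TRIVY_OPTS`, which is defined outside this hunk, supplies them, trivy returns 0 on findings and `scan` reports without ever failing the build. If the target is meant to gate the pipeline, `trivy image $(TRIVY_OPTS) --quiet --no-progress --exit-code 1 localhost/$(IMAGE):$(TAG)-$(_ARCH)` makes that explicit rather than relying on an opaque variable. With `--ignorefile` dropped, which suppressions apply now depends on what trivy auto-discovers in the working directory, which this hunk does not show; a one-line comment above the recipe such as `# suppressions come from the default .trivyignore in the working dir` would record the intent of the revert for the next reader.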


@ -33,9 +33,6 @@ RUN curl -fsSL https://get.pulumi.com/ | sh -s -- --version $(pip show pulumi --
# minimal pulumi
RUN cd /root/.pulumi/bin && rm -f *dotnet *yaml *go *java && strip pulumi* || true
# Remove AWS keys from docstring to prevent trivy alerts later
RUN sed -i -e 's/AKIA.*//' /venv/lib/python${RUNTIME_VERSION}/site-packages/pulumi_aws/lightsail/bucket_access_key.py
# Now build the final runtime, incl. running rootless containers
FROM python:${RUNTIME_VERSION}-alpine${DISTRO_VERSION}