Skip to content

test: use aquasecurity repository for test images #8677

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Apr 7, 2025
Merged

test: use aquasecurity repository for test images #8677

merged 3 commits into from
Apr 7, 2025

Conversation

DmitriyLewen
Copy link
Contributor

@DmitriyLewen DmitriyLewen commented Apr 3, 2025
edited
Loading

Description

We used ghcr.io/knqyf263/trivy-test-vm-images and ghcr.io/knqyf263/trivy-test-images to avoid 429 errors.
But our error avoidance guide is working.
Therefore, I suggest returning to aquasecurity.

This will also avoid unexpected errors when the fork was changed without changes in aquasecurity, like this:
https://github.com/aquasecurity/trivy-test/actions/runs/14240065387/job/39909316221?pr=24#step:7:1750
trivy-test-images:busybox-with-lockfile. has been changed, so if tests don't use cache we will get error.

Changes

  1. use ghcr.io/aquasecurity/trivy-test-images instead of ghcr.io/knqyf263/trivy-test-images
  2. use ghcr.io/aquasecurity/trivy-test-vm-images instead of ghcr.io/knqyf263/trivy-test-vm-images
  3. Don't use restore-keys to restore images from cache
  4. Use full output of skopeo list-tags (with repository) to calc Digest for cache key.

About 3 and 4 points:
We removed repository for cache key in #7816 (see #7816 (comment) for reason)
But i found case when we don't need to do that.
When we add image archive into conteinerd (for tests)- it saves image (with name, repository,registry).
To prevent this information from affecting the tests, we are deleting it:

trivy/pkg/fanal/test/integration/containerd_test.go

Lines 241 to 245 in 6018461

// Remove the image by its original name, to ensure the image
// is known only by the tag we have given it.
err = client.ImageService().Delete(ctx, importedImageOriginalName, images.SynchronousDelete())
require.NoError(t, err)
}

But if repository of image archive != repository from testimages.ini we will see image "xxx/xxxx/trivy-test-images:xxx": not found error.

Example:
We get image ghcr.io/knqyf263/trivy-test-images:alpine-310 image from cache, but testimages.ini contains ghcr.io/aquasecurity/trivy-test-images:alpine-310.
When we try to remove ghcr.io/aquasecurity/trivy-test-images - we get error, because we added ghcr.io/knqyf263/trivy-test-images:alpine-310 into containerd.
изображение

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@DmitriyLewen DmitriyLewen self-assigned this Apr 3, 2025
@DmitriyLewen DmitriyLewen marked this pull request as ready for review April 3, 2025 10:39
@DmitriyLewen DmitriyLewen requested a review from knqyf263 as a code owner April 3, 2025 10:39
@DmitriyLewen DmitriyLewen changed the title test: use aquasecurity repositroy for test images test: use aquasecurity repository for test images Apr 3, 2025
@DmitriyLewen DmitriyLewen marked this pull request as draft April 3, 2025 11:15
@DmitriyLewen DmitriyLewen marked this pull request as ready for review April 4, 2025 09:01
@knqyf263 knqyf263 requested a review from Copilot April 7, 2025 06:24
Copilot
Copilot AI reviewed Apr 7, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.

Files not reviewed (1)
  • integration/testimages.ini: Language not supported
Comments suppressed due to low confidence (2)

.github/workflows/test.yaml:89

  • Please verify that the updated jq expression using the in-place sort (|= sort) produces an identical sorted tag list as the previous approach to ensure the computed cache key remains consistent.
DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags |= sort' | sha256sum | cut -d' ' -f1)

.github/workflows/cache-test-images.yaml:30

  • Ensure that the change to using the in-place sort operator (|= sort) in the jq command maintains the expected behavior for cache key generation, matching the previous sorting technique.
DIGEST=$(echo "$IMAGE_LIST" | jq '.Tags += ["containerd"] | .Tags |= sort' | sha256sum | cut -d' ' -f1)

@knqyf263 knqyf263 added this pull request to the merge queue Apr 7, 2025
Merged via the queue into aquasecurity:main with commit c5e03f7 Apr 7, 2025
13 checks passed
@knqyf263 knqyf263 mentioned this pull request Apr 8, 2025
Merged
6 tasks
@DmitriyLewen DmitriyLewen deleted the chore/use-aquasecurity-test-images branch April 8, 2025 04:45
@afdesk
Copy link
Contributor

afdesk commented Apr 8, 2025

@aqua-bot backport release/v0.61

github-actions bot pushed a commit that referenced this pull request Apr 8, 2025
@DmitriyLewen @actions-user
test: use aquasecurity repository for test images (#8677)
c8e67ac
@aqua-bot aqua-bot mentioned this pull request Apr 8, 2025
Merged
@aqua-bot
Copy link
Contributor

aqua-bot commented Apr 8, 2025

Backport PR created: #8698

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@knqyf263 knqyf263 knqyf263 approved these changes

Assignees

@DmitriyLewen DmitriyLewen

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@DmitriyLewen @afdesk @aqua-bot @knqyf263