undo this

owenjones · owenjones · commit 13b4f9aead60 · 2026-03-05T16:20:46.000Z
diff --git a/.github/workflows/stackhpc-container-image-build.yml b/.github/workflows/stackhpc-container-image-build.yml
@@ -264,60 +264,59 @@ jobs:
       - name: Fail if no images have been built
         run: if [ $(wc -l < ${{ matrix.distro.name }}-${{ matrix.distro.release }}-container-images) -le 1 ]; then exit 1; fi
 
-      # NOTE(owenjones): temp. disabled scanning while playing with RL10 container builds
-      # - name: Scan built container images
-      #   run: src/kayobe-config/tools/scan-images.sh ${{ matrix.distro.name }}-${{ matrix.distro.release }} ${{ steps.write-kolla-tag.outputs.kolla-tag }} ${{ inputs.sbom && '--sbom' }}
-
-      # - name: Move image scan logs to output artifact
-      #   run: mv image-scan-output image-build-logs/image-scan-output
-      #   if: ${{ !cancelled() }}
-
-      # - name: Fail if any images have critical vulnerabilities
-      #   run: if [ $(wc -l < image-build-logs/image-scan-output/critical-images.txt) -gt 0 ]; then exit 1; fi
-      #   if: ${{ !inputs.push-critical }}
-
-      # - name: Copy clean images to push-attempt-images list
-      #   run: cp image-build-logs/image-scan-output/clean-images.txt image-build-logs/push-attempt-images.txt
-      #   if: inputs.push
-
-      # # NOTE(seunghun1ee): This always appends dirty images with CVEs severity lower than critical.
-      # # This should be reverted when it's decided to filter high level CVEs as well.
-      # - name: Append dirty images to push list
-      #   run: |
-      #     cat image-build-logs/image-scan-output/high-images.txt >> image-build-logs/push-attempt-images.txt
-      #   if: ${{ inputs.push }}
-
-      # - name: Append images with critical vulnerabilities to push list
-      #   run: |
-      #     cat image-build-logs/image-scan-output/critical-images.txt >> image-build-logs/push-attempt-images.txt
-      #   if: ${{ inputs.push && inputs.push-critical }}
-
-      # - name: Push images
-      #   run: |
-      #     touch image-build-logs/push-failed-images.txt
-      #     source venvs/kayobe/bin/activate &&
-      #     source src/kayobe-config/kayobe-env --environment ci-builder &&
-      #     kayobe playbook run ${KAYOBE_CONFIG_PATH}/ansible/tools/docker-registry-login.yml &&
-
-      #     while read -r image; do
-      #       # Retries!
-      #       for i in {1..5}; do
-      #         if docker push $image; then
-      #           echo "Pushed $image"
-      #           break
-      #         elif [ $i -eq 5 ] ; then
-      #           echo "Failed to push $image"
-      #           echo $image >> image-build-logs/push-failed-images.txt
-      #         else
-      #           echo "Failed on retry $i"
-      #           sleep 5
-      #         fi;
-      #       done
-      #     done < image-build-logs/push-attempt-images.txt
-      #   shell: bash
-      #   env:
-      #     KAYOBE_VAULT_PASSWORD: ${{ secrets.KAYOBE_VAULT_PASSWORD_CI_BUILDER }}
-      #   if: inputs.push
+      - name: Scan built container images
+        run: src/kayobe-config/tools/scan-images.sh ${{ matrix.distro.name }}-${{ matrix.distro.release }} ${{ steps.write-kolla-tag.outputs.kolla-tag }} ${{ inputs.sbom && '--sbom' }}
+
+      - name: Move image scan logs to output artifact
+        run: mv image-scan-output image-build-logs/image-scan-output
+        if: ${{ !cancelled() }}
+
+      - name: Fail if any images have critical vulnerabilities
+        run: if [ $(wc -l < image-build-logs/image-scan-output/critical-images.txt) -gt 0 ]; then exit 1; fi
+        if: ${{ !inputs.push-critical }}
+
+      - name: Copy clean images to push-attempt-images list
+        run: cp image-build-logs/image-scan-output/clean-images.txt image-build-logs/push-attempt-images.txt
+        if: inputs.push
+
+      # NOTE(seunghun1ee): This always appends dirty images with CVEs severity lower than critical.
+      # This should be reverted when it's decided to filter high level CVEs as well.
+      - name: Append dirty images to push list
+        run: |
+          cat image-build-logs/image-scan-output/high-images.txt >> image-build-logs/push-attempt-images.txt
+        if: ${{ inputs.push }}
+
+      - name: Append images with critical vulnerabilities to push list
+        run: |
+          cat image-build-logs/image-scan-output/critical-images.txt >> image-build-logs/push-attempt-images.txt
+        if: ${{ inputs.push && inputs.push-critical }}
+
+      - name: Push images
+        run: |
+          touch image-build-logs/push-failed-images.txt
+          source venvs/kayobe/bin/activate &&
+          source src/kayobe-config/kayobe-env --environment ci-builder &&
+          kayobe playbook run ${KAYOBE_CONFIG_PATH}/ansible/tools/docker-registry-login.yml &&
+
+          while read -r image; do
+            # Retries!
+            for i in {1..5}; do
+              if docker push $image; then
+                echo "Pushed $image"
+                break
+              elif [ $i -eq 5 ] ; then
+                echo "Failed to push $image"
+                echo $image >> image-build-logs/push-failed-images.txt
+              else
+                echo "Failed on retry $i"
+                sleep 5
+              fi;
+            done
+          done < image-build-logs/push-attempt-images.txt
+        shell: bash
+        env:
+          KAYOBE_VAULT_PASSWORD: ${{ secrets.KAYOBE_VAULT_PASSWORD_CI_BUILDER }}
+        if: inputs.push
 
       - name: Upload output artifact
         uses: actions/upload-artifact@v6
