feat: add SHA to all tagged images

.github/actions/build-node-python/action.yml

@@ -315,6 +315,7 @@ runs:
         scanners: "vuln"
         severity: ${{ inputs.trivy_severity || 'CRITICAL' }}
         skip-files: ${{ inputs.trivy_skip_files }}
+        trivyignores: ".trivyignore,./tmp/github-workflows/.github/workflows/global.trivyignore"
         # The cache update takes quite long, so let's try to disable it for now: https://github.com/aquasecurity/trivy-action#cache
         cache: "false"
       continue-on-error: false
@@ -329,6 +330,7 @@ runs:
         scanners: "vuln"
         severity: ${{ inputs.trivy_severity || 'CRITICAL' }}
         skip-files: ${{ inputs.trivy_skip_files }}
+        trivyignores: ".trivyignore,./tmp/github-workflows/.github/workflows/global.trivyignore"
         # The cache update takes quite long, so let's try to disable it for now: https://github.com/aquasecurity/trivy-action#cache
         cache: "false"
       continue-on-error: false

.github/workflows/build-docker-artifacts.yml

@@ -126,6 +126,11 @@ jobs:
 
                   const imageTagAfterRetag = (component.image_tag_prefix || '') + "${{ github.ref }}".replace('refs/heads/', '').replace('refs/tags/', '').replace(/[^a-zA-Z0-9._-]/g, '-') + (component.image_tag_suffix || '');
                   const imageTagBeforeRetag = `tagged-${imageTagAfterRetag}-${buildTime}`;
+                  const imageTagsAfterRetag = [
+                    imageTagAfterRetag,
+                    // In addition, always add the github.sha as tag for easier identification
+                    '${{ github.sha }}'
+                  ];
 
                   return {
                     ...component,
@@ -138,7 +143,7 @@ jobs:
                     build_time: buildTime,
                     image_tag_before_retag: imageTagBeforeRetag,
                     image_ref: `${{ vars.DV_AWS_ECR_REGISTRY }}/${component.ecr_repository}:${imageTagBeforeRetag}`,
-                    image_tag_after_retag: imageTagAfterRetag,
+                    image_tags_after_retag: imageTagsAfterRetag,
                     formatted_build_args: formattedBuildArgs,
                   };
                 }),
@@ -300,6 +305,7 @@ jobs:
           vuln-type: "os,library"
           severity: ${{ steps.set_severity.outputs.severity }}
           skip-files: ${{ vars.TRIVY_SKIP_FILES }}
+          trivyignores: ".trivyignore,./tmp/github-workflows/.github/workflows/global.trivyignore"
           timeout: "10m0s"
           # The cache update takes quite long, so let's try to disable it for now: https://github.com/aquasecurity/trivy-action#cache
           cache: "false"
@@ -430,17 +436,22 @@ jobs:
           for component in $(jq -c '.components[]' <<< "$FLAVOR"); do
             repository_name=$(jq -r '.ecr_repository' <<< "$component")
             image_tag_before_retag=$(jq -r '.image_tag_before_retag' <<< "$component")
-            image_tag_after_retag=$(jq -r '.image_tag_after_retag' <<< "$component")
 
-            echo "Processing repository: $repository_name, image_tag_before_retag: $image_tag_before_retag, image_tag_after_retag: $image_tag_after_retag"
-
-            IMAGE_META=$(aws ecr describe-images --repository-name "$repository_name" --image-ids imageTag="$image_tag_before_retag" --output json | jq --arg var "${image_tag_after_retag}" '.imageDetails[0].imageTags | index($var)')
-            if [[ -z "${IMAGE_META}" || "${IMAGE_META}" == "null" ]]; then
-              MANIFEST=$(aws ecr batch-get-image --repository-name "$repository_name" --image-ids imageTag="$image_tag_before_retag" --output json | jq --raw-output --join-output '.images[0].imageManifest')
-              aws ecr put-image --repository-name "$repository_name" --image-tag "$image_tag_after_retag" --image-manifest "$MANIFEST"
-            else
-              echo "Image already tagged for repository: $repository_name!"
-            fi
+            echo "Processing repository: $repository_name, image_tag_before_retag: $image_tag_before_retag"
+
+            MANIFEST=$(aws ecr batch-get-image --repository-name "$repository_name" --image-ids imageTag="$image_tag_before_retag" --output json | jq --raw-output --join-output '.images[0].imageManifest')
+
+            # Loop through all image tags after retag
+            for image_tag_after_retag in $(jq -r '.image_tags_after_retag[]' <<< "$component"); do
+              echo "Tagging with: $image_tag_after_retag"
+
+              IMAGE_META=$(aws ecr describe-images --repository-name "$repository_name" --image-ids imageTag="$image_tag_after_retag" --output json | jq --arg var "${image_tag_after_retag}" '.imageDetails[0].imageTags | index($var)' 2>/dev/null || echo "null")
+              if [[ -z "${IMAGE_META}" || "${IMAGE_META}" == "null" ]]; then
+                aws ecr put-image --repository-name "$repository_name" --image-tag "$image_tag_after_retag" --image-manifest "$MANIFEST"
+              else
+                echo "Image already tagged with $image_tag_after_retag for repository: $repository_name!"
+              fi
+            done
           done;
         env:
           FLAVOR: ${{ toJSON(matrix.flavor) }}

.github/workflows/global.trivyignore

@@ -0,0 +1,6 @@
+# libc6 is detected as 2.31-13+deb11u10 but actually installed as 2.31-13+deb11u13 (fixed)
+CVE-2025-4802
+# Reason: nbconvert: nbconvert: Arbitrary code execution via malicious SVG to PDF conversion. This is a dep by lamindb, and there's no newer version with a fix...
+CVE-2025-53000
+# No fix available for this glibc vulnerability
+CVE-2026-0861