RHOAIENG-16076: tests(gha): pre-pull trivy vulnerabilities db to prevent failures to download later (#777)

* RHOAIENG-16076: tests(gha): pre-pull trivy vulnerabilities db to prevent failures to download later

* fix from review; use the only true condition to check if trivy should run

Author: jiridanek

.github/workflows/build-notebooks-TEMPLATE.yaml

@@ -22,6 +22,7 @@ jobs:
     env:
       # GitHub image registry used for storing $(CONTAINER_ENGINE)'s cache
       CACHE: "ghcr.io/${{ github.repository }}/workbench-images/build-cache"
+      TRIVY_VERSION: 0.57.1
       # Targets (and their folder) that should be scanned using FS instead of IMAGE scan due to resource constraints
       TRIVY_SCAN_FS_JSON: '{}'
 
@@ -114,34 +115,6 @@ jobs:
           systemctl --user start homebrew.podman.service
           echo "PODMAN_SOCK=/run/user/${UID}/podman/podman.sock" >> $GITHUB_ENV
 
-      # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#push
-      - name: "push|schedule: make ${{ inputs.target }}"
-        run: |
-          SANITIZED_REF_NAME=$(echo "${{ github.ref_name }}" | sed 's/[^a-zA-Z0-9._-]/_/g')
-          export IMAGE_TAG="${SANITIZED_REF_NAME}_${{ github.sha }}"
-          make ${{ inputs.target }}
-        if: ${{ fromJson(inputs.github).event_name == 'push' || fromJson(inputs.github).event_name == 'schedule' }}
-        env:
-          IMAGE_REGISTRY: "ghcr.io/${{ github.repository }}/workbench-images"
-          CONTAINER_BUILD_CACHE_ARGS: "--cache-from ${{ env.CACHE }} --cache-to ${{ env.CACHE }}"
-          # dependent images were already built and pushed, so just let podman pull it
-          BUILD_DEPENDENT_IMAGES: "no"
-
-      # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request
-      - name: "pull_request: make ${{ inputs.target }}"
-        run: |
-          make ${{ inputs.target }}
-        if: "${{ fromJson(inputs.github).event_name == 'pull_request' }}"
-        env:
-          IMAGE_TAG: "${{ github.sha }}"
-          IMAGE_REGISTRY: "ghcr.io/${{ github.repository }}/workbench-images"
-          CONTAINER_BUILD_CACHE_ARGS: "--cache-from ${{ env.CACHE }}"
-          # We don't have access to image registry, so disable pushing
-          PUSH_IMAGES: "no"
-
-      - name: "Show podman images information"
-        run: podman images --digests
-
       - name: "pull_request|schedule: resolve target if Trivy scan should run"
         id: resolve-target
         if: ${{ fromJson(inputs.github).event_name == 'pull_request' || fromJson(inputs.github).event_name == 'schedule' }}
@@ -176,10 +149,57 @@ jobs:
             echo "Trivy scan won't run"
           fi
 
+      # only one db can be downloaded in one call https://github.com/aquasecurity/trivy/issues/3616
+      - name: Pre-pull Trivy vulnerabilities DB
+        if: ${{ steps.resolve-target.outputs.target }}
+        run: |
+          mkdir trivy_db
+          podman run --rm \
+            --env PODMAN_SOCK \
+            -v ${PWD}/trivy_db:/cache \
+            docker.io/aquasec/trivy:$TRIVY_VERSION \
+              --cache-dir /cache \
+              image \
+              --download-db-only
+          podman run --rm \
+            --env PODMAN_SOCK \
+            -v ${PWD}/trivy_db:/cache \
+            docker.io/aquasec/trivy:$TRIVY_VERSION \
+              --cache-dir /cache \
+              image \
+              --download-java-db-only
+
+      # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#push
+      - name: "push|schedule: make ${{ inputs.target }}"
+        run: |
+          SANITIZED_REF_NAME=$(echo "${{ github.ref_name }}" | sed 's/[^a-zA-Z0-9._-]/_/g')
+          export IMAGE_TAG="${SANITIZED_REF_NAME}_${{ github.sha }}"
+          make ${{ inputs.target }}
+        if: ${{ fromJson(inputs.github).event_name == 'push' || fromJson(inputs.github).event_name == 'schedule' }}
+        env:
+          IMAGE_REGISTRY: "ghcr.io/${{ github.repository }}/workbench-images"
+          CONTAINER_BUILD_CACHE_ARGS: "--cache-from ${{ env.CACHE }} --cache-to ${{ env.CACHE }}"
+          # dependent images were already built and pushed, so just let podman pull it
+          BUILD_DEPENDENT_IMAGES: "no"
+
+      # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request
+      - name: "pull_request: make ${{ inputs.target }}"
+        run: |
+          make ${{ inputs.target }}
+        if: "${{ fromJson(inputs.github).event_name == 'pull_request' }}"
+        env:
+          IMAGE_TAG: "${{ github.sha }}"
+          IMAGE_REGISTRY: "ghcr.io/${{ github.repository }}/workbench-images"
+          CONTAINER_BUILD_CACHE_ARGS: "--cache-from ${{ env.CACHE }}"
+          # We don't have access to image registry, so disable pushing
+          PUSH_IMAGES: "no"
+
+      - name: "Show podman images information"
+        run: podman images --digests
+
       - name: Run Trivy vulnerability scanner
         if: ${{ steps.resolve-target.outputs.target }}
         run: |
-          TRIVY_VERSION=0.53.0
           REPORT_FOLDER=${{ github.workspace }}/report
           REPORT_FILE=trivy-report.md
           REPORT_TEMPLATE=trivy-markdown.tpl
@@ -205,9 +225,12 @@ jobs:
           podman run --rm \
               $PODMAN_ARGS \
               -v ${REPORT_FOLDER}:/report \
+              -v ${PWD}/trivy_db:/cache \
               docker.io/aquasec/trivy:$TRIVY_VERSION \
+                --cache-dir /cache \
                 $SCAN_TYPE \
                 $SCAN_ARGS \
+                --skip-db-update \
                 --scanners vuln --ignore-unfixed \
                 --exit-code 0 --timeout 30m \
                 --format template --template "@/report/$REPORT_TEMPLATE" -o /report/$REPORT_FILE \