Remove trivy scanning

assumptionsandg · assumptionsandg · commit 417c0f47cea4 · 2025-11-25T14:58:33.000Z
diff --git a/.github/workflows/stackhpc-container-image-build.yml b/.github/workflows/stackhpc-container-image-build.yml
@@ -250,32 +250,6 @@ jobs:
       - name: Fail if no images have been built
         run: if [ $(wc -l < ${{ matrix.distro.name }}-${{ matrix.distro.release }}-container-images) -le 1 ]; then exit 1; fi
 
-      - name: Scan built container images
-        run: src/kayobe-config/tools/scan-images.sh ${{ matrix.distro.name }}-${{ matrix.distro.release }} ${{ steps.write-kolla-tag.outputs.kolla-tag }} ${{ inputs.sbom && '--sbom' }}
-
-      - name: Move image scan logs to output artifact
-        run: mv image-scan-output image-build-logs/image-scan-output
-
-      - name: Fail if any images have critical vulnerabilities
-        run: if [ $(wc -l < image-build-logs/image-scan-output/critical-images.txt) -gt 0 ]; then exit 1; fi
-        if: ${{ !inputs.push-critical }}
-
-      - name: Copy clean images to push-attempt-images list
-        run: cp image-build-logs/image-scan-output/clean-images.txt image-build-logs/push-attempt-images.txt
-        if: inputs.push
-
-      # NOTE(seunghun1ee): This always appends dirty images with CVEs severity lower than critical.
-      # This should be reverted when it's decided to filter high level CVEs as well.
-      - name: Append dirty images to push list
-        run: |
-          cat image-build-logs/image-scan-output/high-images.txt >> image-build-logs/push-attempt-images.txt
-        if: ${{ inputs.push }}
-
-      - name: Append images with critical vulnerabilities to push list
-        run: |
-          cat image-build-logs/image-scan-output/critical-images.txt >> image-build-logs/push-attempt-images.txt
-        if: ${{ inputs.push && inputs.push-critical }}
-
       - name: Push images
         run: |
           touch image-build-logs/push-failed-images.txt
@@ -326,10 +300,6 @@ jobs:
       #   run: if [ $(wc -l < image-build-logs/image-scan-output/high-images.txt) -gt 0 ]; then cat image-build-logs/image-scan-output/high-images.txt && exit 1; fi
       #   if: ${{ !inputs.push-critical && !cancelled() }}
 
-      - name: Fail when critical vulnerabilities are found
-        run: if [ $(wc -l < image-build-logs/image-scan-output/critical-images.txt) -gt 0 ]; then cat image-build-logs/image-scan-output/critical-images.txt && exit 1; fi
-        if: ${{ !inputs.push-critical && !cancelled() }}
-
       - name: Remove locally built images for this run
         if: always() && runner.arch == 'ARM64'
         run: |
