test noscan reason

.github/workflows/Readme.md

@@ -190,8 +190,8 @@ This job builds the Docker image using Docker Buildx and saves it for later use.
    - Image is tagged using the format: `{dockerfile_name}-{platform_tag}:{date}`.
    - Specifies the target platform (`linux/arm64` or `linux/amd64`).
    - Uses caching mechanisms:
-     - `cache-from: type=gha` to pull cache from GitHub Actions cache.
-     - `cache-to: type=gha,mode=max` to save build cache layers.
+     - `cache-from: type=local,src=${{env.CACHELOC}}` to pull cache from local storage cache.
+     - `cache-to: type=local,dest=${{env.CACHELOC}},mode=max` to save build cache layers to the local storage.
 
 5. **Save Docker Image**:
    - Saves the built Docker image to `image.tar`.
@@ -290,6 +290,19 @@ F  - The workflow reads the `org.opencontainers.image.arch` label in the Dockerf
 
 This comprehensive workflow automates the building, scanning, and deployment of Docker images in a secure and efficient manner. By incorporating caching mechanisms and cross-platform capabilities, it ensures that images are built quickly and are compatible with various architectures. The inclusion of a vulnerability scanning step enhances security, while the manual approval process before deployment adds an extra layer of control. This workflow is a robust solution for continuous integration and deployment pipelines involving Docker images.
 
+## Issues
+1. Proposal for org.opencontainers.image.notar=true Functionality (**to be discussed**)
+
+Q: Should we add a org.opencontainers.image.notar=true functionality similar to noscan for large OCI images?
+A: The use of TAR files in the current workflow is designed to accelerate data (image) transfer. Each job is stateless and relies on artifacts for communication. However, uploading and downloading artifacts via GitHub for each job is too slow. By packaging OCI images into TAR files, we achieve two key benefits:
+
+- **Faster Scanning**: While Trivy supports scanning OCI images, pulling them via Docker is slow. Using TAR files speeds up this process.
+- **Efficient Deployment**: TAR files allow rapid deployment to platforms like Ella or Setonix via Acacia, avoiding the slower process of uploading to Quay.io and re-downloading for various tasks.
+For example, without TAR, a 10GB image takes about 1.5 hours for scanning and deployment. With TAR, the same process completes in just 4 minutes, enabling us to handle 20-30 versions per day.
+
+Adding a notar functionality might conflict with the current workflow since it would likely require removing scanning and automated deployment features, making the process slower and less efficient. While adding notar could be considered, it should be **aligned with the workflow’s clearly defined steps to avoid unnecessary slowdowns**.
+
+
 ## License
 This project is licensed under the GNU GPL 3.0 License.
 

.github/workflows/docker-ci.yml

@@ -143,8 +143,16 @@ jobs:
           
            # check Dockerfile includes org.opencontainers.image.noscan=true
           if grep -q -E '^[^#]*LABEL\s+org\.opencontainers\.image\.noscan\s*=\s*true' "$file"; then
-            echo "Dockerfile contains org.opencontainers.image.noscan=true. Setting trivy to noscan."
-            echo "noscan=true" >> $GITHUB_OUTPUT
+            if grep -q -E '^[^#]*LABEL\s+org\.opencontainers\.image\.noscanreason\s*' "$file"; then 
+              echo "Dockerfile contains org.opencontainers.image.noscan=true. Setting trivy to noscan as a reason is provided."
+              echo "noscan=true" >> $GITHUB_OUTPUT
+              reason=$(grep -E '^[^#]*LABEL\s+org\.opencontainers\.image\.noscanreason\s*' "$file")
+              echo "noscanreason=${reason}" >> $GITHUB_OUTPUT
+            else
+              echo "Dockerfile does not contain reason for no scan, please set org.opencontainers.image.noscanreason."
+              echo "Setting proceed_valid to false."
+              echo "proceed_valid=false" >> $GITHUB_OUTPUT
+            fi
           else
             echo "Dockerfile does not contain org.opencontainers.image.noscan=true. Setting trivy to default."
             echo "noscan=false" >> $GITHUB_OUTPUT

arm/ex1.dockerfile

@@ -6,7 +6,7 @@ LABEL org.opencontainers.image.arch=arm
 LABEL org.opencontainers.image.compilation=auto
 LABEL org.opencontainers.image.devmode=false
 LABEL org.opencontainers.image.noscan=true
-LABEL org.opencontainers.image.minversion="0.0.5"
+LABEL org.opencontainers.image.minversion="0.0.6"
 
 ENV MYVALUE="VALUE2"
 # Install curl package