Try to gate all jobs with trivy cache job

to avoid failing later. Also, since jobs run in parallel, they may start
populating the cache at the same time which will result in multiple
requests for the trivy database, making the caching mechanism useless.
Doing it once before everything should solve this.

Signed-off-by: Dimitris Karakasilis <[email protected]>

.github/workflows/image-pr.yaml

@@ -12,9 +12,31 @@ env:
   FORCE_COLOR: 1
   EARTHLY_TOKEN: ${{ secrets.EARTHLY_TOKEN }}
 jobs:
+  # Populate the trivy cache once for all later jobs to use
+  trivy-cache:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+        with:
+          fetch-depth: 0
+      - name: Install earthly
+        uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1
+        with:
+          repository: quay.io/kairos/packages
+          packages: utils/earthly
+      - name: Restore trivy cache
+        uses: yogeshlonkar/trivy-cache-action@v0
+        with:
+          gh-token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Populate trivy Cache
+        run: |
+          [ ! -d ".trivy" ] && mkdir -p ".trivy"
+          earthly +trivy-download-db --DIR .trivy
   core-ubuntu-22-lts:
     uses: ./.github/workflows/reusable-build-flavor.yaml
     secrets: inherit
+    needs:
+      - trivy-cache
     permissions:
       contents: write
       security-events: write
@@ -42,6 +64,8 @@ jobs:
   core-ubuntu-24-lts:
     uses: ./.github/workflows/reusable-build-flavor.yaml
     secrets: inherit
+    needs:
+      - trivy-cache
     permissions:
       contents: write
       security-events: write
@@ -69,6 +93,8 @@ jobs:
   core-alpine:
     uses: ./.github/workflows/reusable-build-flavor.yaml
     secrets: inherit
+    needs:
+      - trivy-cache
     permissions:
       contents: write
       security-events: write
@@ -96,6 +122,8 @@ jobs:
   standard:
     uses: ./.github/workflows/reusable-build-provider.yaml
     secrets: inherit
+    needs:
+      - trivy-cache
     permissions:
       id-token: write  # OIDC support
       contents: write
@@ -128,6 +156,7 @@ jobs:
       flavor_release: "24.04"
       secureboot: false
     needs:
+      - trivy-cache
       - core-ubuntu-24-lts
 
   install-target:
@@ -138,6 +167,7 @@ jobs:
       flavor_release: "24.04"
       secureboot: false
     needs:
+      - trivy-cache
       - core-ubuntu-24-lts
 
   install-secureboot:
@@ -148,6 +178,7 @@ jobs:
       flavor_release: "24.04"
       secureboot: true
     needs:
+      - trivy-cache
       - core-ubuntu-24-lts
 
   install-alpine:
@@ -157,6 +188,7 @@ jobs:
       flavor: alpine
       flavor_release: "3.19"
     needs:
+      - trivy-cache
       - core-alpine
 
   zfs:
@@ -166,6 +198,7 @@ jobs:
       flavor: ubuntu
       flavor_release: "22.04"
     needs:
+      - trivy-cache
       - core-ubuntu-22-lts
 
   acceptance:
@@ -175,6 +208,7 @@ jobs:
       flavor: ubuntu
       flavor_release: "24.04"
     needs:
+      - trivy-cache
       - core-ubuntu-24-lts
 
   acceptance-alpine:
@@ -184,6 +218,7 @@ jobs:
       flavor: alpine
       flavor_release: "3.19"
     needs:
+      - trivy-cache
       - core-alpine
 
   bundles:
@@ -193,6 +228,7 @@ jobs:
       flavor: ubuntu
       flavor_release: "24.04"
     needs:
+      - trivy-cache
       - core-ubuntu-24-lts
 
   reset:
@@ -202,6 +238,7 @@ jobs:
       flavor: ubuntu
       flavor_release: "24.04"
     needs:
+      - trivy-cache
       - core-ubuntu-24-lts
 
   reset-alpine:
@@ -211,6 +248,7 @@ jobs:
       flavor: alpine
       flavor_release: "3.19"
     needs:
+      - trivy-cache
       - core-alpine
 
   netboot:
@@ -224,6 +262,7 @@ jobs:
       model: generic
       variant: core
     needs:
+      - trivy-cache
       - core-ubuntu-24-lts
 
   netboot-alpine:
@@ -237,6 +276,7 @@ jobs:
       model: generic
       variant: core
     needs:
+      - trivy-cache
       - core-alpine
 
   upgrade:
@@ -246,6 +286,7 @@ jobs:
       flavor: ubuntu
       flavor_release: "24.04"
     needs:
+      - trivy-cache
       - core-ubuntu-24-lts
 
   upgrade-alpine:
@@ -255,6 +296,7 @@ jobs:
       flavor: alpine
       flavor_release: "3.19"
     needs:
+      - trivy-cache
       - core-alpine
 
   upgrade-latest:
@@ -266,6 +308,7 @@ jobs:
       family: "ubuntu"
       # release_matcher: "23.10"  # introduced so tests can be green while we wait for the kairos release with the latest flavor release
     needs:
+      - trivy-cache
       - core-ubuntu-24-lts
 
   # enable once the first alpine only release is out as it currently cannot find the latest alpine release properly
@@ -275,6 +318,7 @@ jobs:
   #     flavor: alpine
   #     flavor_release: "3.19"
   #   needs:
+  #     - trivy-cache
   #     - core-alpine
 
   custom-partitioning:
@@ -299,6 +343,7 @@ jobs:
       flavor: ${{ matrix.flavor }}
       flavor_release: ${{ matrix.flavorRelease }}
     needs:
+      - trivy-cache
       - core-ubuntu-24-lts
     strategy:
       fail-fast: true
@@ -315,6 +360,7 @@ jobs:
       flavor_release: "24.04"
       label: ${{ matrix.label }}
     needs:
+      - trivy-cache
       - core-ubuntu-24-lts
     strategy:
       fail-fast: true
@@ -334,6 +380,7 @@ jobs:
       flavor_release: "3.19"
       label: ${{ matrix.label }}
     needs:
+      - trivy-cache
       - core-alpine
     strategy:
       fail-fast: true