From 03a616169d5648101cd2d97f99b079d93746b2e5 Mon Sep 17 00:00:00 2001 From: Michael Puehringer Date: Fri, 16 Jan 2026 08:31:37 +0100 Subject: [PATCH 1/3] feat: add SHA to all tagged images --- .github/workflows/build-docker-artifacts.yml | 34 +++++++++++++------- 1 file changed, 22 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build-docker-artifacts.yml b/.github/workflows/build-docker-artifacts.yml index ad78db8c..2228e53b 100644 --- a/.github/workflows/build-docker-artifacts.yml +++ b/.github/workflows/build-docker-artifacts.yml @@ -46,7 +46,7 @@ concurrency: cancel-in-progress: true env: - WORKFLOW_BRANCH: "main" + WORKFLOW_BRANCH: "mp/retag_with_sha" DATAVISYN_PYTHON_BASE_IMAGE: "188237246440.dkr.ecr.eu-central-1.amazonaws.com/datavisyn/base/python:main" DATAVISYN_NGINX_BASE_IMAGE: "188237246440.dkr.ecr.eu-central-1.amazonaws.com/datavisyn/base/nginx:main" @@ -126,6 +126,11 @@ jobs: const imageTagAfterRetag = (component.image_tag_prefix || '') + "${{ github.ref }}".replace('refs/heads/', '').replace('refs/tags/', '').replace(/[^a-zA-Z0-9._-]/g, '-') + (component.image_tag_suffix || ''); const imageTagBeforeRetag = `tagged-${imageTagAfterRetag}-${buildTime}`; + const imageTagsAfterRetag = [ + imageTagAfterRetag, + // In addition, always add the github.sha as tag for easier identification + '${{ github.sha }}' + ]; return { ...component, @@ -138,7 +143,7 @@ jobs: build_time: buildTime, image_tag_before_retag: imageTagBeforeRetag, image_ref: `${{ vars.DV_AWS_ECR_REGISTRY }}/${component.ecr_repository}:${imageTagBeforeRetag}`, - image_tag_after_retag: imageTagAfterRetag, + image_tags_after_retag: imageTagsAfterRetag, formatted_build_args: formattedBuildArgs, }; }), 
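Review bot: The new `'${{ github.sha }}'` literal in the `imageTagsAfterRetag` array should say which commit it names, because if this workflow is also triggered on `pull_request` events `github.sha` is the synthetic merge commit rather than the branch head, and the resulting tag would not correspond to any commit a developer can check out; the trigger list is not visible in this hunk, so confirm it. Suggested wording for the comment: `// github.sha is the pushed commit; on pull_request events it would be the merge commit, not the PR head`. Interpolating the expression into the script source is safe here only because `github.sha` is always a fixed-length hex string, unlike the `${{ github.ref }}` interpolation above it, which relies on the `.replace()` chain to strip everything else. The rename to `image_tags_after_retag` in the next hunk returns `null` for any other consumer still reading `.image_tag_after_retag` from the component JSON; the retag loop in this patch is updated, but other readers are not visible here. The enclosing `map` callback starts and ends outside the hunk.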
@@ -430,17 +435,22 @@ jobs: for component in $(jq -c '.components[]' <<< "$FLAVOR"); do repository_name=$(jq -r '.ecr_repository' <<< "$component") image_tag_before_retag=$(jq -r '.image_tag_before_retag' <<< "$component") - image_tag_after_retag=$(jq -r '.image_tag_after_retag' <<< "$component") - echo "Processing repository: $repository_name, image_tag_before_retag: $image_tag_before_retag, image_tag_after_retag: $image_tag_after_retag" - - IMAGE_META=$(aws ecr describe-images --repository-name "$repository_name" --image-ids imageTag="$image_tag_before_retag" --output json | jq --arg var "${image_tag_after_retag}" '.imageDetails[0].imageTags | index($var)') - if [[ -z "${IMAGE_META}" || "${IMAGE_META}" == "null" ]]; then - MANIFEST=$(aws ecr batch-get-image --repository-name "$repository_name" --image-ids imageTag="$image_tag_before_retag" --output json | jq --raw-output --join-output '.images[0].imageManifest') - aws ecr put-image --repository-name "$repository_name" --image-tag "$image_tag_after_retag" --image-manifest "$MANIFEST" - else - echo "Image already tagged for repository: $repository_name!" 
- fi + echo "Processing repository: $repository_name, image_tag_before_retag: $image_tag_before_retag" + + MANIFEST=$(aws ecr batch-get-image --repository-name "$repository_name" --image-ids imageTag="$image_tag_before_retag" --output json | jq --raw-output --join-output '.images[0].imageManifest') + + # Loop through all image tags after retag + for image_tag_after_retag in $(jq -r '.image_tags_after_retag[]' <<< "$component"); do + echo "Tagging with: $image_tag_after_retag" + + IMAGE_META=$(aws ecr describe-images --repository-name "$repository_name" --image-ids imageTag="$image_tag_after_retag" --output json | jq --arg var "${image_tag_after_retag}" '.imageDetails[0].imageTags | index($var)' 2>/dev/null || echo "null") + if [[ -z "${IMAGE_META}" || "${IMAGE_META}" == "null" ]]; then + aws ecr put-image --repository-name "$repository_name" --image-tag "$image_tag_after_retag" --image-manifest "$MANIFEST" + else + echo "Image already tagged with $image_tag_after_retag for repository: $repository_name!" + fi + done done; env: FLAVOR: ${{ toJSON(matrix.flavor) }} From d8044fc649ef2edc3004c4ec43c61b78f46ebfa8 Mon Sep 17 00:00:00 2001 From: Michael Puehringer Date: Fri, 16 Jan 2026 08:44:54 +0100 Subject: [PATCH 2/3] Add global trivy ignore --- .github/workflows/build-docker-artifacts.trivyignore | 2 ++ .github/workflows/build-docker-artifacts.yml | 1 + 2 files changed, 3 insertions(+) create mode 100644 .github/workflows/build-docker-artifacts.trivyignore diff --git a/.github/workflows/build-docker-artifacts.trivyignore b/.github/workflows/build-docker-artifacts.trivyignore new file mode 100644 index 00000000..60275557 --- /dev/null +++ b/.github/workflows/build-docker-artifacts.trivyignore @@ -0,0 +1,2 @@ +# No fix available for this glibc vulnerability +CVE-2026-0861 \ No newline at end of file diff --git a/.github/workflows/build-docker-artifacts.yml b/.github/workflows/build-docker-artifacts.yml index 2228e53b..5267de7a 100644 
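Review bot: The `describe-images` lookup now queries by `$image_tag_after_retag` and then asks whether that image carries `$image_tag_after_retag`, so `IMAGE_META` is non-null whenever any image in the repository already holds the tag and `put-image` is skipped; after the first build a moving tag such as the branch name is never advanced to the new image, which the previous lookup by `$image_tag_before_retag` did (unless the repositories use ECR tag immutability, in which case re-pointing was never possible). Restoring the old key while keeping the per-tag loop is a one-line change: `IMAGE_META=$(aws ecr describe-images --repository-name "$repository_name" --image-ids imageTag="$image_tag_before_retag" --output json | jq --arg var "${image_tag_after_retag}" '.imageDetails[0].imageTags | index($var)')`. The appended `2>/dev/null || echo "null"` only silences and catches a `jq` failure, not a failed `aws` call: without `pipefail` a missing-image error leaves `IMAGE_META` empty and the error on stderr, and the `put-image` branch is taken only because the `-z` test happens to cover that case; redirect or check the `aws` call itself if that is the intent. The retag step's `run` block starts before the hunk.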
--- a/.github/workflows/build-docker-artifacts.yml +++ b/.github/workflows/build-docker-artifacts.yml @@ -305,6 +305,7 @@ jobs: vuln-type: "os,library" severity: ${{ steps.set_severity.outputs.severity }} skip-files: ${{ vars.TRIVY_SKIP_FILES }} + trivyignores: ".trivyignore,./tmp/github-workflows/.github/workflows/build-docker-artifacts.trivyignore" timeout: "10m0s" # The cache update takes quite long, so let's try to disable it for now: https://github.com/aquasecurity/trivy-action#cache cache: "false" From c55a67fd7c3fa57b6046520842653e822ebb73c4 Mon Sep 17 00:00:00 2001 From: Michael Puehringer Date: Fri, 16 Jan 2026 10:18:56 +0100 Subject: [PATCH 3/3] Rename to global.trivyignore --- .github/actions/build-node-python/action.yml | 2 ++ .github/workflows/build-docker-artifacts.trivyignore | 2 -- .github/workflows/build-docker-artifacts.yml | 4 ++-- .github/workflows/global.trivyignore | 6 ++++++ 4 files changed, 10 insertions(+), 4 deletions(-) delete mode 100644 .github/workflows/build-docker-artifacts.trivyignore create mode 100644 .github/workflows/global.trivyignore diff --git a/.github/actions/build-node-python/action.yml b/.github/actions/build-node-python/action.yml index c1eb45b2..6df513da 100644 --- a/.github/actions/build-node-python/action.yml +++ b/.github/actions/build-node-python/action.yml @@ -315,6 +315,7 @@ runs: scanners: "vuln" severity: ${{ inputs.trivy_severity || 'CRITICAL' }} skip-files: ${{ inputs.trivy_skip_files }} + trivyignores: ".trivyignore,./tmp/github-workflows/.github/workflows/global.trivyignore" # The cache update takes quite long, so let's try to disable it for now: https://github.com/aquasecurity/trivy-action#cache cache: "false" continue-on-error: false 
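Review bot: The same `trivyignores:` line is added verbatim to two scan steps of the composite action (this hunk and the one at `@@ -329,6 +330,7 @@`), while the neighbouring `skip-files` is already parameterised through an input; a `trivy_ignore_files` input with this string as its default would keep the two steps in sync and let a consumer drop or extend the global list without forking the action. The second path, `./tmp/github-workflows/.github/workflows/global.trivyignore`, appears to be a checkout of this repository at a branch ref (the checkout is not visible in the hunk), which means the set of suppressed findings is read from that branch at scan time rather than from the scanned repository's own commit, so an edit to the global ignore file silently changes pass/fail for every downstream scan; the same applies to the `trivyignores:` line added to the workflow in this commit. Proposed comment above the input: `# Second entry is the repo-wide ignore list checked out with the shared workflows; it is read at scan time, so edits there affect every consumer.` Also confirm the action tolerates a missing `.trivyignore` in the consuming repository, since the first entry is listed unconditionally.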
@@ -329,6 +330,7 @@ runs: scanners: "vuln" severity: ${{ inputs.trivy_severity || 'CRITICAL' }} skip-files: ${{ inputs.trivy_skip_files }} + trivyignores: ".trivyignore,./tmp/github-workflows/.github/workflows/global.trivyignore" # The cache update takes quite long, so let's try to disable it for now: https://github.com/aquasecurity/trivy-action#cache cache: "false" continue-on-error: false diff --git a/.github/workflows/build-docker-artifacts.trivyignore b/.github/workflows/build-docker-artifacts.trivyignore deleted file mode 100644 index 60275557..00000000 --- a/.github/workflows/build-docker-artifacts.trivyignore +++ /dev/null @@ -1,2 +0,0 @@ -# No fix available for this glibc vulnerability -CVE-2026-0861 \ No newline at end of file diff --git a/.github/workflows/build-docker-artifacts.yml b/.github/workflows/build-docker-artifacts.yml index 5267de7a..c2378552 100644 --- a/.github/workflows/build-docker-artifacts.yml +++ b/.github/workflows/build-docker-artifacts.yml @@ -46,7 +46,7 @@ concurrency: cancel-in-progress: true env: - WORKFLOW_BRANCH: "mp/retag_with_sha" + WORKFLOW_BRANCH: "main" DATAVISYN_PYTHON_BASE_IMAGE: "188237246440.dkr.ecr.eu-central-1.amazonaws.com/datavisyn/base/python:main" DATAVISYN_NGINX_BASE_IMAGE: "188237246440.dkr.ecr.eu-central-1.amazonaws.com/datavisyn/base/nginx:main" @@ -305,7 +305,7 @@ jobs: vuln-type: "os,library" severity: ${{ steps.set_severity.outputs.severity }} skip-files: ${{ vars.TRIVY_SKIP_FILES }} - trivyignores: ".trivyignore,./tmp/github-workflows/.github/workflows/build-docker-artifacts.trivyignore" + trivyignores: ".trivyignore,./tmp/github-workflows/.github/workflows/global.trivyignore" timeout: "10m0s" # The cache update takes quite long, so let's try to disable it for now: https://github.com/aquasecurity/trivy-action#cache cache: "false" diff --git a/.github/workflows/global.trivyignore b/.github/workflows/global.trivyignore new file mode 100644 index 00000000..142baea0 --- /dev/null 
+++ b/.github/workflows/global.trivyignore
@@ -0,0 +1,6 @@
+# libc6 is detected as 2.31-13+deb11u10 but actually installed as 2.31-13+deb11u13 (fixed)
+CVE-2025-4802
+# Reason: nbconvert: nbconvert: Arbitrary code execution via malicious SVG to PDF conversion. This is a dep by lamindb, and there's no newer version with a fix...
+CVE-2025-53000
+# No fix available for this glibc vulnerability
+CVE-2026-0861
\ No newline at end of file
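Review bot: Two of the three suppressions in this global file carry image-specific justifications: the CVE-2025-4802 entry argues the finding is a version-detection mismatch for one particular libc6 build, and the CVE-2025-53000 entry is accepted only because lamindb pins a vulnerable nbconvert, yet the file applies to every image scanned through these workflows, so images that do not contain that chain lose coverage for a code-execution finding. Trivy's ignore format accepts an expiry on each entry, e.g. `CVE-2026-0861 exp:YYYY-MM-DD` (date to be chosen), which forces the "no fix available" entries to be re-evaluated once a fix ships instead of staying silenced indefinitely. Consider keeping the image-specific entries in the consuming repository's own `.trivyignore` (already first in the `trivyignores` list) and reserving this file for findings that genuinely apply to all base images; the duplicated `nbconvert: nbconvert:` in the second comment and the missing trailing newline are cosmetic.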