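--- a/eng/pipelines/cg-images.yml
+++ b/eng/pipelines/cg-images.yml
@@ -19,32 +19,4 @@ extends:
 template: /eng/docker-tools/templates/1es-official.yml@self
 parameters:
 stages:
-- stage: cg
-displayName: CG Detection (Docker Images)
-jobs:
-- job: ScanImages
-displayName: Scan Images
-strategy:
-matrix:
-amd64:
-arch: amd64
-arm32:
-arch: arm
-arm64:
-arch: arm64
-steps:
-- template: /eng/docker-tools/templates/steps/init-docker-linux.yml@self
-parameters:
-cleanupDocker: true
-- script: >
-$(runImageBuilderCmd) pullImages
---architecture '$(arch)'
---manifest 'manifest.json'
---output-var 'pulledImages'
-displayName: Pull Images
-name: PullImages
-- task: ComponentGovernanceComponentDetection@0
-inputs:
-dockerImagesToScan: $(PullImages.pulledImages)
-displayName: Detect Components
-- template: /eng/docker-tools/templates/steps/cleanup-docker-linux.yml@self
+- template: /eng/pipelines/stages/cg-images.yml@self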
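--- /dev/null
+++ b/eng/pipelines/stages/cg-images.yml
@@ -0,0 +1,54 @@
+parameters:
+# Do not modify the architectures parameter. It is only used to create a job
+# for each architecture at template expansion time.
+# Running a CG scan with some architectures turned off will result in
+# de-registration of all the images not scanned.
+#
+# Component governance snapshots are keyed by accountId/projectId/definitionId/phaseId.
+# Phase ID refers to jobs. Running CG with a matrix job results in duplicate
+# registrations for the same job since they will all have the same phaseId.
+# Whichever job finishes first will be registered, and the others will be
+# ignored as duplicated snapshots.
+#
+# We can avoid using a matrix job by looping over each arch to achieve the same
+# effect using the pipeline templating system.
+- name: architectures
+type: object
+default:
+- name: amd64
+arch: amd64
+- name: arm32
+arch: arm
+- name: arm64
+arch: arm64
+
+stages:
+- stage: cg
+displayName: CG Detection (Docker Images)
+
+jobs:
+- ${{ each arch in parameters.architectures }}:
+- job: ScanImages_${{ arch.name }}
+displayName: Scan Images (${{ arch.name }})
+variables:
+arch: ${{ arch.arch }}
+
+steps:
+- template: /eng/docker-tools/templates/steps/init-docker-linux.yml@self
+parameters:
+cleanupDocker: true
+
+- script: >
+$(runImageBuilderCmd) pullImages
+--architecture '$(arch)'
+--manifest 'manifest.json'
+--output-var 'pulledImages'
+displayName: Pull Images
+name: PullImages
+
+- task: ComponentGovernanceComponentDetection@0
+displayName: Detect Components
+inputs:
+dockerImagesToScan: $(PullImages.pulledImages)
+
+- template: /eng/docker-tools/templates/steps/cleanup-docker-linux.yml@self
+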
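Review bot: The "Do not modify the architectures parameter" rule is enforced only by the comment, so any pipeline that includes this template can pass a shorter `architectures` list, and by the comment's own account the images for the omitted architectures would then be de-registered from component governance without any failure. The caller in eng/pipelines/cg-images.yml passes no parameters, so the default applies today, but the comment should say that callers must never override the value, or the list should move out of `parameters` so it cannot be overridden. A related gap in the `PullImages` / `Detect Components` steps is that nothing checks `$(PullImages.pulledImages)` is non-empty before the scan; if `pullImages` can succeed with no images for an architecture (not visible here), that job would presumably register an empty snapshot. A guard step such as `- script: test -n "$(PullImages.pulledImages)"` between the two steps would turn that case into a visible failure.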