From 24a4988e8586d201bcd567d0e824f3ab7d36df40 Mon Sep 17 00:00:00 2001 From: Pietro Abate Date: Mon, 8 Sep 2025 10:53:23 +0200 Subject: [PATCH] base images: add new stable releases for all distribuitons --- .gitlab/ci/pipelines/base_images.yml | 5 + .../ci/pipelines/schedule_security_scans.yml | 165 ++++++++++++++++++ .../ci/pipelines/security-scans-master.yml | 165 ++++++++++++++++++ ci/bin/base_images.ml | 8 +- 4 files changed, 339 insertions(+), 4 deletions(-) diff --git a/.gitlab/ci/pipelines/base_images.yml b/.gitlab/ci/pipelines/base_images.yml index 13523cca0a25..e1143e0db583 100644 --- a/.gitlab/ci/pipelines/base_images.yml +++ b/.gitlab/ci/pipelines/base_images.yml @@ -64,6 +64,7 @@ oc.base-images.debian: - RELEASE: - unstable - bookworm + - trixie oc.base-images.ubuntu: image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.13.0 @@ -99,6 +100,7 @@ oc.base-images.ubuntu: - RELEASE: - noble - jammy + - plucky oc.base-images.fedora: image: ${GCP_REGISTRY}/tezos/docker-images/ci-docker:v1.13.0 @@ -133,6 +135,7 @@ oc.base-images.fedora: matrix: - RELEASE: - "39" + - "41" - "42" oc.base-images.rockylinux: @@ -167,4 +170,6 @@ oc.base-images.rockylinux: parallel: matrix: - RELEASE: + - "9.3" - "9.6" + - "10.0" diff --git a/.gitlab/ci/pipelines/schedule_security_scans.yml b/.gitlab/ci/pipelines/schedule_security_scans.yml index 960bb6091ee9..64e497450183 100644 --- a/.gitlab/ci/pipelines/schedule_security_scans.yml +++ b/.gitlab/ci/pipelines/schedule_security_scans.yml 
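Review bot: Rocky Linux `"9.3"` in the rockylinux matrix is an older point release than the `"9.6"` already listed, not a new stable release as the commit title says, and Rocky's update stream only serves the latest 9.x point release, so a `rockylinux:9.3` base image will sit on a frozen package set and the scheduled Trivy scan this same commit adds for it will keep reporting CVEs that cannot be fixed by updating packages. If the intent is to add 10.0 as the new release, consider dropping `- "9.3"`; if an older point release is deliberately needed for some consumer, add a comment next to it such as `# 9.3: kept for <reason>; receives no upstream security updates` so the next reader does not treat it as a typo. The same list appears in ci/bin/base_images.ml, from which this file looks to be generated, so the change belongs there rather than in this hunk alone.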
@@ -207,6 +207,37 @@ container_scanning_tezos-debian-bookworm-master: paths: - gl-container-scanning-report-tezos-debian-bookworm-master.json +container_scanning_tezos-debian-trixie-master: + image: aquasec/trivy:latest + stage: test + tags: + - gcp + needs: [] + dependencies: [] + timeout: 60 minutes + cache: + key: trivy + paths: + - .trivycache/ + policy: pull-push + before_script: + - SCRIPT_STEP_BEGIN=$(date +%s) + - . ./scripts/ci/datadog_send_job_info.sh + - . ./scripts/ci/datadog_send_job_cache_info.sh 'before' + script: + - . ./scripts/ci/container_scanning_generate_reports.sh + - . ./scripts/ci/datadog_send_job_script_step_time.sh || true + after_script: + - . ./scripts/ci/datadog_send_job_cache_info.sh 'after' + variables: + TRIVY_NO_PROGRESS: "true" + TRIVY_CACHE_DIR: .trivycache/ + FULL_IMAGE_NAME: ${GCP_PROTECTED_REGISTRY}/tezos/tezos/debian:trixie + REPORT: gl-container-scanning-report-tezos-debian-trixie-master.json + artifacts: + paths: + - gl-container-scanning-report-tezos-debian-trixie-master.json + container_scanning_tezos-ubuntu-noble-master: image: aquasec/trivy:latest stage: test 
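Review bot: The new `container_scanning_tezos-debian-trixie-master` job runs the scanner from `image: aquasec/trivy:latest`, a mutable Docker Hub tag, so the tool that produces the security report is itself unpinned: two runs of the schedule can use different Trivy versions and vulnerability databases, and an upstream change or compromise of that tag executes inside a job that can reach `${GCP_PROTECTED_REGISTRY}`. Pinning to a specific version tag plus its digest (`image: aquasec/trivy:<version>@sha256:<digest>`, bumped deliberately) keeps the scan reproducible and the supply chain of the security gate attestable. This is a copy of the pattern used by the existing jobs, so the fix belongs in whatever generates these files rather than in this hunk alone; `container_scanning_generate_reports.sh` is not in the diff, so I cannot tell whether it enforces a severity threshold or only emits the report.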
@@ -269,6 +300,37 @@ container_scanning_tezos-ubuntu-jammy-master: paths: - gl-container-scanning-report-tezos-ubuntu-jammy-master.json +container_scanning_tezos-ubuntu-plucky-master: + image: aquasec/trivy:latest + stage: test + tags: + - gcp + needs: [] + dependencies: [] + timeout: 60 minutes + cache: + key: trivy + paths: + - .trivycache/ + policy: pull-push + before_script: + - SCRIPT_STEP_BEGIN=$(date +%s) + - . ./scripts/ci/datadog_send_job_info.sh + - . ./scripts/ci/datadog_send_job_cache_info.sh 'before' + script: + - . ./scripts/ci/container_scanning_generate_reports.sh + - . ./scripts/ci/datadog_send_job_script_step_time.sh || true + after_script: + - . ./scripts/ci/datadog_send_job_cache_info.sh 'after' + variables: + TRIVY_NO_PROGRESS: "true" + TRIVY_CACHE_DIR: .trivycache/ + FULL_IMAGE_NAME: ${GCP_PROTECTED_REGISTRY}/tezos/tezos/ubuntu:plucky + REPORT: gl-container-scanning-report-tezos-ubuntu-plucky-master.json + artifacts: + paths: + - gl-container-scanning-report-tezos-ubuntu-plucky-master.json + container_scanning_tezos-fedora-39-master: image: aquasec/trivy:latest stage: test 
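Review bot: `ubuntu:plucky` (25.04) is an interim, non-LTS release with roughly a nine-month support window, unlike `noble` and `jammy` beside it, so this scan job will start reporting CVEs with no upstream fix shortly after upstream support ends in early 2026 and the base image will have to be removed or replaced then. A comment in the release list, e.g. `# plucky: interim release, short support window; replace with the next release`, would make the expiry visible to whoever triages the scan results. As with the other jobs the list appears to be generated from ci/bin/base_images.ml, so the comment belongs there.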
@@ -300,6 +362,37 @@ container_scanning_tezos-fedora-39-master: paths: - gl-container-scanning-report-tezos-fedora-39-master.json +container_scanning_tezos-fedora-41-master: + image: aquasec/trivy:latest + stage: test + tags: + - gcp + needs: [] + dependencies: [] + timeout: 60 minutes + cache: + key: trivy + paths: + - .trivycache/ + policy: pull-push + before_script: + - SCRIPT_STEP_BEGIN=$(date +%s) + - . ./scripts/ci/datadog_send_job_info.sh + - . ./scripts/ci/datadog_send_job_cache_info.sh 'before' + script: + - . ./scripts/ci/container_scanning_generate_reports.sh + - . ./scripts/ci/datadog_send_job_script_step_time.sh || true + after_script: + - . ./scripts/ci/datadog_send_job_cache_info.sh 'after' + variables: + TRIVY_NO_PROGRESS: "true" + TRIVY_CACHE_DIR: .trivycache/ + FULL_IMAGE_NAME: ${GCP_PROTECTED_REGISTRY}/tezos/tezos/fedora:41 + REPORT: gl-container-scanning-report-tezos-fedora-41-master.json + artifacts: + paths: + - gl-container-scanning-report-tezos-fedora-41-master.json + container_scanning_tezos-fedora-42-master: image: aquasec/trivy:latest stage: test 
@@ -331,6 +424,37 @@ container_scanning_tezos-fedora-42-master: paths: - gl-container-scanning-report-tezos-fedora-42-master.json +container_scanning_tezos-rockylinux-9.3-master: + image: aquasec/trivy:latest + stage: test + tags: + - gcp + needs: [] + dependencies: [] + timeout: 60 minutes + cache: + key: trivy + paths: + - .trivycache/ + policy: pull-push + before_script: + - SCRIPT_STEP_BEGIN=$(date +%s) + - . ./scripts/ci/datadog_send_job_info.sh + - . ./scripts/ci/datadog_send_job_cache_info.sh 'before' + script: + - . ./scripts/ci/container_scanning_generate_reports.sh + - . ./scripts/ci/datadog_send_job_script_step_time.sh || true + after_script: + - . ./scripts/ci/datadog_send_job_cache_info.sh 'after' + variables: + TRIVY_NO_PROGRESS: "true" + TRIVY_CACHE_DIR: .trivycache/ + FULL_IMAGE_NAME: ${GCP_PROTECTED_REGISTRY}/tezos/tezos/rockylinux:9.3 + REPORT: gl-container-scanning-report-tezos-rockylinux-9.3-master.json + artifacts: + paths: + - gl-container-scanning-report-tezos-rockylinux-9.3-master.json + container_scanning_tezos-rockylinux-9.6-master: image: aquasec/trivy:latest stage: test 
@@ -362,6 +486,37 @@ container_scanning_tezos-rockylinux-9.6-master: paths: - gl-container-scanning-report-tezos-rockylinux-9.6-master.json +container_scanning_tezos-rockylinux-10.0-master: + image: aquasec/trivy:latest + stage: test + tags: + - gcp + needs: [] + dependencies: [] + timeout: 60 minutes + cache: + key: trivy + paths: + - .trivycache/ + policy: pull-push + before_script: + - SCRIPT_STEP_BEGIN=$(date +%s) + - . ./scripts/ci/datadog_send_job_info.sh + - . ./scripts/ci/datadog_send_job_cache_info.sh 'before' + script: + - . ./scripts/ci/container_scanning_generate_reports.sh + - . ./scripts/ci/datadog_send_job_script_step_time.sh || true + after_script: + - . ./scripts/ci/datadog_send_job_cache_info.sh 'after' + variables: + TRIVY_NO_PROGRESS: "true" + TRIVY_CACHE_DIR: .trivycache/ + FULL_IMAGE_NAME: ${GCP_PROTECTED_REGISTRY}/tezos/tezos/rockylinux:10.0 + REPORT: gl-container-scanning-report-tezos-rockylinux-10.0-master.json + artifacts: + paths: + - gl-container-scanning-report-tezos-rockylinux-10.0-master.json + container_scanning_merge_reports: image: ${ci_image_name}/monitoring:${ci_image_tag} stage: test @@ -374,11 +529,16 @@ container_scanning_merge_reports: - container_scanning_tezos-tezos-master - container_scanning_tezos-debian-unstable-master - container_scanning_tezos-debian-bookworm-master + - container_scanning_tezos-debian-trixie-master - container_scanning_tezos-ubuntu-noble-master - container_scanning_tezos-ubuntu-jammy-master + - container_scanning_tezos-ubuntu-plucky-master - container_scanning_tezos-fedora-39-master + - container_scanning_tezos-fedora-41-master - container_scanning_tezos-fedora-42-master + - container_scanning_tezos-rockylinux-9.3-master - container_scanning_tezos-rockylinux-9.6-master + - container_scanning_tezos-rockylinux-10.0-master dependencies: - oc.docker:ci:amd64 - container_scanning_tezos-tezos-latest 
@@ -386,11 +546,16 @@ container_scanning_merge_reports: - container_scanning_tezos-tezos-master - container_scanning_tezos-debian-unstable-master - container_scanning_tezos-debian-bookworm-master + - container_scanning_tezos-debian-trixie-master - container_scanning_tezos-ubuntu-noble-master - container_scanning_tezos-ubuntu-jammy-master + - container_scanning_tezos-ubuntu-plucky-master - container_scanning_tezos-fedora-39-master + - container_scanning_tezos-fedora-41-master - container_scanning_tezos-fedora-42-master + - container_scanning_tezos-rockylinux-9.3-master - container_scanning_tezos-rockylinux-9.6-master + - container_scanning_tezos-rockylinux-10.0-master timeout: 60 minutes before_script: - SCRIPT_STEP_BEGIN=$(date +%s) diff --git a/.gitlab/ci/pipelines/security-scans-master.yml b/.gitlab/ci/pipelines/security-scans-master.yml index 0683e5acb54a..0d41819d2f74 100644 --- a/.gitlab/ci/pipelines/security-scans-master.yml +++ b/.gitlab/ci/pipelines/security-scans-master.yml 
@@ -212,6 +212,37 @@ container_scanning_tezos-debian-bookworm-master: paths: - gl-container-scanning-report-tezos-debian-bookworm-master.json +container_scanning_tezos-debian-trixie-master: + image: aquasec/trivy:latest + stage: test + tags: + - gcp + needs: [] + dependencies: [] + timeout: 60 minutes + cache: + key: trivy + paths: + - .trivycache/ + policy: pull-push + before_script: + - SCRIPT_STEP_BEGIN=$(date +%s) + - . ./scripts/ci/datadog_send_job_info.sh + - . ./scripts/ci/datadog_send_job_cache_info.sh 'before' + script: + - . ./scripts/ci/container_scanning_generate_reports.sh + - . ./scripts/ci/datadog_send_job_script_step_time.sh || true + after_script: + - . ./scripts/ci/datadog_send_job_cache_info.sh 'after' + variables: + TRIVY_NO_PROGRESS: "true" + TRIVY_CACHE_DIR: .trivycache/ + FULL_IMAGE_NAME: ${GCP_PROTECTED_REGISTRY}/tezos/tezos/debian:trixie + REPORT: gl-container-scanning-report-tezos-debian-trixie-master.json + artifacts: + paths: + - gl-container-scanning-report-tezos-debian-trixie-master.json + container_scanning_tezos-ubuntu-noble-master: image: aquasec/trivy:latest stage: test 
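Review bot: The job scans `FULL_IMAGE_NAME: ${GCP_PROTECTED_REGISTRY}/tezos/tezos/debian:trixie` by mutable tag with `needs: []`, so the report covers whatever was last pushed under that tag, not a specific image build, and the `gl-container-scanning-report-tezos-debian-trixie-master.json` artifact carries no visible record of which digest was examined. If `container_scanning_generate_reports.sh` (not in this diff) does not already record the image digest, consider resolving the tag once and passing the `@sha256:` reference to Trivy so findings can be tied to an exact image. Also note that until the base-images pipeline has published `debian:trixie`, this job will fail on the missing tag rather than produce a report.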
@@ -274,6 +305,37 @@ container_scanning_tezos-ubuntu-jammy-master: paths: - gl-container-scanning-report-tezos-ubuntu-jammy-master.json +container_scanning_tezos-ubuntu-plucky-master: + image: aquasec/trivy:latest + stage: test + tags: + - gcp + needs: [] + dependencies: [] + timeout: 60 minutes + cache: + key: trivy + paths: + - .trivycache/ + policy: pull-push + before_script: + - SCRIPT_STEP_BEGIN=$(date +%s) + - . ./scripts/ci/datadog_send_job_info.sh + - . ./scripts/ci/datadog_send_job_cache_info.sh 'before' + script: + - . ./scripts/ci/container_scanning_generate_reports.sh + - . ./scripts/ci/datadog_send_job_script_step_time.sh || true + after_script: + - . ./scripts/ci/datadog_send_job_cache_info.sh 'after' + variables: + TRIVY_NO_PROGRESS: "true" + TRIVY_CACHE_DIR: .trivycache/ + FULL_IMAGE_NAME: ${GCP_PROTECTED_REGISTRY}/tezos/tezos/ubuntu:plucky + REPORT: gl-container-scanning-report-tezos-ubuntu-plucky-master.json + artifacts: + paths: + - gl-container-scanning-report-tezos-ubuntu-plucky-master.json + container_scanning_tezos-fedora-39-master: image: aquasec/trivy:latest stage: test 
@@ -305,6 +367,37 @@ container_scanning_tezos-fedora-39-master: paths: - gl-container-scanning-report-tezos-fedora-39-master.json +container_scanning_tezos-fedora-41-master: + image: aquasec/trivy:latest + stage: test + tags: + - gcp + needs: [] + dependencies: [] + timeout: 60 minutes + cache: + key: trivy + paths: + - .trivycache/ + policy: pull-push + before_script: + - SCRIPT_STEP_BEGIN=$(date +%s) + - . ./scripts/ci/datadog_send_job_info.sh + - . ./scripts/ci/datadog_send_job_cache_info.sh 'before' + script: + - . ./scripts/ci/container_scanning_generate_reports.sh + - . ./scripts/ci/datadog_send_job_script_step_time.sh || true + after_script: + - . ./scripts/ci/datadog_send_job_cache_info.sh 'after' + variables: + TRIVY_NO_PROGRESS: "true" + TRIVY_CACHE_DIR: .trivycache/ + FULL_IMAGE_NAME: ${GCP_PROTECTED_REGISTRY}/tezos/tezos/fedora:41 + REPORT: gl-container-scanning-report-tezos-fedora-41-master.json + artifacts: + paths: + - gl-container-scanning-report-tezos-fedora-41-master.json + container_scanning_tezos-fedora-42-master: image: aquasec/trivy:latest stage: test 
@@ -336,6 +429,37 @@ container_scanning_tezos-fedora-42-master: paths: - gl-container-scanning-report-tezos-fedora-42-master.json +container_scanning_tezos-rockylinux-9.3-master: + image: aquasec/trivy:latest + stage: test + tags: + - gcp + needs: [] + dependencies: [] + timeout: 60 minutes + cache: + key: trivy + paths: + - .trivycache/ + policy: pull-push + before_script: + - SCRIPT_STEP_BEGIN=$(date +%s) + - . ./scripts/ci/datadog_send_job_info.sh + - . ./scripts/ci/datadog_send_job_cache_info.sh 'before' + script: + - . ./scripts/ci/container_scanning_generate_reports.sh + - . ./scripts/ci/datadog_send_job_script_step_time.sh || true + after_script: + - . ./scripts/ci/datadog_send_job_cache_info.sh 'after' + variables: + TRIVY_NO_PROGRESS: "true" + TRIVY_CACHE_DIR: .trivycache/ + FULL_IMAGE_NAME: ${GCP_PROTECTED_REGISTRY}/tezos/tezos/rockylinux:9.3 + REPORT: gl-container-scanning-report-tezos-rockylinux-9.3-master.json + artifacts: + paths: + - gl-container-scanning-report-tezos-rockylinux-9.3-master.json + container_scanning_tezos-rockylinux-9.6-master: image: aquasec/trivy:latest stage: test 
@@ -367,6 +491,37 @@ container_scanning_tezos-rockylinux-9.6-master: paths: - gl-container-scanning-report-tezos-rockylinux-9.6-master.json +container_scanning_tezos-rockylinux-10.0-master: + image: aquasec/trivy:latest + stage: test + tags: + - gcp + needs: [] + dependencies: [] + timeout: 60 minutes + cache: + key: trivy + paths: + - .trivycache/ + policy: pull-push + before_script: + - SCRIPT_STEP_BEGIN=$(date +%s) + - . ./scripts/ci/datadog_send_job_info.sh + - . ./scripts/ci/datadog_send_job_cache_info.sh 'before' + script: + - . ./scripts/ci/container_scanning_generate_reports.sh + - . ./scripts/ci/datadog_send_job_script_step_time.sh || true + after_script: + - . ./scripts/ci/datadog_send_job_cache_info.sh 'after' + variables: + TRIVY_NO_PROGRESS: "true" + TRIVY_CACHE_DIR: .trivycache/ + FULL_IMAGE_NAME: ${GCP_PROTECTED_REGISTRY}/tezos/tezos/rockylinux:10.0 + REPORT: gl-container-scanning-report-tezos-rockylinux-10.0-master.json + artifacts: + paths: + - gl-container-scanning-report-tezos-rockylinux-10.0-master.json + container_scanning_merge_reports: image: ${ci_image_name}/monitoring:${ci_image_tag} stage: test @@ -379,11 +534,16 @@ container_scanning_merge_reports: - container_scanning_tezos-tezos-master - container_scanning_tezos-debian-unstable-master - container_scanning_tezos-debian-bookworm-master + - container_scanning_tezos-debian-trixie-master - container_scanning_tezos-ubuntu-noble-master - container_scanning_tezos-ubuntu-jammy-master + - container_scanning_tezos-ubuntu-plucky-master - container_scanning_tezos-fedora-39-master + - container_scanning_tezos-fedora-41-master - container_scanning_tezos-fedora-42-master + - container_scanning_tezos-rockylinux-9.3-master - container_scanning_tezos-rockylinux-9.6-master + - container_scanning_tezos-rockylinux-10.0-master dependencies: - oc.docker:ci:amd64 - container_scanning_tezos-tezos-latest 
@@ -391,11 +551,16 @@ container_scanning_merge_reports: - container_scanning_tezos-tezos-master - container_scanning_tezos-debian-unstable-master - container_scanning_tezos-debian-bookworm-master + - container_scanning_tezos-debian-trixie-master - container_scanning_tezos-ubuntu-noble-master - container_scanning_tezos-ubuntu-jammy-master + - container_scanning_tezos-ubuntu-plucky-master - container_scanning_tezos-fedora-39-master + - container_scanning_tezos-fedora-41-master - container_scanning_tezos-fedora-42-master + - container_scanning_tezos-rockylinux-9.3-master - container_scanning_tezos-rockylinux-9.6-master + - container_scanning_tezos-rockylinux-10.0-master timeout: 60 minutes before_script: - SCRIPT_STEP_BEGIN=$(date +%s) diff --git a/ci/bin/base_images.ml b/ci/bin/base_images.ml index 8bfad45b4353..a5d00ed43183 100644 --- a/ci/bin/base_images.ml +++ b/ci/bin/base_images.ml @@ -9,19 +9,19 @@ open Gitlab_ci.Types open Gitlab_ci.Util open Tezos_ci -let debian_releases = ["unstable"; "bookworm"] +let debian_releases = ["unstable"; "bookworm"; "trixie"] let debian_matrix = [[("RELEASE", debian_releases)]] -let ubuntu_releases = ["noble"; "jammy"] +let ubuntu_releases = ["noble"; "jammy"; "plucky"] let ubuntu_matrix = [[("RELEASE", ubuntu_releases)]] -let rockylinux_releases = ["9.6"] +let rockylinux_releases = ["9.3"; "9.6"; "10.0"] let rockylinux_matrix = [[("RELEASE", rockylinux_releases)]] -let fedora_releases = ["39"; "42"] +let fedora_releases = ["39"; "41"; "42"] let fedora_matrix = [[("RELEASE", fedora_releases)]] -- GitLab
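Review bot: The release lists in ci/bin/base_images.ml now drive both the base-image matrix and, apparently, the scheduled Trivy scans, but nothing states which releases belong here or when one is removed: `rockylinux_releases` gains `"9.3"`, an older point release than the existing `"9.6"` that no longer receives upstream updates, while `fedora_releases` keeps `"39"`, which reached end-of-life in late 2024. A short comment above each list would fix that, e.g. `(* Releases for which base images are built and scanned. Keep only releases still receiving upstream security updates; drop one when it goes EOL. *)`, with an inline note on any deliberate exception such as 9.3. The hunk's context suggests these are top-level bindings, so the comment can sit directly above each `let`.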