From d55bb99e1f64eea881cf44641cc2114618c98f51 Mon Sep 17 00:00:00 2001 From: Noam Tsemah Date: Sun, 26 Oct 2025 18:23:13 +0200 Subject: [PATCH] [CI] Issue: HPCINFRA-3441 move antivirus scan to release job Move the antivirus scan step from the regular matrix file to the release matrix file Signed-off-by: Noam Tsemah
---
 .ci/antivirus.sh | 56 ++++++++++++---------------- .ci/do_release.sh | 20 +++++----- .ci/matrix_job.yaml | 13 ------- .ci/opensource_jjb.yaml | 4 -- .ci/pipeline/release_jjb.yaml | 4 ++ .ci/pipeline/release_matrix_job.yaml | 14 ++++++- 6 files changed, 49 insertions(+), 62 deletions(-)
diff --git a/.ci/antivirus.sh b/.ci/antivirus.sh
index 7a9873e22..502161651 100755
--- a/.ci/antivirus.sh
+++ b/.ci/antivirus.sh
@@ -1,47 +1,37 @@ -#!/bin/bash -Exel +#!/bin/bash -uxe echo -e "\n\n**********************************" echo -e "\n\nStarting antivirus.sh script...\n\n" echo -e "**********************************\n\n" -if [ -z "$1" ]; then - if [ -z "${release_folder}" ]; then - echo "ERROR: Please use the first script argument or env var 'release_folder'. Exit" - fi -else - release_folder=$1 -fi -if [ ! -e "${release_folder}" ] || [ ! -d "${release_folder}" ]; then - echo "ERROR: [${release_folder}] directory doesn't exist. Exit" - exit 1 -fi +[[ -z "${WORKSPACE:-}" ]] && { echo "ERROR: WORKSPACE variable is empty."; exit 1; } +[[ ! -d "${WORKSPACE}" ]] && { echo "ERROR: ${WORKSPACE} does not exist."; exit 1; } +[[ -z "${release_folder:-}" ]] && { echo "ERROR: release_folder variable is empty."; exit 1; } +[[ ! -d "${release_folder}" ]] && { echo "ERROR: ${release_folder} does not exist."; exit 1; } +[[ -z "${release_tag:-}" ]] && { echo "ERROR: release_tag variable is empty."; exit 1; } +[[ ! -d "${release_folder}/${release_tag}" ]] && { echo "ERROR: ${release_folder}/${release_tag} does not exist."; exit 1; } -if [ -z "$2" ]; then - if [ -z "${release_version}" ]; then - echo "ERROR: Please use the second script argument or env var 'release_version'. 
Exit" - fi -else - release_version=$2 - echo "FULL_VERSION from script parameter: [${release_version}]" -fi -if [ -z "${release_version}" ]; then - release_version=$(git describe --tags $(git rev-list --tags --max-count=1)) +if [ -z "${revision:-}" ]; then + echo "WARN: 'revision' was not set, defaulting to 1" + revision=1 fi -mkdir -p logs +mkdir -p "${WORKSPACE}/logs/" +cd "${release_folder}/${release_tag}/" -cd ${release_folder}/${release_version}/ -pkg_name=$(ls -1 libxlio-*.src.rpm) +pkg_name="libxlio-${release_tag}-${revision}.src.rpm" +tarball_name="libxlio-${release_tag}.tar.gz" +rpm_log="${WORKSPACE}/logs/${pkg_name}_antivirus.log" +tarball_log="${WORKSPACE}/logs/${tarball_name}_antivirus.log" -export PROJECT_SRC_PATH=${release_folder}/${release_version}/$pkg_name -LOG=$WORKSPACE/logs/${name}_antivirus.log +[[ ! -e "${pkg_name}" ]] && { echo "ERROR: ${release_folder}/${release_tag}/${pkg_name} does not exist."; exit 1; } +[[ ! -e "${tarball_name}" ]] && { echo "ERROR: ${release_folder}/${release_tag}/${tarball_name} does not exist."; exit 1; } -sudo -E -u swx-jenkins /auto/GLIT/SCRIPTS/HELPERS/antivirus-scan.sh $PROJECT_SRC_PATH 2>&1 | tee $LOG +/auto/GLIT/SCRIPTS/HELPERS/antivirus-scan.sh "${release_folder}/${release_tag}/${pkg_name}" |& tee "${rpm_log}" +/auto/GLIT/SCRIPTS/HELPERS/antivirus-scan.sh "${release_folder}/${release_tag}/${tarball_name}" |& tee "${tarball_log}" -cat $LOG | grep 'Possibly Infected:............. 0' -if [ $? -ne 0 ];then - status=1 +if grep -q 'Possibly Infected:............. 0' "${rpm_log}" && grep -q 'Possibly Infected:............. 0' "${tarball_log}"; then + exit 0 else - status=0 + exit 1 fi -exit $status diff --git a/.ci/do_release.sh b/.ci/do_release.sh index 304a19064..2a32bbcbd 100755 --- a/.ci/do_release.sh +++ b/.ci/do_release.sh 
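Review bot: The final verdict depends only on grepping the two logs, and because the `|& tee` pipelines run under `-uxe` without `pipefail`, the exit status of antivirus-scan.sh is discarded. If the helper's exit codes are meaningful (not visible in this patch), adding `set -o pipefail` after the shebang would make a scanner error fail the step directly. The grep pattern is also an unanchored regex whose dots match any character; `grep -q '^Possibly Infected:\.* 0[[:space:]]*$' "${rpm_log}"` (and the same for `${tarball_log}`) would pin it to a whole summary line with a count of exactly 0, assuming nothing follows the count on that line. A short comment above the final `if` saying that a missing summary line is treated as a failed scan would document the fail-closed intent.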
@@ -7,7 +7,7 @@ echo "**********************************" set -o pipefail print_help() { - set +xv + set +xv echo -e "\n\n" echo "--------------------------------------------------" echo "Usage: release_folder= release_tag= [revision=] [do_release=] $0" @@ -50,7 +50,7 @@ configure_ac_version="${MAJOR_VERSION}.${MINOR_VERSION}.${REVISION_VERSION}" pkg_folder=pkg/packages pkg_name="libxlio-${release_tag}-${revision}.src.rpm" tarball_name="libxlio-${release_tag}.tar.gz" -DST_DIR=${release_folder}/${release_tag} +DST_DIR="${release_folder}/${release_tag}" echo "FULL_VERSION from configure.ac: [${configure_ac_version}]" # Creating both tarball and src.rpm 
@@ -63,28 +63,28 @@ fi if [ "${do_release}" = true ] ; then echo "do_release is set to true, will release package into ${release_folder}/${release_tag}" - + if [ ! -d "${pkg_folder}" ]; then echo "ERROR: pkg folder is missing, exiting..." exit 1 fi - - if [[ -e "${DST_DIR}/${pkg_name}" || -e "${DST_DIR}/${tarball_name}" ]]; then + + if [[ -e "${DST_DIR}/${pkg_name}" || -e "${DST_DIR}/${tarball_name}" ]]; then echo "ERROR: [${DST_DIR}/${pkg_name}] or [${DST_DIR}/${tarball_name}] file already exist. Exit" exit 1 fi files_dir=$(pwd) pushd "${release_folder}" || { echo "ERROR: Failed to pushd to ${release_folder}. Exit" ; exit 1; } - sudo -E -u swx-jenkins mkdir -p "$DST_DIR" + mkdir -p "${DST_DIR}" # Copy both the src.rpm and the tarball to the destination - sudo -E -u swx-jenkins cp -v "${files_dir}/${pkg_folder}/${pkg_name}" "${DST_DIR}" - sudo -E -u swx-jenkins cp -v "${files_dir}/${pkg_folder}/${tarball_name}" "${DST_DIR}" + cp -v "${files_dir}/${pkg_folder}/${pkg_name}" "${DST_DIR}" + cp -v "${files_dir}/${pkg_folder}/${tarball_name}" "${DST_DIR}" - sudo -E -u swx-jenkins ln -s "$DST_DIR/${pkg_name}" "${pkg_name}" + ln -s "${DST_DIR}/${pkg_name}" "${pkg_name}" popd || { echo "ERROR: Failed to popd from ${release_folder}. Exit" ; exit 1; } - echo "INFO: Release found at $DST_DIR" + echo "INFO: Release found at ${DST_DIR}" else echo "INFO: do_release is set to false, skipping package release." fi diff --git a/.ci/matrix_job.yaml b/.ci/matrix_job.yaml index 5cf352dec..f54d5143d 100644 --- a/.ci/matrix_job.yaml +++ b/.ci/matrix_job.yaml 
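Review bot: With the `sudo -E -u swx-jenkins` wrappers removed, the `mkdir -p` and `cp -v` calls create the published files with whatever uid and umask the calling container has, and nothing in the script pins the resulting modes. For artifacts that are scanned and then distributed, consider setting permissions explicitly, e.g. `install -v -m 0644 "${files_dir}/${pkg_folder}/${pkg_name}" "${DST_DIR}/"` and the same for `${tarball_name}`, with `mkdir -p -m 0755 "${DST_DIR}"`. A comment above the block noting that the script now expects to be started as the release user (this patch sets `runAsUser` in release_matrix_job.yaml) would help anyone running it by hand.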
@@ -34,9 +34,6 @@ volumes: - {mountPath: /auto/sw_tools/Commercial, hostPath: /auto/sw_tools/Commercial} - {mountPath: /hpc/local/commercial, hostPath: /hpc/local/commercial} - {mountPath: /hpc/local/etc/modulefiles, hostPath: /hpc/local/etc/modulefiles} - # for Antivirus - - {mountPath: /auto/BACKUP/logs_of_LOGS, hostPath: /auto/BACKUP/logs_of_LOGS} - - {mountPath: /auto/GLIT/SCRIPTS/HELPERS, hostPath: /auto/GLIT/SCRIPTS/HELPERS} # Default release location - {mountPath: /auto/sw/release/sw_acceleration, hostPath: /auto/sw/release/sw_acceleration} # User profile for release @@ -295,16 +292,6 @@ steps: archiveArtifacts-onfail: | jenkins/**/arch-*.tar.gz - - name: Antivirus - enable: ${do_antivirus} - containerSelector: - - "{name: 'rhel8.3-mofed-x86_64', category: 'base', variant: 1}" - agentSelector: - - "{nodeLabel: 'skip-agent'}" - run: | - env WORKSPACE=$PWD .ci/antivirus.sh ${release_folder} - archiveArtifacts: 'logs/' - - name: Style enable: ${do_style} containerSelector: diff --git a/.ci/opensource_jjb.yaml b/.ci/opensource_jjb.yaml index 496f8b4ae..6b362a6a7 100644 --- a/.ci/opensource_jjb.yaml +++ b/.ci/opensource_jjb.yaml @@ -53,10 +53,6 @@ name: "do_package" default: true description: "Check tar, source and binary packages." - - bool: - name: "do_antivirus" - default: false - description: "Run Antivirus." - bool: name: "do_cppcheck" default: true diff --git a/.ci/pipeline/release_jjb.yaml b/.ci/pipeline/release_jjb.yaml index 4622a7333..3d8b192dd 100644 --- a/.ci/pipeline/release_jjb.yaml +++ b/.ci/pipeline/release_jjb.yaml @@ -35,6 +35,10 @@ name: "do_release" default: true description: "Release build packges into the release folder, set to false for debugging" + - bool: + name: "do_antivirus" + default: true + description: "Run Antivirus." - string: name: "notification_email" default: "{jjb_release_email}" diff --git a/.ci/pipeline/release_matrix_job.yaml b/.ci/pipeline/release_matrix_job.yaml index 2f27d2ef5..28ce839fb 100644 
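Review bot: The `do_antivirus` description added to release_jjb.yaml does not tell the person starting a release what switching it off means. Since this patch removes the scan from the regular matrix job, the release job is the only place it runs, and disabling it lets the src.rpm and tarball be published unscanned. I would spell that out in the same way the `do_release` entry does, e.g. `description: "Scan the released src.rpm and tarball with antivirus; set to false only for debugging."`.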
--- a/.ci/pipeline/release_matrix_job.yaml +++ b/.ci/pipeline/release_matrix_job.yaml @@ -25,6 +25,9 @@ volumes: - {mountPath: /auto/sw/release/sw_acceleration, hostPath: /auto/sw/release/sw_acceleration} # User profile for release - {mountPath: /var/home/swx-jenkins, hostPath: /labhome/swx-jenkins} + # for Antivirus + - {mountPath: /auto/BACKUP/logs_of_LOGS, hostPath: /auto/BACKUP/logs_of_LOGS} + - {mountPath: /auto/GLIT/SCRIPTS/HELPERS, hostPath: /auto/GLIT/SCRIPTS/HELPERS} runs_on_dockers: - { @@ -33,10 +36,11 @@ runs_on_dockers: uri: '$arch/$name/release', build_args: '--no-cache --target release', arch: 'x86_64', - tag: '20250304' + tag: '20250304', + runAsUser: '6213', + runAsGroup: '101' } - steps: - name: Build-dpcp parallel: false @@ -51,6 +55,12 @@ steps: .ci/do_release.sh archiveArtifacts: "**/build_pkg.log,**/packages/*.rpm" + - name: Antivirus + enable: ${do_antivirus} + run: | + env WORKSPACE=$PWD .ci/antivirus.sh + archiveArtifacts: 'logs/' + pipeline_start: shell: action module: groovy
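Review bot: `runAsUser: '6213'` and `runAsGroup: '101'` are bare numeric ids with no comment saying which account they belong to. They presumably stand in for the `sudo -E -u swx-jenkins` calls this patch removes from the scripts, but that is not stated anywhere in the file. Once confirmed, a comment such as `# uid/gid of swx-jenkins, owner of the release folder (replaces sudo in .ci/do_release.sh)` above the `runs_on_dockers` entry would keep the ids from drifting unnoticed.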
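Review bot: The Antivirus step is placed after the step that runs `.ci/do_release.sh`, and `.ci/antivirus.sh` scans the copies under `${release_folder}/${release_tag}`, so a detection fails the job only after the src.rpm, tarball and symlink are already in the release folder. Scanning the files in `pkg/packages` before they are copied, or removing the published files when the scan fails, would close that window; at minimum add `# NOTE: runs after publishing; a failed scan does not remove the released files` above the step. Separately, with `do_release=false` the files are never copied, so this step will exit 1 on the script's existence checks unless `do_antivirus` is also turned off.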