Update images digests #61861
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI build action | |
on: | |
pull_request: | |
branches: ["main"] | |
push: | |
branches: | |
- gh-readonly-queue/main/** | |
permissions: | |
contents: read | |
jobs: | |
changes: | |
permissions: | |
contents: read | |
name: Determine packages to test building | |
runs-on: ubuntu-latest | |
outputs: | |
packages: ${{steps.package-list.outputs.packages}} | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
egress-policy: audit | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Look for changed files | |
id: changes | |
uses: tj-actions/changed-files@c3a1bb2c992d77180ae65be6ae6c166cf40f857c # v45.0.3 | |
with: | |
files_yaml: | | |
melange: | |
- ./*.yaml # Only top level files without structure | |
- ./*/*/*.melange.yaml # Support recursive melange files with the new naming convention. | |
# this need to point to main to always get the latest action | |
- uses: wolfi-dev/actions/install-wolfictl@main # main | |
# Assuming that we have a list of changed files such as `foo.yaml` and `bar.yaml`, this | |
# strips the list down into `foo` and `bar`. | |
- name: Build package list | |
id: package-list | |
run: | | |
set +f # disable pathname expansion | |
wolfictl text -t name --pipeline-dir=./pipelines/ \ | |
-r https://packages.wolfi.dev/bootstrap/stage3 \ | |
-k https://packages.wolfi.dev/bootstrap/stage3/wolfi-signing.rsa.pub > all-packages-list | |
echo "all-packages-list has $(wc -l < all-packages-list)" | |
n=0 | |
for f in ${{ steps.changes.outputs.melange_all_changed_files }}; do | |
# filter anything not .yaml | |
case "$f" in | |
*/pipelines/*) continue;; | |
*.yaml) :;; | |
*) continue;; | |
esac | |
pkg=${f##*/} | |
pkg=${pkg%.yaml} | |
pkg=${pkg%.melange.yaml} | |
n=$((n+1)) | |
echo "$pkg" | |
done > changed-packages-list | |
echo "changed-packages-list has $n" | |
rc=0 | |
grep --fixed-strings --line-regexp \ | |
--file=changed-packages-list all-packages-list \ | |
> packages-to-build || rc=$? | |
tobuild=$(wc -l < packages-to-build) | |
if [ $rc -eq 0 ]; then | |
echo "build these $tobuild packages in order" | |
sed 's/^/> /' packages-to-build | |
set -- $(cat packages-to-build) | |
elif [ $rc -eq 1 ]; then | |
echo "packages-to-build is empty - did not find any changed packages" | |
set -- | |
else | |
echo "ERROR: unexpected error $rc from grep" | |
exit 1 | |
fi | |
printf "packages=%s\n" "$*" > "$GITHUB_OUTPUT" | |
build: | |
name: Test building of packages | |
strategy: | |
matrix: | |
arch: ["x86_64", "aarch64"] | |
include: | |
- arch: x86_64 | |
runner: ubuntu-latest-16-cores | |
oci: amd64 | |
- arch: aarch64 | |
runner: ubuntu-arm-16-cores | |
oci: arm64 | |
fail-fast: false | |
runs-on: ${{ matrix.runner }} | |
needs: changes | |
outputs: | |
packages_were_built: ${{ steps.file_check.outputs.exists }} | |
permissions: | |
contents: read | |
pull-requests: write # so we have permission to comment on pull requests | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
egress-policy: audit | |
- name: Free up runner disk space | |
run: | | |
set -x | |
printf "==> Available space before cleanup\n" | |
df -h | |
rm -rf /usr/share/dotnet | |
rm -rf "$AGENT_TOOLSDIRECTORY" | |
printf "==> Available space after cleanup\n" | |
df -h | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Setup Docker | |
run: | | |
# Add Docker's official GPG key: | |
sudo apt-get update -y | |
sudo apt-get install ca-certificates curl -y | |
sudo install -m 0755 -d /etc/apt/keyrings | |
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc | |
sudo chmod a+r /etc/apt/keyrings/docker.asc | |
# Add the repository to Apt sources: | |
echo \ | |
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \ | |
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \ | |
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null | |
sudo apt-get update -y | |
sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin | |
sudo usermod -aG docker $USER | |
sudo apt-get install acl | |
sudo setfacl --modify user:$USER:rw /var/run/docker.sock | |
- name: "Generate local signing key" | |
uses: ./.github/actions/docker-run | |
with: | |
run: | | |
make MELANGE="melange" local-melange.rsa | |
- name: "Build Wolfi" | |
uses: ./.github/actions/docker-run | |
with: | |
opts: "-v /temp:/temp -v /var/run/docker.sock:/var/run/docker.sock" | |
run: | | |
# Use a different shared $TMPDIR accessible and non-conflicting to | |
# both the host and container since we're running docker out of | |
# docker | |
export TMPDIR="/temp" | |
# This is to avoid fatal errors about "dubious ownership" because we are | |
# running inside of a container action with the workspace mounted in. | |
git config --global --add safe.directory . | |
mkdir -p .melangecache | |
for package in ${{needs.changes.outputs.packages}}; do | |
make MELANGE_EXTRA_OPTS="--create-build-log --cache-dir=.melangecache" REPO="./packages" package/$package -j1 | |
make MELANGE_EXTRA_OPTS="--runner docker" REPO="./packages" "test/$package" -j1 | |
done | |
- name: "Check that packages can be installed with apk add" | |
uses: ./.github/actions/docker-run | |
with: | |
run: | | |
# Create a fake linux fs under /tmp/emptyroot to pass to `apk --root`. | |
mkdir -p /tmp/emptyroot/etc/apk | |
cp -r /etc/apk/* /tmp/emptyroot/etc/apk/ | |
cat /dev/null > /tmp/emptyroot/etc/apk/world | |
mkdir -p /tmp/emptyroot/lib/apk/db | |
touch /tmp/emptyroot/lib/apk/db/{installed,lock,scripts.tar,triggers} | |
mkdir -p /tmp/emptyroot/var/cache/apk | |
apk update --root /tmp/emptyroot | |
# Find .apk files and add them to the string | |
for f in $(find packages -name '*.apk'); do | |
tar -Oxf "$f" .PKGINFO | |
apk add --root /tmp/emptyroot --repository "./packages" --allow-untrusted --simulate "$f" | |
done | |
- name: Reset file permissions | |
run: | | |
sudo chown -R $(id -u):$(id -g) . | |
- name: Check SBOMs | |
uses: ./.github/actions/docker-run | |
with: | |
run: | | |
apk add spdx-tools-java | |
for f in $(find packages -name '*.apk'); do | |
echo "==== Checking SBOM for $f ====" | |
tar -Oxf "$f" var/lib/db/sbom/ > sbom.json | |
echo ::group::sbom.json | |
cat sbom.json | |
echo ::endgroup:: | |
tools-java Verify sbom.json | |
done | |
- name: Check for file | |
id: file_check | |
run: | | |
if test -f "packages.log"; then | |
cat packages.log | |
echo "exists=true" >> $GITHUB_OUTPUT | |
else | |
echo "exists=false" >> $GITHUB_OUTPUT | |
fi | |
touch packages.log | |
- name: Check diff | |
if: steps.file_check.outputs.exists == 'true' | |
# Let's not fail the whole job if this step fails as it is for improved UX rather than an enforced check | |
continue-on-error: true | |
uses: ./.github/actions/docker-run | |
with: | |
run: | | |
wolfictl check diff | |
- name: Check for diff file | |
id: diff_file_check | |
run: | | |
if test -f "diff.log"; then | |
cat diff.log | |
echo "exists=true" >> $GITHUB_OUTPUT | |
else | |
echo "exists=false" >> $GITHUB_OUTPUT | |
fi | |
# Use the x86_64 build results for the comment for now so we don't have duplicates. | |
- name: PR comment diff | |
if: steps.diff_file_check.outputs.exists == 'true' && matrix.arch == 'x86_64' | |
uses: thollander/actions-comment-pull-request@e2c37e53a7d2227b61585343765f73a9ca57eda9 # v3.0.0 | |
# We're seeing jobs using merge queues fail | |
continue-on-error: true | |
with: | |
file-path: diff.log | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
- name: "Upload built packages to GitHub artifacts" | |
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
with: | |
path: | | |
./packages/${{ matrix.arch }} | |
./packages.log | |
name: packages-${{ matrix.arch }} | |
retention-days: 1 | |
if-no-files-found: warn | |
so_check: | |
permissions: | |
contents: read | |
name: "ABI Compatibility check" | |
runs-on: ubuntu-latest | |
needs: build | |
if: needs.build.outputs.packages_were_built == 'true' | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
egress-policy: audit | |
- name: "Retrieve x86_64 packages" | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: packages-x86_64 | |
path: /tmp/artifacts-1/ | |
- name: "Retrieve aarch64 packages" | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: packages-aarch64 | |
path: /tmp/artifacts-2/ | |
- name: "Collect packages from all architectures into one place" | |
run: | | |
cd /tmp/artifacts-1 | |
# Put the packages into one place (if aarch64 logs exist) | |
if test -f "/tmp/artifacts-2/packages"; then | |
mv /tmp/artifacts-2/packages/* ./packages/ | |
# Merge the build log ("packages.log") files | |
cat /tmp/artifacts-2/packages.log >> ./packages.log | |
fi | |
# this need to point to main to always get the latest action | |
- uses: wolfi-dev/actions/install-wolfictl@main # main | |
- name: Soname check | |
run: | | |
wolfictl check so-name --packages-dir /tmp/artifacts-1/packages --package-list-file /tmp/artifacts-1/packages.log | |
scan: | |
permissions: | |
contents: read | |
name: "Scan packages for CVEs" | |
runs-on: ubuntu-latest | |
needs: build | |
if: needs.build.outputs.packages_were_built == 'true' | |
timeout-minutes: 30 | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
egress-policy: audit | |
- name: "Retrieve x86_64 packages" | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: packages-x86_64 | |
path: /tmp/artifacts-1/ | |
- name: "Retrieve aarch64 packages" | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: packages-aarch64 | |
path: /tmp/artifacts-2/ | |
- name: "Collect packages from all architectures into one place" | |
run: | | |
cd /tmp/artifacts-1 | |
# Put the packages into one place (if aarch64 logs exist) | |
if test -f "/tmp/artifacts-2/packages"; then | |
mv /tmp/artifacts-2/packages/* ./packages/ | |
# Merge the build log ("packages.log") files | |
cat /tmp/artifacts-2/packages.log >> ./packages.log | |
fi | |
- name: "Retrieve Wolfi advisory data" | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
repository: "wolfi-dev/advisories" | |
path: "data/wolfi-advisories" | |
# this need to point to main to always get the latest action | |
- uses: wolfi-dev/actions/install-wolfictl@main # main | |
- name: Scan for CVEs | |
run: | | |
stderrf="/tmp/scan.stderr" | |
wolfictl scan \ | |
--build-log \ | |
--advisories-repo-dir 'data/wolfi-advisories' \ | |
--advisory-filter 'resolved' \ | |
--require-zero \ | |
/tmp/artifacts-1 \ | |
2> "$stderrf" && rc=0 || rc=$? | |
# The error message renders strangely on GitHub Actions so it is | |
# captured and shown only if it does not match expected "vulnerabilities found" | |
if [ $rc -ne 0 ] && | |
! grep -qi "vulnerabilities found" "$stderrf"; then | |
echo "Unexpected error content" 1>&2 | |
sed 's,^,| ,' "$stderrf" 1>&2 | |
fi | |
rm -f "$stderrf" | |
exit $rc |