Skip to content

Update images digests #61861

Update images digests

Update images digests #61861

Workflow file for this run

name: CI build action
on:
pull_request:
branches: ["main"]
push:
branches:
- gh-readonly-queue/main/**
permissions:
contents: read
jobs:
changes:
permissions:
contents: read
name: Determine packages to test building
runs-on: ubuntu-latest
outputs:
packages: ${{steps.package-list.outputs.packages}}
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Look for changed files
id: changes
uses: tj-actions/changed-files@c3a1bb2c992d77180ae65be6ae6c166cf40f857c # v45.0.3
with:
files_yaml: |
melange:
- ./*.yaml # Only top level files without structure
- ./*/*/*.melange.yaml # Support recursive melange files with the new naming convention.
# this need to point to main to always get the latest action
- uses: wolfi-dev/actions/install-wolfictl@main # main
# Assuming that we have a list of changed files such as `foo.yaml` and `bar.yaml`, this
# strips the list down into `foo` and `bar`.
- name: Build package list
id: package-list
run: |
set +f # disable pathname expansion
wolfictl text -t name --pipeline-dir=./pipelines/ \
-r https://packages.wolfi.dev/bootstrap/stage3 \
-k https://packages.wolfi.dev/bootstrap/stage3/wolfi-signing.rsa.pub > all-packages-list
echo "all-packages-list has $(wc -l < all-packages-list)"
n=0
for f in ${{ steps.changes.outputs.melange_all_changed_files }}; do
# filter anything not .yaml
case "$f" in
*/pipelines/*) continue;;
*.yaml) :;;
*) continue;;
esac
pkg=${f##*/}
pkg=${pkg%.yaml}
pkg=${pkg%.melange.yaml}
n=$((n+1))
echo "$pkg"
done > changed-packages-list
echo "changed-packages-list has $n"
rc=0
grep --fixed-strings --line-regexp \
--file=changed-packages-list all-packages-list \
> packages-to-build || rc=$?
tobuild=$(wc -l < packages-to-build)
if [ $rc -eq 0 ]; then
echo "build these $tobuild packages in order"
sed 's/^/> /' packages-to-build
set -- $(cat packages-to-build)
elif [ $rc -eq 1 ]; then
echo "packages-to-build is empty - did not find any changed packages"
set --
else
echo "ERROR: unexpected error $rc from grep"
exit 1
fi
printf "packages=%s\n" "$*" > "$GITHUB_OUTPUT"
build:
name: Test building of packages
strategy:
matrix:
arch: ["x86_64", "aarch64"]
include:
- arch: x86_64
runner: ubuntu-latest-16-cores
oci: amd64
- arch: aarch64
runner: ubuntu-arm-16-cores
oci: arm64
fail-fast: false
runs-on: ${{ matrix.runner }}
needs: changes
outputs:
packages_were_built: ${{ steps.file_check.outputs.exists }}
permissions:
contents: read
pull-requests: write # so we have permission to comment on pull requests
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: Free up runner disk space
run: |
set -x
printf "==> Available space before cleanup\n"
df -h
rm -rf /usr/share/dotnet
rm -rf "$AGENT_TOOLSDIRECTORY"
printf "==> Available space after cleanup\n"
df -h
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup Docker
run: |
# Add Docker's official GPG key:
sudo apt-get update -y
sudo apt-get install ca-certificates curl -y
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
# Add the repository to Apt sources:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update -y
sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
sudo usermod -aG docker $USER
sudo apt-get install acl
sudo setfacl --modify user:$USER:rw /var/run/docker.sock
- name: "Generate local signing key"
uses: ./.github/actions/docker-run
with:
run: |
make MELANGE="melange" local-melange.rsa
- name: "Build Wolfi"
uses: ./.github/actions/docker-run
with:
opts: "-v /temp:/temp -v /var/run/docker.sock:/var/run/docker.sock"
run: |
# Use a different shared $TMPDIR accessible and non-conflicting to
# both the host and container since we're running docker out of
# docker
export TMPDIR="/temp"
# This is to avoid fatal errors about "dubious ownership" because we are
# running inside of a container action with the workspace mounted in.
git config --global --add safe.directory .
mkdir -p .melangecache
for package in ${{needs.changes.outputs.packages}}; do
make MELANGE_EXTRA_OPTS="--create-build-log --cache-dir=.melangecache" REPO="./packages" package/$package -j1
make MELANGE_EXTRA_OPTS="--runner docker" REPO="./packages" "test/$package" -j1
done
- name: "Check that packages can be installed with apk add"
uses: ./.github/actions/docker-run
with:
run: |
# Create a fake linux fs under /tmp/emptyroot to pass to `apk --root`.
mkdir -p /tmp/emptyroot/etc/apk
cp -r /etc/apk/* /tmp/emptyroot/etc/apk/
cat /dev/null > /tmp/emptyroot/etc/apk/world
mkdir -p /tmp/emptyroot/lib/apk/db
touch /tmp/emptyroot/lib/apk/db/{installed,lock,scripts.tar,triggers}
mkdir -p /tmp/emptyroot/var/cache/apk
apk update --root /tmp/emptyroot
# Find .apk files and add them to the string
for f in $(find packages -name '*.apk'); do
tar -Oxf "$f" .PKGINFO
apk add --root /tmp/emptyroot --repository "./packages" --allow-untrusted --simulate "$f"
done
- name: Reset file permissions
run: |
sudo chown -R $(id -u):$(id -g) .
- name: Check SBOMs
uses: ./.github/actions/docker-run
with:
run: |
apk add spdx-tools-java
for f in $(find packages -name '*.apk'); do
echo "==== Checking SBOM for $f ===="
tar -Oxf "$f" var/lib/db/sbom/ > sbom.json
echo ::group::sbom.json
cat sbom.json
echo ::endgroup::
tools-java Verify sbom.json
done
- name: Check for file
id: file_check
run: |
if test -f "packages.log"; then
cat packages.log
echo "exists=true" >> $GITHUB_OUTPUT
else
echo "exists=false" >> $GITHUB_OUTPUT
fi
touch packages.log
- name: Check diff
if: steps.file_check.outputs.exists == 'true'
# Let's not fail the whole job if this step fails as it is for improved UX rather than an enforced check
continue-on-error: true
uses: ./.github/actions/docker-run
with:
run: |
wolfictl check diff
- name: Check for diff file
id: diff_file_check
run: |
if test -f "diff.log"; then
cat diff.log
echo "exists=true" >> $GITHUB_OUTPUT
else
echo "exists=false" >> $GITHUB_OUTPUT
fi
# Use the x86_64 build results for the comment for now so we don't have duplicates.
- name: PR comment diff
if: steps.diff_file_check.outputs.exists == 'true' && matrix.arch == 'x86_64'
uses: thollander/actions-comment-pull-request@e2c37e53a7d2227b61585343765f73a9ca57eda9 # v3.0.0
# We're seeing jobs using merge queues fail
continue-on-error: true
with:
file-path: diff.log
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: "Upload built packages to GitHub artifacts"
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
path: |
./packages/${{ matrix.arch }}
./packages.log
name: packages-${{ matrix.arch }}
retention-days: 1
if-no-files-found: warn
so_check:
permissions:
contents: read
name: "ABI Compatibility check"
runs-on: ubuntu-latest
needs: build
if: needs.build.outputs.packages_were_built == 'true'
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: "Retrieve x86_64 packages"
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: packages-x86_64
path: /tmp/artifacts-1/
- name: "Retrieve aarch64 packages"
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: packages-aarch64
path: /tmp/artifacts-2/
- name: "Collect packages from all architectures into one place"
run: |
cd /tmp/artifacts-1
# Put the packages into one place (if aarch64 logs exist)
if test -f "/tmp/artifacts-2/packages"; then
mv /tmp/artifacts-2/packages/* ./packages/
# Merge the build log ("packages.log") files
cat /tmp/artifacts-2/packages.log >> ./packages.log
fi
# this need to point to main to always get the latest action
- uses: wolfi-dev/actions/install-wolfictl@main # main
- name: Soname check
run: |
wolfictl check so-name --packages-dir /tmp/artifacts-1/packages --package-list-file /tmp/artifacts-1/packages.log
scan:
permissions:
contents: read
name: "Scan packages for CVEs"
runs-on: ubuntu-latest
needs: build
if: needs.build.outputs.packages_were_built == 'true'
timeout-minutes: 30
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: "Retrieve x86_64 packages"
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: packages-x86_64
path: /tmp/artifacts-1/
- name: "Retrieve aarch64 packages"
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: packages-aarch64
path: /tmp/artifacts-2/
- name: "Collect packages from all architectures into one place"
run: |
cd /tmp/artifacts-1
# Put the packages into one place (if aarch64 logs exist)
if test -f "/tmp/artifacts-2/packages"; then
mv /tmp/artifacts-2/packages/* ./packages/
# Merge the build log ("packages.log") files
cat /tmp/artifacts-2/packages.log >> ./packages.log
fi
- name: "Retrieve Wolfi advisory data"
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
repository: "wolfi-dev/advisories"
path: "data/wolfi-advisories"
# this need to point to main to always get the latest action
- uses: wolfi-dev/actions/install-wolfictl@main # main
- name: Scan for CVEs
run: |
stderrf="/tmp/scan.stderr"
wolfictl scan \
--build-log \
--advisories-repo-dir 'data/wolfi-advisories' \
--advisory-filter 'resolved' \
--require-zero \
/tmp/artifacts-1 \
2> "$stderrf" && rc=0 || rc=$?
# The error message renders strangely on GitHub Actions so it is
# captured and shown only if it does not match expected "vulnerabilities found"
if [ $rc -ne 0 ] &&
! grep -qi "vulnerabilities found" "$stderrf"; then
echo "Unexpected error content" 1>&2
sed 's,^,| ,' "$stderrf" 1>&2
fi
rm -f "$stderrf"
exit $rc