This repository has been archived by the owner on May 7, 2024. It is now read-only.
chore(pkgs): automatic update of 3rd party packages #505
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: build | |
on: | |
push: | |
branches: | |
- main | |
paths: | |
- images/** | |
- '**.mk' | |
- .github/workflows/build.yaml | |
pull_request: | |
branches: | |
- main | |
paths: | |
- images/** | |
- '**.mk' | |
- .github/workflows/build.yaml | |
workflow_dispatch: | |
inputs: | |
folders: | |
description: 'Folders to build' | |
required: true | |
default: '' | |
permissions: read-all | |
jobs: | |
generate_build_input: | |
name: "Generate build input" | |
runs-on: ubuntu-latest | |
outputs: | |
folders_to_build: ${{ env.FOLDERS }} | |
steps: | |
- name: Check out source code | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Read modified folders from parameters | |
if: ${{ github.event_name == 'workflow_dispatch' }} | |
run: | | |
echo "CANDIDATE_FOLDERS=${{ github.event.inputs.folders }}" >> $GITHUB_ENV | |
- name: Read modified files from commit | |
id: changed_files | |
if: ${{ github.event_name != 'workflow_dispatch' }} | |
uses: tj-actions/changed-files@v35 | |
with: | |
files: | | |
images/** | |
*.mk | |
- name: Identify modified folders from commit | |
if: ${{ github.event_name != 'workflow_dispatch' }} | |
run: | | |
set -x | |
cd ${GITHUB_WORKSPACE} | |
folders="" | |
for changed_file in ${{ steps.changed_files.outputs.all_modified_files }}; do | |
if [[ "${changed_file}" == *.mk ]]; then | |
# use make magic to identify which makefiles under images include a particular .mk under repo root | |
for folder in $(ls ./images/); do | |
if make -pn -C ./images/${folder} | grep $(basename ${changed_file}); then | |
folders="${folders} ${folder}" | |
fi | |
done | |
fi | |
folder=$(echo ${changed_file} | awk -F / '{print $2}') | |
folders="${folders} ${folder}" | |
done | |
folders=$(echo ${folders} | tr ' ' '\n' | sort -u | tr '\n' ' ') | |
echo CANDIDATE_FOLDERS="${folders}" >> $GITHUB_ENV | |
- name: Validate folders to build | |
run: | | |
set -x | |
for folder in ${CANDIDATE_FOLDERS}; do | |
[ -f "${GITHUB_WORKSPACE}/images/${folder}/stacker.yaml" ] && [ -f "${GITHUB_WORKSPACE}/images/${folder}/Makefile" ] && folders="${folders} ${folder}" | |
done | |
folders=$(echo ${folders} | xargs echo -n) | |
if [ -z "${folders}" ]; then | |
echo "No valid folders to build" | |
if [[ ${{ github.event_name }} == 'workflow_dispatch' ]]; then | |
echo "Manually triggered build needs valid folders to build" | |
exit 1 | |
else | |
echo "Build will not fail as it is triggered automatically" | |
echo "FOLDERS=" >> $GITHUB_ENV | |
exit 0 | |
fi | |
fi | |
# Obtain images modified indirectly | |
folders=$(make build-candidates SUBDIRS="${folders}" | tail -n 1) | |
echo "FOLDERS=${folders}" >> $GITHUB_ENV | |
build: | |
name: Build only | |
needs: [generate_build_input] | |
if: | | |
(github.ref != 'refs/heads/main') && | |
(needs.generate_build_input.outputs.folders_to_build != '') | |
runs-on: ubuntu-latest | |
timeout-minutes: 30 | |
strategy: | |
max-parallel: 3 | |
matrix: | |
os: | |
- linux | |
arch: | |
- amd64 | |
distro: | |
- debian-bullseye | |
- ubuntu-jammy | |
- rockylinux-9 | |
steps: | |
- name: Check out source code | |
uses: actions/checkout@v3 | |
- name: Setup env vars | |
run: | | |
distro=${{ matrix.distro }} | |
x=$(echo $distro | tr '-' ' ') | |
DISTRO=$(echo $x| awk '{print $1}') | |
echo DISTRO=$DISTRO >> $GITHUB_ENV | |
DISTRO_REL=$(echo $x| awk '{print $2}') | |
echo DISTRO_REL=$DISTRO_REL >> $GITHUB_ENV | |
echo ARCH=${{ matrix.arch }} >> $GITHUB_ENV | |
echo OS=${{ matrix.os }} >> $GITHUB_ENV | |
echo SUBDIRS="${{needs.generate_build_input.outputs.folders_to_build}}" >> $GITHUB_ENV | |
echo ZOT_VERSION="v2.0.0-rc3" >> $GITHUB_ENV | |
echo DEFAULT_BRANCH=origin/${{ github.event.repository.default_branch }} >> $GITHUB_ENV | |
- name: Run zot container image with podman | |
run: | | |
wget -N https://raw.githubusercontent.com/project-zot/zot/${ZOT_VERSION}/examples/config-cve.json | |
sed -i s/127\.0\.0\.1/0.0.0.0/g config-cve.json | |
sed -i s/8080/5000/g config-cve.json | |
podman run -d -p 5000:5000 -v $PWD/config-cve.json:/etc/zot/config.json ghcr.io/project-zot/zot-linux-amd64:${ZOT_VERSION} | |
- name: Fetch all commits | |
run: | | |
# Needed in order to check commit order later | |
cd ${GITHUB_WORKSPACE} | |
git fetch --all | |
- name: Build container images | |
run: | | |
cd ${GITHUB_WORKSPACE} | |
echo "Building ${SUBDIRS}" | |
# for building PRs PUBLISH_URL points to the public server, so we can download unchanged images | |
make build \ | |
SUBDIRS="${SUBDIRS}" \ | |
PUBLISH_URL=docker://zothub.io/c3 | |
- name: Test container images | |
run: | | |
cd ${GITHUB_WORKSPACE} | |
echo "Testing ${SUBDIRS}" | |
make test SUBDIRS="${SUBDIRS}" | |
- name: Push container images | |
run: | | |
cd ${GITHUB_WORKSPACE} | |
echo "Pushing ${SUBDIRS}" | |
# for publishing PRs PUBLISH_URL points to the local server so we can later run the CVE scanner | |
# without having to push images to the public server | |
make publish \ | |
SUBDIRS="${SUBDIRS}" \ | |
PUBLISH_URL=docker://localhost:5000/c3 \ | |
PUBLISH_EXTRA_ARGS="--skip-tls" \ | |
PULL_EXTRA_ARGS="--src-tls-verify=false" | |
- name: Scan container images | |
run: | | |
set -x | |
cd ${GITHUB_WORKSPACE} | |
# download zli | |
wget -N https://github.com/project-zot/zot/releases/download/${ZOT_VERSION}/zli-linux-amd64 -O hack/tools/bin/zli | |
chmod +x hack/tools/bin/zli | |
hack/tools/bin/zli config add local http://localhost:5000 | |
hack/tools/bin/zli config local verify-tls false | |
hack/tools/bin/zli config local showspinner false | |
# there is an assumption that every folder contains a single image defined | |
# in the stacker yaml, having the same name as the folder | |
for folder in ${SUBDIRS}; do | |
tags="$(make -C images/${folder} --no-print-directory tags)" | |
for tag in ${tags}; do | |
hack/tools/bin/zli cve local -I c3/${DISTRO}/${folder}-${ARCH}:${tag} | |
done | |
done | |
build_publish: | |
name: Build and publish | |
needs: [generate_build_input] | |
if: | | |
(github.ref == 'refs/heads/main') && | |
(needs.generate_build_input.outputs.folders_to_build != '') | |
runs-on: ubuntu-latest | |
timeout-minutes: 30 | |
env: | |
DOCKER_CONFIG: $HOME/.docker | |
strategy: | |
max-parallel: 3 | |
matrix: | |
os: | |
- linux | |
arch: | |
- amd64 | |
distro: | |
- debian-bullseye | |
- ubuntu-jammy | |
- rockylinux-9 | |
steps: | |
- name: Check out source code | |
uses: actions/checkout@v3 | |
- name: Setup env vars | |
run: | | |
distro=${{ matrix.distro }} | |
x=$(echo $distro | tr '-' ' ') | |
DISTRO=$(echo $x| awk '{print $1}') | |
echo DISTRO=$DISTRO >> $GITHUB_ENV | |
DISTRO_REL=$(echo $x| awk '{print $2}') | |
echo DISTRO_REL=$DISTRO_REL >> $GITHUB_ENV | |
echo ARCH=${{ matrix.arch }} >> $GITHUB_ENV | |
echo OS=${{ matrix.os }} >> $GITHUB_ENV | |
echo SUBDIRS="${{needs.generate_build_input.outputs.folders_to_build}}" >> $GITHUB_ENV | |
echo ZOT_VERSION="v1.4.3" >> $GITHUB_ENV | |
echo DEFAULT_BRANCH=origin/${{ github.event.repository.default_branch }} >> $GITHUB_ENV | |
- name: Fetch all commits | |
run: | | |
cd ${GITHUB_WORKSPACE} | |
# Needed in order to check commit order later | |
git fetch --all | |
- name: Build container images | |
run: | | |
cd ${GITHUB_WORKSPACE} | |
echo "Building ${SUBDIRS}" | |
make build \ | |
SUBDIRS="${SUBDIRS}" \ | |
PUBLISH_URL=docker://zothub.io/c3 | |
- name: Test container images | |
run: | | |
cd ${GITHUB_WORKSPACE} | |
echo "Testing ${SUBDIRS}" | |
make test SUBDIRS="${SUBDIRS}" | |
- name: Push container images | |
env: | |
PUBLISH_USERNAME: ${{ secrets.ZOTHUB_USERNAME }} | |
PUBLISH_PASSWORD: ${{ secrets.ZOTHUB_PASSWORD }} | |
run: | | |
cd ${GITHUB_WORKSPACE} | |
echo "Pushing ${SUBDIRS}" | |
make publish \ | |
SUBDIRS="${SUBDIRS}" \ | |
PUBLISH_URL=docker://zothub.io/c3 | |
- name: Scan container images | |
run: | | |
set -x | |
cd ${GITHUB_WORKSPACE} | |
# download zli | |
wget -N https://github.com/project-zot/zot/releases/download/${ZOT_VERSION}/zli-linux-amd64 -O hack/tools/bin/zli | |
chmod +x hack/tools/bin/zli | |
hack/tools/bin/zli config add zothub https://zothub.io | |
hack/tools/bin/zli config zothub showspinner false | |
# there is an assumption that every folder contains a single image defined | |
# in the stacker yaml, having the same name as the folder | |
for folder in ${SUBDIRS}; do | |
tags="$(make -C images/${folder} --no-print-directory tags)" | |
for tag in ${tags}; do | |
hack/tools/bin/zli cve zothub -I c3/${DISTRO}/${folder}-${ARCH}:${tag} | |
done | |
done | |
- name: Login to zothub.io Registry | |
uses: docker/login-action@v2 | |
with: | |
registry: zothub.io | |
username: ${{ secrets.ZOTHUB_USERNAME }} | |
password: ${{ secrets.ZOTHUB_PASSWORD }} | |
- name: Install go | |
uses: actions/setup-go@v3 | |
with: | |
go-version: 1.18 | |
check-latest: true | |
- name: Install Cosign | |
uses: sigstore/cosign-installer@main | |
with: | |
cosign-release: main | |
- name: Check cosign install! | |
run: cosign version | |
- name: Sign image with a key | |
run: | | |
# there is an assumption that every folder contains a single image defined | |
# in the stacker yaml, having the same name as the folder | |
for folder in ${SUBDIRS}; do | |
tags="$(make -C images/${folder} --no-print-directory tags)" | |
for tag in ${tags}; do | |
cosign sign --key env://COSIGN_PRIVATE_KEY zothub.io/c3/${DISTRO}/${folder}-${ARCH}:${tag} | |
# Need to retest squashfs builds, getting some errors locally | |
# cosign sign --key env://COSIGN_PRIVATE_KEY zothub.io/c3/${DISTRO}/${folder}-${ARCH}:${tag}-squashfs | |
done | |
done | |
env: | |
COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}} | |
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} |