Make solving multi-architecture aware #2011
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build Images | |
| on: | |
| pull_request: | |
| branches: [ "main" ] | |
| push: | |
| branches: [ "main" ] | |
| workflow_dispatch: | |
| jobs: | |
| # Build a single-arch nginx image for each arch. | |
| build-nginx-on-all-arches: | |
| name: build-nginx-all-arches | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| arch: [x86_64, "386", armv7, aarch64, riscv64, s390x, ppc64le] | |
| steps: | |
| - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v2.1.5 | |
| with: | |
| go-version-file: 'go.mod' | |
| - name: Setup QEMU | |
| uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 | |
| - run: | | |
| make apko | |
| ./apko build ./examples/nginx.yaml nginx:build /tmp/nginx-${{ matrix.arch }}.tar --arch ${{ matrix.arch }} | |
| - name: Check SBOM Conformance | |
| run: | | |
| set -euxo pipefail | |
| if ! ls *.spdx.json; then | |
| echo "no SBOMs found!" | |
| exit 1 | |
| fi | |
| for f in *.spdx.json; do | |
| echo ::group::sbom.json | |
| cat $f | |
| echo ::endgroup:: | |
| docker run --rm -v $(pwd)/$f:/sbom.json cgr.dev/chainguard/ntia-conformance-checker -v --file /sbom.json | |
| done | |
| # Build a multi-arch nginx image for all archs. | |
| build-nginx-multiarch: | |
| name: build-nginx-multiarch | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v2.1.5 | |
| with: | |
| go-version-file: 'go.mod' | |
| - run: | | |
| make apko | |
| ./apko build ./examples/nginx.yaml nginx:build /tmp/nginx.tar | |
| - name: Check SBOM Conformance | |
| run: | | |
| set -euxo pipefail | |
| for f in *.spdx.json; do | |
| echo ::group::sbom.json | |
| cat $f | |
| echo ::endgroup:: | |
| docker run --rm -v $(pwd)/$f:/sbom.json cgr.dev/chainguard/ntia-conformance-checker -v --file /sbom.json | |
| done | |
| build-all-examples-one-arch: | |
| name: build-all-examples-amd64 | |
| permissions: | |
| contents: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| platform: [ubuntu-latest, macos-latest] | |
| runs-on: ${{ matrix.platform }} | |
| steps: | |
| - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v2.1.5 | |
| with: | |
| go-version-file: 'go.mod' | |
| - uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4 | |
| - run: | | |
| make apko | |
| for cfg in $(find ./examples/ -name '*.yaml'); do | |
| name=$(basename ${cfg} .yaml) | |
| build_script=$(dirname ${cfg})/build.sh | |
| if [ -f ${build_script} ]; then | |
| ${build_script} ./apko | |
| else | |
| ./apko build ${cfg} ${name}:build /tmp/${name}.tar --arch amd64 | |
| fi | |
| done | |
| build-alpine-source-date-epoch: | |
| name: source-date-epoch | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v2.1.5 | |
| with: | |
| go-version-file: 'go.mod' | |
| - uses: chainguard-dev/actions/setup-registry@main | |
| with: | |
| port: 5000 | |
| - name: build image (w/ source date epoch) | |
| env: | |
| SOURCE_DATE_EPOCH: "0" | |
| run: | | |
| make apko | |
| FIRST=$(./apko publish ./examples/alpine-base.yaml localhost:5000/alpine 2> /dev/null) | |
| for idx in {2..10} | |
| do | |
| NEXT=$(./apko publish ./examples/alpine-base.yaml localhost:5000/alpine 2> /dev/null) | |
| if [ "${FIRST}" = "${NEXT}" ]; then | |
| echo "Build ${idx} matches." | |
| else | |
| echo "Build ${idx} differs: ${FIRST} and ${NEXT}" | |
| exit 1 | |
| fi | |
| done | |
| build-alpine-build-date-epoch: | |
| name: build-date-epoch | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v2.1.5 | |
| with: | |
| go-version-file: 'go.mod' | |
| - uses: chainguard-dev/actions/setup-registry@main | |
| with: | |
| port: 5000 | |
| - name: build image (w/ build date epoch) | |
| run: | | |
| make apko | |
| # Without SOURCE_DATE_EPOCH set, the timestamp of the image will be computed to be | |
| # the maximum build date of the resolved APKs. | |
| FIRST=$(./apko publish ./examples/alpine-base.yaml localhost:5000/alpine 2> /dev/null) | |
| for idx in {2..10} | |
| do | |
| NEXT=$(./apko publish ./examples/alpine-base.yaml localhost:5000/alpine 2> /dev/null) | |
| if [ "${FIRST}" = "${NEXT}" ]; then | |
| echo "Build ${idx} matches." | |
| else | |
| echo "Build ${idx} differs: ${FIRST} and ${NEXT}" | |
| exit 1 | |
| fi | |
| done | |
| annotations: | |
| name: annotations | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v2.1.5 | |
| with: | |
| go-version: "1.21" | |
| check-latest: true | |
| - uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4 | |
| - uses: chainguard-dev/actions/setup-registry@main | |
| with: | |
| port: 5000 | |
| - run: | | |
| make apko | |
| # Build image with annotations. | |
| ref=$(./apko publish ./examples/nginx.yaml localhost:5000/nginx) | |
| # Check index annotations. | |
| crane manifest $ref | jq -r '.annotations.foo' | grep bar | |
| # Check per-image annotations. | |
| crane manifest --platform=linux/arm64 $ref | jq -r '.annotations.foo' | grep bar |