Update images digests #32060
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI build action | |
on: | |
pull_request: | |
branches: ['main'] | |
push: | |
branches: | |
- gh-readonly-queue/main/** | |
jobs: | |
changes: | |
permissions: | |
contents: read | |
name: Determine packages to test building | |
runs-on: ubuntu-latest | |
outputs: | |
packages: ${{steps.package-list.outputs.packages}} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Look for changed files | |
id: changes | |
uses: tj-actions/changed-files@716b1e13042866565e00e85fd4ec490e186c4a2f #tj-actions/changed-files@v41.0.1 | |
with: | |
files_yaml: | | |
melange: | |
- ./*.yaml # Only top level files without structure | |
- ./*/*/*.melange.yaml # Support recursive melange files with the new naming convention. | |
- name: "Install wolfictl onto PATH" | |
run: | | |
# Copy wolfictl out of the wolfictl image and onto PATH | |
TMP=$(mktemp -d) | |
docker run --rm -i -v $TMP:/out --entrypoint /bin/sh ghcr.io/wolfi-dev/sdk:latest@sha256:9bc0db73ea7d4b55b0aa73308c4525965ddd591cb6278475eba14463244ca635 -c "cp /usr/bin/wolfictl /out" | |
echo "$TMP" >> $GITHUB_PATH | |
# Assuming that we have a list of changed files such as `foo.yaml` and `bar.yaml`, this | |
# strips the list down into `foo` and `bar`. | |
- name: Build package list | |
id: package-list | |
run: | | |
printf "packages=" >> $GITHUB_OUTPUT | |
wolfictl text -t name --pipeline-dir=./pipelines/ \ | |
-r https://packages.wolfi.dev/bootstrap/stage3 \ | |
-k https://packages.wolfi.dev/bootstrap/stage3/wolfi-signing.rsa.pub > packages-list | |
while read pkg; do | |
for file in ${{ steps.changes.outputs.melange_all_changed_files }}; do | |
# Since the file is a path, we need to strip out only the file | |
# name from it. | |
base_file=$(basename $file) | |
base_file="${base_file%.melange.yaml}" | |
base_file="${base_file%.yaml}" | |
printf "base_file: $base_file" | |
[ "${base_file}" = "$pkg" ] && printf "%s " ${base_file} >> $GITHUB_OUTPUT | |
done | |
done < packages-list | |
printf "\n" >> $GITHUB_OUTPUT | |
build: | |
name: Test building of packages | |
strategy: | |
matrix: | |
arch: [ "x86_64", "aarch64" ] | |
fail-fast: false | |
runs-on: | |
group: wolfi-builder-${{ matrix.arch }} | |
needs: changes | |
container: | |
image: ghcr.io/wolfi-dev/sdk:latest@sha256:9bc0db73ea7d4b55b0aa73308c4525965ddd591cb6278475eba14463244ca635 | |
options: | | |
--cap-add NET_ADMIN --cap-add SYS_ADMIN --security-opt seccomp=unconfined --security-opt apparmor:unconfined | |
outputs: | |
packages_were_built: ${{ steps.file_check.outputs.exists }} | |
permissions: | |
contents: read | |
pull-requests: write # so we have permission to comment on pull requests | |
steps: | |
- name: Free up runner disk space | |
run: | | |
set -x | |
rm -rf /usr/share/dotnet | |
rm -rf "$AGENT_TOOLSDIRECTORY" | |
- uses: actions/checkout@v4 | |
- name: 'Trust the github workspace' | |
run: | | |
# This is to avoid fatal errors about "dubious ownership" because we are | |
# running inside of a container action with the workspace mounted in. | |
git config --global --add safe.directory "$GITHUB_WORKSPACE" | |
- name: 'Generate local signing key' | |
run: | | |
make MELANGE="melange" local-melange.rsa | |
- name: 'Build Wolfi' | |
run: | | |
# Setup the melange cache dir on the host so we can use that in subsequent builds | |
mkdir ../.melangecache | |
for package in ${{needs.changes.outputs.packages}}; do | |
make MELANGE_EXTRA_OPTS="--create-build-log --cache-dir=$(pwd)/../.melangecache" REPO="$GITHUB_WORKSPACE/packages" package/$package -j1 | |
make REPO="$GITHUB_WORKSPACE/packages" test/$package -j1 | |
done | |
- name: "Check that packages can be installed with apk add" | |
run: | | |
# Create a fake linux fs under /tmp/emptyroot to pass to `apk --root`. | |
mkdir -p /tmp/emptyroot/etc/apk | |
cp -r /etc/apk/* /tmp/emptyroot/etc/apk/ | |
cat /dev/null > /tmp/emptyroot/etc/apk/world | |
mkdir -p /tmp/emptyroot/lib/apk/db | |
touch /tmp/emptyroot/lib/apk/db/{installed,lock,scripts.tar,triggers} | |
mkdir -p /tmp/emptyroot/var/cache/apk | |
apk update --root /tmp/emptyroot | |
# Find .apk files and add them to the string | |
for f in $(find packages -name '*.apk'); do | |
tar -Oxf $f .PKGINFO | |
apk add --root /tmp/emptyroot --repository "$GITHUB_WORKSPACE/packages" --allow-untrusted --simulate $f | |
done | |
- name: Check SBOMs | |
run: | | |
apk add py3-ntia-conformance-checker | |
for f in $(find packages -name '*.apk'); do | |
echo ==== Checking SBOM for $f ==== | |
tar -Oxf $f var/lib/db/sbom/ > sbom.json | |
echo ::group::sbom.json | |
cat sbom.json | |
echo ::endgroup:: | |
ntia-checker -v --file sbom.json | |
done | |
- name: Check for file | |
id: file_check | |
run: | | |
if test -f "packages.log"; then | |
cat packages.log | |
echo "exists=true" >> $GITHUB_OUTPUT | |
else | |
echo "exists=false" >> $GITHUB_OUTPUT | |
fi | |
touch packages.log | |
- name: Check diff | |
if: steps.file_check.outputs.exists == 'true' | |
# Let's not fail the whole job if this step fails as it is for improved UX rather than an enforced check | |
continue-on-error: true | |
run: | | |
wolfictl check diff | |
- name: Check for diff file | |
id: diff_file_check | |
run: | | |
if test -f "diff.log"; then | |
cat diff.log | |
echo "exists=true" >> $GITHUB_OUTPUT | |
else | |
echo "exists=false" >> $GITHUB_OUTPUT | |
fi | |
# Use the x86_64 build results for the comment for now so we don't have duplicates. | |
- name: PR comment diff | |
if: steps.diff_file_check.outputs.exists == 'true' && matrix.arch == 'x86_64' | |
uses: thollander/actions-comment-pull-request@fabd468d3a1a0b97feee5f6b9e499eab0dd903f6 # v2.5.0 | |
# We're seeing jobs using merge queues fail | |
continue-on-error: true | |
with: | |
filePath: diff.log | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: 'Upload built packages to GitHub artifacts' | |
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 | |
with: | |
path: | | |
./packages/${{ matrix.arch }} | |
./packages.log | |
name: packages-${{ matrix.arch }} | |
retention-days: 1 | |
if-no-files-found: warn | |
so_check: | |
permissions: | |
contents: read | |
name: "ABI Compatibility check" | |
runs-on: ubuntu-latest | |
container: | |
image: ghcr.io/wolfi-dev/sdk:latest@sha256:9bc0db73ea7d4b55b0aa73308c4525965ddd591cb6278475eba14463244ca635 | |
needs: build | |
if: needs.build.outputs.packages_were_built == 'true' | |
steps: | |
- name: 'Retrieve x86_64 packages' | |
uses: actions/download-artifact@21e5c25de9cf2ee24742cd3e822327f3be6dd2a3 # v4.1.1 | |
with: | |
name: packages-x86_64 | |
path: /tmp/artifacts-1/ | |
- name: 'Retrieve aarch64 packages' | |
uses: actions/download-artifact@21e5c25de9cf2ee24742cd3e822327f3be6dd2a3 # v4.1.1 | |
with: | |
name: packages-aarch64 | |
path: /tmp/artifacts-2/ | |
- name: 'Collect packages from all architectures into one place' | |
run: | | |
cd /tmp/artifacts-1 | |
# Put the packages into one place (if aarch64 logs exist) | |
if test -f "/tmp/artifacts-2/packages"; then | |
mv /tmp/artifacts-2/packages/* ./packages/ | |
# Merge the build log ("packages.log") files | |
cat /tmp/artifacts-2/packages.log >> ./packages.log | |
fi | |
- name: Soname check | |
run: | | |
wolfictl check so-name --packages-dir /tmp/artifacts-1/packages --package-list-file /tmp/artifacts-1/packages.log | |
scan: | |
permissions: | |
contents: read | |
name: "Scan packages for CVEs" | |
runs-on: ubuntu-latest | |
container: | |
image: ghcr.io/wolfi-dev/sdk:latest@sha256:9bc0db73ea7d4b55b0aa73308c4525965ddd591cb6278475eba14463244ca635 | |
needs: build | |
if: needs.build.outputs.packages_were_built == 'true' | |
steps: | |
- name: 'Retrieve x86_64 packages' | |
uses: actions/download-artifact@21e5c25de9cf2ee24742cd3e822327f3be6dd2a3 # v4.1.1 | |
with: | |
name: packages-x86_64 | |
path: /tmp/artifacts-1/ | |
- name: 'Retrieve aarch64 packages' | |
uses: actions/download-artifact@21e5c25de9cf2ee24742cd3e822327f3be6dd2a3 # v4.1.1 | |
with: | |
name: packages-aarch64 | |
path: /tmp/artifacts-2/ | |
- name: 'Collect packages from all architectures into one place' | |
run: | | |
cd /tmp/artifacts-1 | |
# Put the packages into one place (if aarch64 logs exist) | |
if test -f "/tmp/artifacts-2/packages"; then | |
mv /tmp/artifacts-2/packages/* ./packages/ | |
# Merge the build log ("packages.log") files | |
cat /tmp/artifacts-2/packages.log >> ./packages.log | |
fi | |
- name: 'Retrieve Wolfi advisory data' | |
uses: actions/checkout@v4 | |
with: | |
repository: 'wolfi-dev/advisories' | |
path: 'data/wolfi-advisories' | |
- name: Scan for CVEs | |
run: | | |
wolfictl scan \ | |
--build-log \ | |
--advisories-repo-dir 'data/wolfi-advisories' \ | |
--advisory-filter 'resolved' \ | |
--require-zero \ | |
/tmp/artifacts-1 \ | |
2> /dev/null # The error message renders strangely on GitHub Actions, and the important information is already being sent to stdout. |