Skip to content
This repository has been archived by the owner on May 7, 2024. It is now read-only.

chore(pkgs): automatic update of 3rd party packages #504

chore(pkgs): automatic update of 3rd party packages

chore(pkgs): automatic update of 3rd party packages #504

Workflow file for this run

name: build
on:
push:
branches:
- main
paths:
- images/**
- '**.mk'
- .github/workflows/build.yaml
pull_request:
branches:
- main
paths:
- images/**
- '**.mk'
- .github/workflows/build.yaml
workflow_dispatch:
inputs:
folders:
description: 'Folders to build'
required: true
default: ''
permissions: read-all
jobs:
generate_build_input:
name: "Generate build input"
runs-on: ubuntu-latest
outputs:
folders_to_build: ${{ env.FOLDERS }}
steps:
- name: Check out source code
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Read modified folders from parameters
if: ${{ github.event_name == 'workflow_dispatch' }}
run: |
echo "CANDIDATE_FOLDERS=${{ github.event.inputs.folders }}" >> $GITHUB_ENV
- name: Read modified files from commit
id: changed_files
if: ${{ github.event_name != 'workflow_dispatch' }}
uses: tj-actions/changed-files@v35
with:
files: |
images/**
*.mk
- name: Identify modified folders from commit
if: ${{ github.event_name != 'workflow_dispatch' }}
run: |
set -x
cd ${GITHUB_WORKSPACE}
folders=""
for changed_file in ${{ steps.changed_files.outputs.all_modified_files }}; do
if [[ "${changed_file}" == *.mk ]]; then
# use make magic to identify which makefiles under images include a particular .mk under repo root
for folder in $(ls ./images/); do
if make -pn -C ./images/${folder} | grep $(basename ${changed_file}); then
folders="${folders} ${folder}"
fi
done
fi
folder=$(echo ${changed_file} | awk -F / '{print $2}')
folders="${folders} ${folder}"
done
folders=$(echo ${folders} | tr ' ' '\n' | sort -u | tr '\n' ' ')
echo CANDIDATE_FOLDERS="${folders}" >> $GITHUB_ENV
- name: Validate folders to build
run: |
set -x
for folder in ${CANDIDATE_FOLDERS}; do
[ -f "${GITHUB_WORKSPACE}/images/${folder}/stacker.yaml" ] && [ -f "${GITHUB_WORKSPACE}/images/${folder}/Makefile" ] && folders="${folders} ${folder}"
done
folders=$(echo ${folders} | xargs echo -n)
if [ -z "${folders}" ]; then
echo "No valid folders to build"
if [[ ${{ github.event_name }} == 'workflow_dispatch' ]]; then
echo "Manually triggered build needs valid folders to build"
exit 1
else
echo "Build will not fail as it is triggered automatically"
echo "FOLDERS=" >> $GITHUB_ENV
exit 0
fi
fi
# Obtain images modified indirectly
folders=$(make build-candidates SUBDIRS="${folders}" | tail -n 1)
echo "FOLDERS=${folders}" >> $GITHUB_ENV
build:
name: Build only
needs: [generate_build_input]
if: |
(github.ref != 'refs/heads/main') &&
(needs.generate_build_input.outputs.folders_to_build != '')
runs-on: ubuntu-latest
timeout-minutes: 30
strategy:
max-parallel: 3
matrix:
os:
- linux
arch:
- amd64
distro:
- debian-bullseye
- ubuntu-jammy
- rockylinux-9
steps:
- name: Check out source code
uses: actions/checkout@v3
- name: Setup env vars
run: |
distro=${{ matrix.distro }}
x=$(echo $distro | tr '-' ' ')
DISTRO=$(echo $x| awk '{print $1}')
echo DISTRO=$DISTRO >> $GITHUB_ENV
DISTRO_REL=$(echo $x| awk '{print $2}')
echo DISTRO_REL=$DISTRO_REL >> $GITHUB_ENV
echo ARCH=${{ matrix.arch }} >> $GITHUB_ENV
echo OS=${{ matrix.os }} >> $GITHUB_ENV
echo SUBDIRS="${{needs.generate_build_input.outputs.folders_to_build}}" >> $GITHUB_ENV
echo ZOT_VERSION="v2.0.0-rc3" >> $GITHUB_ENV
echo DEFAULT_BRANCH=origin/${{ github.event.repository.default_branch }} >> $GITHUB_ENV
- name: Run zot container image with podman
run: |
wget -N https://raw.githubusercontent.com/project-zot/zot/${ZOT_VERSION}/examples/config-cve.json
sed -i s/127\.0\.0\.1/0.0.0.0/g config-cve.json
sed -i s/8080/5000/g config-cve.json
podman run -d -p 5000:5000 -v $PWD/config-cve.json:/etc/zot/config.json ghcr.io/project-zot/zot-linux-amd64:${ZOT_VERSION}
- name: Fetch all commits
run: |
# Needed in order to check commit order later
cd ${GITHUB_WORKSPACE}
git fetch --all
- name: Build container images
run: |
cd ${GITHUB_WORKSPACE}
echo "Building ${SUBDIRS}"
# for building PRs PUBLISH_URL points to the public server, so we can download unchanged images
make build \
SUBDIRS="${SUBDIRS}" \
PUBLISH_URL=docker://zothub.io/c3
- name: Test container images
run: |
cd ${GITHUB_WORKSPACE}
echo "Testing ${SUBDIRS}"
make test SUBDIRS="${SUBDIRS}"
- name: Push container images
run: |
cd ${GITHUB_WORKSPACE}
echo "Pushing ${SUBDIRS}"
# for publishing PRs PUBLISH_URL points to the local server so we can later run the CVE scanner
# without having to push images to the public server
make publish \
SUBDIRS="${SUBDIRS}" \
PUBLISH_URL=docker://localhost:5000/c3 \
PUBLISH_EXTRA_ARGS="--skip-tls" \
PULL_EXTRA_ARGS="--src-tls-verify=false"
- name: Scan container images
run: |
set -x
cd ${GITHUB_WORKSPACE}
# download zli
wget -N https://github.com/project-zot/zot/releases/download/${ZOT_VERSION}/zli-linux-amd64 -O hack/tools/bin/zli
chmod +x hack/tools/bin/zli
hack/tools/bin/zli config add local http://localhost:5000
hack/tools/bin/zli config local verify-tls false
hack/tools/bin/zli config local showspinner false
# there is an assumption that every folder contains a single image defined
# in the stacker yaml, having the same name as the folder
for folder in ${SUBDIRS}; do
tags="$(make -C images/${folder} --no-print-directory tags)"
for tag in ${tags}; do
hack/tools/bin/zli cve local -I c3/${DISTRO}/${folder}-${ARCH}:${tag}
done
done
build_publish:
name: Build and publish
needs: [generate_build_input]
if: |
(github.ref == 'refs/heads/main') &&
(needs.generate_build_input.outputs.folders_to_build != '')
runs-on: ubuntu-latest
timeout-minutes: 30
env:
DOCKER_CONFIG: $HOME/.docker
strategy:
max-parallel: 3
matrix:
os:
- linux
arch:
- amd64
distro:
- debian-bullseye
- ubuntu-jammy
- rockylinux-9
steps:
- name: Check out source code
uses: actions/checkout@v3
- name: Setup env vars
run: |
distro=${{ matrix.distro }}
x=$(echo $distro | tr '-' ' ')
DISTRO=$(echo $x| awk '{print $1}')
echo DISTRO=$DISTRO >> $GITHUB_ENV
DISTRO_REL=$(echo $x| awk '{print $2}')
echo DISTRO_REL=$DISTRO_REL >> $GITHUB_ENV
echo ARCH=${{ matrix.arch }} >> $GITHUB_ENV
echo OS=${{ matrix.os }} >> $GITHUB_ENV
echo SUBDIRS="${{needs.generate_build_input.outputs.folders_to_build}}" >> $GITHUB_ENV
echo ZOT_VERSION="v1.4.3" >> $GITHUB_ENV
echo DEFAULT_BRANCH=origin/${{ github.event.repository.default_branch }} >> $GITHUB_ENV
- name: Fetch all commits
run: |
cd ${GITHUB_WORKSPACE}
# Needed in order to check commit order later
git fetch --all
- name: Build container images
run: |
cd ${GITHUB_WORKSPACE}
echo "Building ${SUBDIRS}"
make build \
SUBDIRS="${SUBDIRS}" \
PUBLISH_URL=docker://zothub.io/c3
- name: Test container images
run: |
cd ${GITHUB_WORKSPACE}
echo "Testing ${SUBDIRS}"
make test SUBDIRS="${SUBDIRS}"
- name: Push container images
env:
PUBLISH_USERNAME: ${{ secrets.ZOTHUB_USERNAME }}
PUBLISH_PASSWORD: ${{ secrets.ZOTHUB_PASSWORD }}
run: |
cd ${GITHUB_WORKSPACE}
echo "Pushing ${SUBDIRS}"
make publish \
SUBDIRS="${SUBDIRS}" \
PUBLISH_URL=docker://zothub.io/c3
- name: Scan container images
run: |
set -x
cd ${GITHUB_WORKSPACE}
# download zli
wget -N https://github.com/project-zot/zot/releases/download/${ZOT_VERSION}/zli-linux-amd64 -O hack/tools/bin/zli
chmod +x hack/tools/bin/zli
hack/tools/bin/zli config add zothub https://zothub.io
hack/tools/bin/zli config zothub showspinner false
# there is an assumption that every folder contains a single image defined
# in the stacker yaml, having the same name as the folder
for folder in ${SUBDIRS}; do
tags="$(make -C images/${folder} --no-print-directory tags)"
for tag in ${tags}; do
hack/tools/bin/zli cve zothub -I c3/${DISTRO}/${folder}-${ARCH}:${tag}
done
done
- name: Login to zothub.io Registry
uses: docker/login-action@v2
with:
registry: zothub.io
username: ${{ secrets.ZOTHUB_USERNAME }}
password: ${{ secrets.ZOTHUB_PASSWORD }}
- name: Install go
uses: actions/setup-go@v3
with:
go-version: 1.18
check-latest: true
- name: Install Cosign
uses: sigstore/cosign-installer@main
with:
cosign-release: main
- name: Check cosign install!
run: cosign version
- name: Sign image with a key
run: |
# there is an assumption that every folder contains a single image defined
# in the stacker yaml, having the same name as the folder
for folder in ${SUBDIRS}; do
tags="$(make -C images/${folder} --no-print-directory tags)"
for tag in ${tags}; do
cosign sign --key env://COSIGN_PRIVATE_KEY zothub.io/c3/${DISTRO}/${folder}-${ARCH}:${tag}
# Need to retest squashfs builds, getting some errors locally
# cosign sign --key env://COSIGN_PRIVATE_KEY zothub.io/c3/${DISTRO}/${folder}-${ARCH}:${tag}-squashfs
done
done
env:
COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}