build(deps): bump step-security/harden-runner from 2.10.1 to 2.10.2 (… #2543
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build Images | |
on: | |
pull_request: | |
branches: [ "main" ] | |
push: | |
branches: [ "main" ] | |
workflow_dispatch: | |
jobs: | |
# Build a single-arch nginx image for each arch. | |
build-nginx-on-all-arches: | |
name: build-nginx-all-arches | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
strategy: | |
fail-fast: false | |
matrix: | |
arch: [x86_64, "386", armv7, aarch64, riscv64, s390x, ppc64le] | |
steps: | |
- uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
egress-policy: audit | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v2.1.5 | |
with: | |
go-version-file: 'go.mod' | |
check-latest: true | |
- name: Setup QEMU | |
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
- run: | | |
make apko | |
./apko build ./examples/nginx.yaml nginx:build /tmp/nginx-${{ matrix.arch }}.tar --arch ${{ matrix.arch }} | |
- name: Check SBOM Conformance | |
run: | | |
set -euxo pipefail | |
if ! ls *.spdx.json; then | |
echo "no SBOMs found!" | |
exit 1 | |
fi | |
for f in *.spdx.json; do | |
echo ::group::sbom.json | |
cat $f | |
echo ::endgroup:: | |
docker run --rm -v $(pwd)/$f:/sbom.json cgr.dev/chainguard/ntia-conformance-checker -v --file /sbom.json | |
done | |
# Build a multi-arch nginx image for all archs. | |
build-nginx-multiarch: | |
name: build-nginx-multiarch | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
steps: | |
- uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
egress-policy: audit | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v2.1.5 | |
with: | |
go-version-file: 'go.mod' | |
check-latest: true | |
- run: | | |
make apko | |
./apko build ./examples/nginx.yaml nginx:build /tmp/nginx.tar --arch x86_64,386,armv7,aarch64,s390x,ppc64le | |
- name: Check SBOM Conformance | |
run: | | |
set -euxo pipefail | |
for f in *.spdx.json; do | |
echo ::group::sbom.json | |
cat $f | |
echo ::endgroup:: | |
docker run --rm -v $(pwd)/$f:/sbom.json cgr.dev/chainguard/ntia-conformance-checker -v --file /sbom.json | |
done | |
build-all-examples-one-arch: | |
name: build-all-examples-amd64 | |
permissions: | |
contents: read | |
strategy: | |
fail-fast: false | |
matrix: | |
platform: [ubuntu-latest, macos-latest] | |
runs-on: ${{ matrix.platform }} | |
steps: | |
- uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
egress-policy: audit | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v2.1.5 | |
with: | |
go-version-file: 'go.mod' | |
check-latest: true | |
- uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4 | |
- run: | | |
make apko | |
for cfg in $(find ./examples/ -name '*.yaml'); do | |
name=$(basename ${cfg} .yaml) | |
echo "Building ${name}..." | |
build_script=$(dirname ${cfg})/build.sh | |
if [ -f ${build_script} ]; then | |
${build_script} ./apko | |
else | |
./apko build ${cfg} ${name}:build /tmp/${name}.tar --arch amd64 | |
fi | |
done | |
build-alpine-source-date-epoch: | |
name: source-date-epoch | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
steps: | |
- uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
egress-policy: audit | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v2.1.5 | |
with: | |
go-version-file: 'go.mod' | |
check-latest: true | |
- uses: chainguard-dev/actions/setup-registry@main | |
with: | |
port: 5000 | |
- name: build image (w/ source date epoch) | |
env: | |
SOURCE_DATE_EPOCH: "0" | |
run: | | |
make apko | |
FIRST=$(./apko publish ./examples/alpine-base.yaml localhost:5000/alpine --arch x86_64,386,armv7,aarch64,s390x,ppc64le 2> /dev/null) | |
for idx in {2..10} | |
do | |
NEXT=$(./apko publish ./examples/alpine-base.yaml localhost:5000/alpine --arch x86_64,386,armv7,aarch64,s390x,ppc64le 2> /dev/null) | |
if [ "${FIRST}" = "${NEXT}" ]; then | |
echo "Build ${idx} matches." | |
else | |
echo "Build ${idx} differs: ${FIRST} and ${NEXT}" | |
exit 1 | |
fi | |
done | |
build-alpine-build-date-epoch: | |
name: build-date-epoch | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
steps: | |
- uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
egress-policy: audit | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v2.1.5 | |
with: | |
go-version-file: 'go.mod' | |
check-latest: true | |
- uses: chainguard-dev/actions/setup-registry@main | |
with: | |
port: 5000 | |
- name: build image (w/ build date epoch) | |
run: | | |
make apko | |
# Without SOURCE_DATE_EPOCH set, the timestamp of the image will be computed to be | |
# the maximum build date of the resolved APKs. | |
FIRST=$(./apko publish ./examples/alpine-base.yaml localhost:5000/alpine --arch x86_64,386,armv7,aarch64,s390x,ppc64le 2> /dev/null) | |
for idx in {2..10} | |
do | |
NEXT=$(./apko publish ./examples/alpine-base.yaml localhost:5000/alpine --arch x86_64,386,armv7,aarch64,s390x,ppc64le 2> /dev/null) | |
if [ "${FIRST}" = "${NEXT}" ]; then | |
echo "Build ${idx} matches." | |
else | |
echo "Build ${idx} differs: ${FIRST} and ${NEXT}" | |
exit 1 | |
fi | |
done | |
annotations: | |
name: annotations | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
steps: | |
- uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
egress-policy: audit | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v2.1.5 | |
with: | |
go-version-file: 'go.mod' | |
check-latest: true | |
- uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4 | |
- uses: chainguard-dev/actions/setup-registry@main | |
with: | |
port: 5000 | |
- run: | | |
make apko | |
# Build image with annotations. | |
ref=$(./apko publish ./examples/nginx.yaml localhost:5000/nginx --arch x86_64,386,armv7,aarch64,s390x,ppc64le) | |
# Check index annotations. | |
crane manifest $ref | jq -r '.annotations.foo' | grep bar | |
# Check per-image annotations. | |
crane manifest --platform=linux/arm64 $ref | jq -r '.annotations.foo' | grep bar | |
# Check per-image config labels. | |
crane config --platform=linux/arm64 $ref | jq -r '.config.Labels' | grep bar |