build(deps): bump step-security/harden-runner from 2.10.1 to 2.10.2 (… #2543

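# Builds the example images (single-arch, multi-arch, every example, two
# runner platforms), checks the SBOMs apko leaves in the working directory,
# verifies that repeated publishes are byte-identical, and checks that
# annotations/labels land on the index, the per-arch manifests and the config.
#
# Supply-chain conventions in this file:
#   - third-party actions are pinned to a full commit SHA, with the released
#     tag kept in a trailing comment (the one exception is flagged inline);
#   - every job grants the GITHUB_TOKEN only `contents: read`;
#   - step-security/harden-runner runs with `egress-policy: audit`, which
#     only logs runner egress and does not block it.
name: Build Images
on:
  pull_request:
    branches: ["main"]
  push:
    branches: ["main"]
  workflow_dispatch:

# Workflow-wide default: no token scopes at all. Each job below opts in to
# the single scope it needs, so a future job cannot silently inherit more.
permissions: {}

jobs:
  # Build a single-arch nginx image for each arch.
  build-nginx-on-all-arches:
    name: build-nginx-all-arches
    runs-on: ubuntu-latest
    permissions:
      contents: read
    strategy:
      fail-fast: false
      matrix:
        # "386" is quoted so YAML keeps it a string instead of an integer.
        arch: [x86_64, "386", armv7, aarch64, riscv64, s390x, ppc64le]
    steps:
      - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          egress-policy: audit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v2.1.5
        with:
          go-version-file: 'go.mod'
          check-latest: true
      - name: Setup QEMU
        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
      - run: |
          make apko
          ./apko build ./examples/nginx.yaml nginx:build /tmp/nginx-${{ matrix.arch }}.tar --arch ${{ matrix.arch }}
      - name: Check SBOM Conformance
        run: |
          set -euxo pipefail
          if ! ls *.spdx.json; then
            echo "no SBOMs found!"
            exit 1
          fi
          for f in *.spdx.json; do
            # Label the log group with the SBOM it shows (there is one per arch).
            echo "::group::${f}"
            cat "${f}"
            echo ::endgroup::
            docker run --rm -v "$(pwd)/${f}:/sbom.json" cgr.dev/chainguard/ntia-conformance-checker -v --file /sbom.json
          done

  # Build a multi-arch nginx image for all archs.
  build-nginx-multiarch:
    name: build-nginx-multiarch
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          egress-policy: audit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v2.1.5
        with:
          go-version-file: 'go.mod'
          check-latest: true
      - run: |
          make apko
          ./apko build ./examples/nginx.yaml nginx:build /tmp/nginx.tar --arch x86_64,386,armv7,aarch64,s390x,ppc64le
      - name: Check SBOM Conformance
        run: |
          set -euxo pipefail
          # Same guard as the single-arch job: an unmatched glob must fail
          # loudly rather than iterate over the literal pattern.
          if ! ls *.spdx.json; then
            echo "no SBOMs found!"
            exit 1
          fi
          for f in *.spdx.json; do
            echo "::group::${f}"
            cat "${f}"
            echo ::endgroup::
            docker run --rm -v "$(pwd)/${f}:/sbom.json" cgr.dev/chainguard/ntia-conformance-checker -v --file /sbom.json
          done

  build-all-examples-one-arch:
    name: build-all-examples-amd64
    permissions:
      contents: read
    strategy:
      fail-fast: false
      matrix:
        platform: [ubuntu-latest, macos-latest]
    runs-on: ${{ matrix.platform }}
    steps:
      - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          egress-policy: audit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v2.1.5
        with:
          go-version-file: 'go.mod'
          check-latest: true
      - uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4
      - run: |
          make apko
          # An example directory may ship its own build.sh; when it does, that
          # script is run with the apko binary, otherwise a plain amd64 build.
          for cfg in $(find ./examples/ -name '*.yaml'); do
            name=$(basename "${cfg}" .yaml)
            echo "Building ${name}..."
            build_script=$(dirname "${cfg}")/build.sh
            if [ -f "${build_script}" ]; then
              "${build_script}" ./apko
            else
              ./apko build "${cfg}" "${name}:build" "/tmp/${name}.tar" --arch amd64
            fi
          done

  build-alpine-source-date-epoch:
    name: source-date-epoch
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          egress-policy: audit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v2.1.5
        with:
          go-version-file: 'go.mod'
          check-latest: true
      # TODO(review): @main is a mutable ref; pin to a commit SHA like every
      # other action in this file (<SETUP_REGISTRY_COMMIT_SHA> placeholder).
      - uses: chainguard-dev/actions/setup-registry@main
        with:
          port: 5000
      - name: build image (w/ source date epoch)
        env:
          # Quoted so the value reaches the process as the string "0".
          SOURCE_DATE_EPOCH: "0"
        run: |
          make apko
          # Publish the same config ten times and require every digest to
          # match the first; stderr is discarded so only the digest is captured.
          FIRST=$(./apko publish ./examples/alpine-base.yaml localhost:5000/alpine --arch x86_64,386,armv7,aarch64,s390x,ppc64le 2> /dev/null)
          for idx in {2..10}; do
            NEXT=$(./apko publish ./examples/alpine-base.yaml localhost:5000/alpine --arch x86_64,386,armv7,aarch64,s390x,ppc64le 2> /dev/null)
            if [ "${FIRST}" = "${NEXT}" ]; then
              echo "Build ${idx} matches."
            else
              echo "Build ${idx} differs: ${FIRST} and ${NEXT}"
              exit 1
            fi
          done

  build-alpine-build-date-epoch:
    name: build-date-epoch
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          egress-policy: audit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v2.1.5
        with:
          go-version-file: 'go.mod'
          check-latest: true
      # TODO(review): @main is a mutable ref; pin to a commit SHA like every
      # other action in this file (<SETUP_REGISTRY_COMMIT_SHA> placeholder).
      - uses: chainguard-dev/actions/setup-registry@main
        with:
          port: 5000
      - name: build image (w/ build date epoch)
        run: |
          make apko
          # Without SOURCE_DATE_EPOCH set, the timestamp of the image will be computed to be
          # the maximum build date of the resolved APKs.
          FIRST=$(./apko publish ./examples/alpine-base.yaml localhost:5000/alpine --arch x86_64,386,armv7,aarch64,s390x,ppc64le 2> /dev/null)
          for idx in {2..10}; do
            NEXT=$(./apko publish ./examples/alpine-base.yaml localhost:5000/alpine --arch x86_64,386,armv7,aarch64,s390x,ppc64le 2> /dev/null)
            if [ "${FIRST}" = "${NEXT}" ]; then
              echo "Build ${idx} matches."
            else
              echo "Build ${idx} differs: ${FIRST} and ${NEXT}"
              exit 1
            fi
          done

  annotations:
    name: annotations
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          egress-policy: audit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v2.1.5
        with:
          go-version-file: 'go.mod'
          check-latest: true
      - uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4
      # TODO(review): @main is a mutable ref; pin to a commit SHA like every
      # other action in this file (<SETUP_REGISTRY_COMMIT_SHA> placeholder).
      - uses: chainguard-dev/actions/setup-registry@main
        with:
          port: 5000
      - run: |
          make apko
          # Build image with annotations.
          ref=$(./apko publish ./examples/nginx.yaml localhost:5000/nginx --arch x86_64,386,armv7,aarch64,s390x,ppc64le)
          # Check index annotations.
          crane manifest "${ref}" | jq -r '.annotations.foo' | grep bar
          # Check per-image annotations.
          crane manifest --platform=linux/arm64 "${ref}" | jq -r '.annotations.foo' | grep bar
          # Check per-image config labels.
          crane config --platform=linux/arm64 "${ref}" | jq -r '.config.Labels' | grep bar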