Skip to content

Pull in the auth fix in go-apk (#1145) #1916

Pull in the auth fix in go-apk (#1145)

Pull in the auth fix in go-apk (#1145) #1916

Workflow file for this run

name: Build Images
on:
pull_request:
branches: [ "main" ]
push:
branches: [ "main" ]
workflow_dispatch:
jobs:
# Build a single-arch nginx image for each arch.
build-nginx-on-all-arches:
name: build-nginx-all-arches
runs-on: ubuntu-latest
permissions:
contents: read
strategy:
fail-fast: false
matrix:
arch: [x86_64, "386", armv7, aarch64, riscv64, s390x, ppc64le]
steps:
- uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v2.1.5
with:
go-version-file: 'go.mod'
- name: Setup QEMU
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
- run: |
make apko
./apko build ./examples/nginx.yaml nginx:build /tmp/nginx-${{ matrix.arch }}.tar --arch ${{ matrix.arch }}
- name: Check SBOM Conformance
run: |
set -euxo pipefail
if ! ls *.spdx.json; then
echo "no SBOMs found!"
exit 1
fi
for f in *.spdx.json; do
echo ::group::sbom.json
cat $f
echo ::endgroup::
docker run --rm -v $(pwd)/$f:/sbom.json cgr.dev/chainguard/ntia-conformance-checker -v --file /sbom.json
done
# Build a multi-arch nginx image for all archs.
build-nginx-multiarch:
name: build-nginx-multiarch
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v2.1.5
with:
go-version-file: 'go.mod'
- run: |
make apko
./apko build ./examples/nginx.yaml nginx:build /tmp/nginx.tar
- name: Check SBOM Conformance
run: |
set -euxo pipefail
for f in *.spdx.json; do
echo ::group::sbom.json
cat $f
echo ::endgroup::
docker run --rm -v $(pwd)/$f:/sbom.json cgr.dev/chainguard/ntia-conformance-checker -v --file /sbom.json
done
build-all-examples-one-arch:
name: build-all-examples-amd64
permissions:
contents: read
strategy:
fail-fast: false
matrix:
platform: [ubuntu-latest, macos-latest]
runs-on: ${{ matrix.platform }}
steps:
- uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v2.1.5
with:
go-version-file: 'go.mod'
- uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3
- run: |
make apko
for cfg in $(find ./examples/ -name '*.yaml'); do
name=$(basename ${cfg} .yaml)
build_script=$(dirname ${cfg})/build.sh
if [ -f ${build_script} ]; then
${build_script} ./apko
else
./apko build ${cfg} ${name}:build /tmp/${name}.tar --arch amd64
fi
done
build-alpine-source-date-epoch:
name: source-date-epoch
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v2.1.5
with:
go-version-file: 'go.mod'
- uses: chainguard-dev/actions/setup-registry@main
with:
port: 5000
- name: build image (w/ source date epoch)
env:
SOURCE_DATE_EPOCH: "0"
run: |
make apko
FIRST=$(./apko publish ./examples/alpine-base.yaml localhost:5000/alpine 2> /dev/null)
for idx in {2..10}
do
NEXT=$(./apko publish ./examples/alpine-base.yaml localhost:5000/alpine 2> /dev/null)
if [ "${FIRST}" = "${NEXT}" ]; then
echo "Build ${idx} matches."
else
echo "Build ${idx} differs: ${FIRST} and ${NEXT}"
exit 1
fi
done
build-alpine-build-date-epoch:
name: build-date-epoch
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v2.1.5
with:
go-version-file: 'go.mod'
- uses: chainguard-dev/actions/setup-registry@main
with:
port: 5000
- name: build image (w/ build date epoch)
run: |
make apko
# Without SOURCE_DATE_EPOCH set, the timestamp of the image will be computed to be
# the maximum build date of the resolved APKs.
FIRST=$(./apko publish ./examples/alpine-base.yaml localhost:5000/alpine 2> /dev/null)
for idx in {2..10}
do
NEXT=$(./apko publish ./examples/alpine-base.yaml localhost:5000/alpine 2> /dev/null)
if [ "${FIRST}" = "${NEXT}" ]; then
echo "Build ${idx} matches."
else
echo "Build ${idx} differs: ${FIRST} and ${NEXT}"
exit 1
fi
done
annotations:
name: annotations
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v2.1.5
with:
go-version: "1.21"
check-latest: true
- uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3
- uses: chainguard-dev/actions/setup-registry@main
with:
port: 5000
- run: |
make apko
# Build image with annotations.
ref=$(./apko publish ./examples/nginx.yaml localhost:5000/nginx)
# Check index annotations.
crane manifest $ref | jq -r '.annotations.foo' | grep bar
# Check per-image annotations.
crane manifest --platform=linux/arm64 $ref | jq -r '.annotations.foo' | grep bar