Best practices: Add section showing how to configure grype #5377
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| on: | |
| pull_request: # TODO: pull_request_target | |
| branches: | |
| - main | |
| permissions: | |
| contents: read | |
| actions: read | |
| env: | |
| TF_VAR_target_repository: registry.local:5000/testing | |
| TF_APKO_DISABLE_VERSION_TAGS: true # Disable version tags. | |
| TF_COSIGN_DISABLE: true # Don't sign in presubmit. | |
| concurrency: | |
| group: presubmit-build-${{ github.head_ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| shard: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha || github.sha }} | |
| - run: make init # Initialize modules. | |
| - run: terraform fmt -check -recursive -diff | |
| - run: ./lint.sh | |
| - name: Enforce YAML formatting | |
| uses: docker://ghcr.io/wolfi-dev/wolfictl:latest@sha256:4c9087d2c2fccf2c0f3470cfa695c605bc0dcd7bcbb1ee9c64f80f62d8e1cfdc | |
| with: | |
| entrypoint: wolfictl | |
| args: lint yam images/ | |
| - id: changed | |
| uses: tj-actions/changed-files@v42 | |
| with: | |
| dir_names: "true" | |
| # Truncates (not ignores) the path of changed files to 2 (ie: images/flux/tests/main.tf -> images/flux) | |
| dir_names_max_depth: "2" | |
| files_separator: "\n" # This is the default, but ensure we keep it such so the below discover steps work | |
| files_yaml: | | |
| base: | |
| - .github/actions/** | |
| - ./tflib/** | |
| images: | |
| - ./images/** | |
| - '!./images/**.md' | |
| - id: discover-base | |
| name: Discovered modified base files | |
| shell: bash # bash math foo required | |
| if: steps.changed.outputs.base_any_changed == 'true' | |
| run: | | |
| images=($(find ./images -maxdepth 1 -type d -not -path "./images/TEMPLATE" | awk -F'/' '{print $3}' | sort -uR)) # randomize | |
| n=50 # buckets to shard into | |
| total=${#images[@]} | |
| base_size=$((total / n)) | |
| remainder=$((total % n)) | |
| declare -a bins | |
| # Sequentially fill up each bin, and append any remainders to the last bin | |
| for ((i = 0; i < total; i++)); do | |
| idx=$((i < (total - remainder) ? i / base_size : n - 1)) | |
| bins[$idx]+="${images[$i]} " | |
| done | |
| matrix=$(printf "%s\n" "${bins[@]}" | jq -cRnjr '[inputs] | [ range(0; length) as $i | { "index": $i | tostring, "images": .[$i] } ]') | |
| echo "matrix=${matrix}" >> $GITHUB_ENV | |
| - id: discover-images | |
| name: Discover modified images | |
| if: steps.changed.outputs.base_any_changed != 'true' && steps.changed.outputs.images_any_changed == 'true' | |
| run: | | |
| # Randomize and shard into bins of 5 images each | |
| n=5 | |
| bins=$(echo "${{ steps.changed.outputs.images_all_changed_files }}" | sed 's/images\///g' | sed 's/ /\n/g' | sort -uR | tr '\n' ' ' | xargs -n $n | jq -cRnjr '[inputs] | [ range(0; length) as $i | { "index": $i | tostring, "images": .[$i] } ]') | |
| echo "matrix=${bins}" >> $GITHUB_ENV | |
| - id: set-matrix | |
| run: | | |
| out='${{ env.matrix }}' | |
| echo "shard_matrix=${out}" >> $GITHUB_OUTPUT | |
| - name: Shard Results | |
| run: echo '${{ steps.set-matrix.outputs.shard_matrix }}' | jq . | |
| outputs: | |
| # This is of the format [{"index": 0, "images": "a b c"}, {"index": 1, "images": "d e f"}, ...], or empty ([]) when nothing relevant has changed | |
| shard_matrix: ${{ steps.set-matrix.outputs.shard_matrix }} | |
| build-the-world: | |
| runs-on: ubuntu-latest | |
| needs: shard | |
| if: ${{ needs.shard.outputs.shard_matrix != '' }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| shard: ${{ fromJson(needs.shard.outputs.shard_matrix) }} | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha || github.sha }} | |
| - uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3 | |
| with: | |
| terraform_version: '1.3.*' | |
| terraform_wrapper: false | |
| # Make cosign/crane CLI available to the tests | |
| - uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0 | |
| - uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3 | |
| - uses: chainguard-dev/actions/setup-k3d@main | |
| with: | |
| k3s-image: cgr.dev/chainguard/k3s:latest@sha256:0ef62d22d89f611f9df50b9cc86d1f23d3d92d39062d4d13e500736f4e29d0d9 | |
| - name: Build | |
| timeout-minutes: 60 | |
| run: | | |
| set -eo pipefail | |
| make init | |
| targets="" | |
| for image in ${{ matrix.shard.images }}; do | |
| targets+=' -target='module."${image}"'' | |
| done | |
| terraform apply ${targets} -auto-approve --parallelism=$(nproc) -json | tee /tmp/mega-module.tf.json | jq -r '.["@message"]' | |
| - name: Collect TF diagnostics | |
| if: ${{ always() }} | |
| uses: chainguard-dev/actions/terraform-diag@main | |
| with: | |
| json-file: /tmp/mega-module.tf.json | |
| - name: Upload terraform logs | |
| if: always() | |
| uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v3 | |
| with: | |
| name: "mega-module-${{ matrix.shard.index }}.tf.json" | |
| path: /tmp/mega-module.tf.json | |
| - name: Collect diagnostics and upload | |
| if: ${{ failure() }} | |
| uses: chainguard-dev/actions/k8s-diag@main | |
| with: | |
| cluster-type: k3d | |
| namespace-resources: deploy,ds,sts,pods | |
| presubmit-roundup: | |
| needs: build-the-world | |
| runs-on: ubuntu-latest | |
| if: always() | |
| steps: | |
| - uses: technote-space/workflow-conclusion-action@45ce8e0eb155657ab8ccf346ade734257fd196a5 # v3.0.3 | |
| - if: ${{ env.WORKFLOW_CONCLUSION == 'success' }} | |
| working-directory: /tmp | |
| run: echo ${{ env.WORKFLOW_CONCLUSION }} && exit 0 | |
| - if: ${{ env.WORKFLOW_CONCLUSION == 'failure' }} | |
| working-directory: /tmp | |
| run: echo ${{ env.WORKFLOW_CONCLUSION }} && exit 1 |