Skip to content

fix(bubblewrap_runner): run as build 1000 by default #4267

fix(bubblewrap_runner): run as build 1000 by default

fix(bubblewrap_runner): run as build 1000 by default #4267

Workflow file for this run

name: e2e melange bootstrap + build
on:
push:
branches: ["main"]
pull_request:
branches: ["main"]
env:
SOURCE_DATE_EPOCH: 1669683910
jobs:
examples:
name: build examples
runs-on: ubuntu-latest
permissions:
contents: read
strategy:
fail-fast: false
matrix:
example:
- git-checkout.yaml
- gnu-hello.yaml
- mbedtls.yaml
- minimal.yaml
- sshfs.yaml
steps:
- uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version-file: "go.mod"
- name: Build package
run: |
sudo apt-get update -y
sudo apt-get install -y bubblewrap
make melange
./melange keygen
./melange build --pipeline-dir=pipelines examples/${{matrix.example}} --arch=x86_64 --empty-workspace
- name: Check SBOM Conformance
run: |
set -euxo pipefail
for f in packages/x86_64/*.apk; do
tar -Oxf "$f" var/lib/db/sbom > sbom.json
echo ::group::sbom.json
cat sbom.json
echo ::endgroup::
docker run --rm -v $(pwd)/sbom.json:/sbom.json cgr.dev/chainguard/ntia-conformance-checker --file /sbom.json
# TODO: Make this an image.
docker run --rm -v $(pwd)/sbom.json:/sbom.json --entrypoint "sh" cgr.dev/chainguard/wolfi-base -c "apk add spdx-tools-java && tools-java Verify /sbom.json"
done
- name: Verify SBOM External Refs (git-checkout)
if: matrix.example == 'git-checkout.yaml'
run: |
set -euxo pipefail
tar -Oxf packages/x86_64/git-checkout*.apk var/lib/db/sbom > git-checkout.sbom.json
# Verify APK ref
grep '"pkg:apk/unknown/git-checkout@v0.0.1-r0?arch=x86_64"' git-checkout.sbom.json
# Verify github tag ref
grep '"pkg:github/puerco/hello.git@v0.0.1"' sbom.json git-checkout.sbom.json
# Verify github sha ref
grep '"pkg:github/puerco/hello.git@a73c4feb284dc6ed1e5758740f717f99dcd4c9d7"' git-checkout.sbom.json
# Verify generic git ref
grep '"pkg:generic/hello@v0.0.1?vcs_url=git%2Bhttps%3A%2F%2Fgitlab.com%2Fxnox%2Fhello.git%40a73c4feb284dc6ed1e5758740f717f99dcd4c9d7"' git-checkout.sbom.json
# Verify ConfigFile ref
grep '"pkg:github/chainguard-dev/melange@${{github.sha}}#examples/git-checkout.yaml"' git-checkout.sbom.json
- name: Verify SBOM External Refs (gnu-hello)
if: matrix.example == 'gnu-hello.yaml'
run: |
set -euxo pipefail
tar -Oxf packages/x86_64/hello-2*.apk var/lib/db/sbom > hello.sbom.json
# Verify generic fetch ref
grep '"pkg:generic/hello@2.12?checksum=sha256%3Acf04af86dc085268c5f4470fbae49b18afbc221b78096aab842d934a76bad0ab\\u0026download_url=https%3A%2F%2Fftp.gnu.org%2Fgnu%2Fhello%2Fhello-2.12.tar.gz"' hello.sbom.json
- name: Check packages can be installed with apk
run: |
set -euxo pipefail
for f in packages/x86_64/*.apk; do
docker run --rm -v $(pwd):/work cgr.dev/chainguard/wolfi-base apk add --allow-untrusted /work/$f
done
bootstrap:
name: bootstrap package
runs-on: ubuntu-latest
permissions:
contents: read
container:
image: alpine:latest
options: |
--cap-add NET_ADMIN --cap-add SYS_ADMIN --security-opt seccomp=unconfined --security-opt apparmor:unconfined
steps:
- name: Fetch dependencies
run: |
cat >/etc/apk/repositories <<_EOF_
https://dl-cdn.alpinelinux.org/alpine/edge/main
https://dl-cdn.alpinelinux.org/alpine/edge/community
https://dl-cdn.alpinelinux.org/alpine/edge/testing
_EOF_
apk upgrade -Ua
apk add go cosign build-base git bubblewrap
- uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version-file: "go.mod"
- name: Mark workspace as a safe repository
run: git config --global --add safe.directory ${GITHUB_WORKSPACE}
- name: Build bootstrap melange tool (stage1)
run: make melange
- name: Generate a package signing keypair
run: |
./melange keygen
mv melange.rsa.pub /etc/apk/keys
- name: Prepare build workspace for stage2
run: |
git clone . workspace-stage2/x86_64
- name: Build stage2 melange package with bootstrap melange
run: ./melange build --pipeline-dir=pipelines/ --signing-key=melange.rsa --arch x86_64 --workspace-dir ${{github.workspace}}/workspace-stage2/
- name: Install stage2 melange package
run: apk add ./packages/x86_64/melange-*.apk
- name: Move stage2 artifacts to stage2 directory
run: |
mv packages stage2
- name: Verify operation of stage2 melange
run: melange version
- name: Prepare build workspace for stage3
run: |
git clone . workspace-stage3/x86_64
- name: Build stage3 melange package with stage2 melange
run: melange build --signing-key=melange.rsa --arch x86_64 --workspace-dir ${{github.workspace}}/workspace-stage3/
- name: Install stage3 melange package
run: apk add ./packages/x86_64/melange-*.apk
- name: Move stage3 artifacts to stage3 directory
run: |
mv packages stage3
- name: Ensure melange package is reproducible
run: |
sha256sum stage2/x86_64/*.apk | sed -e 's:stage2/:stage3/:g' | sha256sum -c
- name: Verify operation of stage3 melange
run: melange version