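# Presubmit CI for melange.
#
# Job 1 builds the melange binary from this repository and hands it over as a
# short-lived artifact. Job 2 checks out wolfi-dev/os, builds a matrix of real
# packages with that binary using both the bubblewrap and the qemu runner,
# install-tests the resulting apk and scans it for unresolved CVEs.
#
# Every third-party action is pinned to a full commit SHA (the trailing comment
# records the tag it corresponds to); the single exception is the in-org
# install-wolfictl action, see the note at that step.
name: ci

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

jobs:
  build-melange:
    name: Build melange and add to artifact cache
    runs-on: ubuntu-latest
    # Read-only token: this job only needs to clone and build.
    permissions:
      contents: read
    steps:
      - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          # audit only records outbound connections, it does not block them.
          egress-policy: audit
      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
        with:
          go-version-file: './go.mod'
          check-latest: true
      - name: build
        run: |
          make melange
      # The binary is passed to build-packages through an artifact keyed on the
      # run id; it is only needed for the lifetime of this run.
      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: melange-${{ github.run_id }}
          path: ${{ github.workspace }}/melange
          retention-days: 1

  build-packages:
    name: Build packages
    needs:
      - build-melange
    # TODO: Set up a larger runner for this.
    runs-on: ubuntu-latest
    permissions:
      contents: read
    # This is a list of packages which covers basic and exotic uses of
    # the built-in pipelines. Goal is to balance efficiency while also
    # exercising Melange with real-world package builds.
    # Feel free to add additional packages to this matrix which exercise
    # Melange in new ways (e.g. new pipelines, etc.)
    # Matrix values are defined in this file, so interpolating them into
    # `run:` scripts below is not an expression-injection risk.
    strategy:
      fail-fast: false
      matrix:
        runner:
          - bubblewrap
          - qemu
        package:
          - hello-wolfi
          - glibc
          - tini
          - lzo
          - bubblewrap
          # - gdk-pixbuf # Looks like this is broken again, see: https://gitlab.gnome.org/GNOME/gobject-introspection/-/issues/515
          - gitsign
          - guac
          - mdbook
          - s3cmd
          - perl-yaml-syck
          - ncurses
          # TODO: https://github.com/wolfi-dev/os/issues/26442
          #- xmlto
    steps:
      - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          egress-policy: audit
      # The package definitions live in wolfi-dev/os, not in this repository;
      # that checkout becomes the workspace for the rest of the job.
      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
        with:
          repository: wolfi-dev/os
      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: melange-${{ github.run_id }}
          path: ${{ github.workspace }}/.melange-dir
          run-id: ${{ github.run_id }}
      - run: |
          sudo mv ${{ github.workspace }}/.melange-dir/melange /usr/bin/melange
          sudo chmod a+x /usr/bin/melange
          melange version
      # Refresh the package lists first, as the qemu path below already does;
      # installing against stale lists can fail on a freshly provisioned image.
      - if: matrix.runner == 'bubblewrap'
        run: |
          sudo apt-get update
          sudo apt-get -y install bubblewrap
      - if: matrix.runner == 'bubblewrap'
        run: |
          make SHELL="/bin/bash" MELANGE="sudo melange" package/${{ matrix.package }}
      # NOTE(review): the guest kernel is fetched from Alpine edge without any
      # signature or checksum verification and at whatever version is current.
      # It only boots throwaway build VMs on this runner, but pinning a version
      # or verifying the download would remove a supply-chain dependency on
      # the mirror being intact.
      - name: Download kernel for VMs
        if: matrix.runner == 'qemu'
        # Explicit bash gives the step `-o pipefail`; together with `curl -f`
        # a failed index download aborts here instead of leaving KERNEL_PKG
        # empty and surfacing later as a confusing tar error on an HTML page.
        shell: bash
        run: |
          KERNEL_PKG="$(curl -fsSL https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz | tar -Oxz APKINDEX | awk -F':' '$1 == "P" {printf "%s-", $2} $1 == "V" {printf "%s.apk\n", $2}' | grep "linux-virt" | grep -v dev)"
          curl -fLSo linux-virt.apk "https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/$KERNEL_PKG"
          mkdir -p /tmp/kernel
          tar -xf ./linux-virt.apk -C /tmp/kernel/
      - name: Install QEMU/KVM
        if: matrix.runner == 'qemu'
        run: |
          sudo apt-get update
          sudo apt-get -y install qemu-system qemu-kvm
      # Makes /dev/kvm usable by the unprivileged runner user. MODE 0666 is
      # world-accessible, which is only acceptable because the hosted runner
      # is single-tenant and discarded after the job.
      - name: Enable KVM group perms
        if: matrix.runner == 'qemu'
        run: |
          echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
          sudo udevadm control --reload-rules
          sudo udevadm trigger --name-match=kvm
      - name: Make package ${{matrix.package}} with QEMU Runner
        if: matrix.runner == 'qemu'
        run: |
          make \
            SHELL="/bin/bash" \
            QEMU_KERNEL_IMAGE=/tmp/kernel/boot/vmlinuz-virt \
            QEMU_KERNEL_MODULES=/tmp/kernel/lib/modules/ \
            MELANGE="/usr/bin/melange" \
            MELANGE_EXTRA_OPTS="--runner qemu" \
            package/${{ matrix.package }}
      # Advisory data is used by the scan step to filter out already-resolved
      # findings.
      - name: "Retrieve Wolfi advisory data"
        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
        with:
          repository: "wolfi-dev/advisories"
          path: "data/wolfi-advisories"
      # This needs to point to main to always get the latest action.
      # Unlike every other action in this workflow it is therefore a mutable
      # ref rather than a SHA pin; the action is owned by the same org, and the
      # job token is read-only, which bounds what a bad push to it could do.
      - uses: wolfi-dev/actions/install-wolfictl@main # main
      # --allow-untrusted is needed because the freshly built apk is not signed
      # with a key the base image trusts; this is an install smoke test only.
      - name: Test installable and Scan for CVEs
        run: |
          docker run --rm -v $(pwd):/work --workdir /work cgr.dev/chainguard/wolfi-base apk add --allow-untrusted packages/x86_64/${{ matrix.package }}-*.apk
          # There is a huge fixed cost for every wolfictl scan invocation for grype DB init.
          # Do this outside of the loop in one invocation with every package.
          wolfictl scan \
            --advisories-repo-dir 'data/wolfi-advisories' \
            --advisory-filter 'resolved' \
            --require-zero \
            packages/x86_64/${{ matrix.package }}-*.apk \
            2> /dev/null # The error message renders strangely on GitHub Actions, and the important information is already being sent to stdout.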