Skip ensuring registry access for the analyzer #6

Workflow file for this run

	name: build

	on:
	push:
	branches:
	- main
	- 'release/**'
	- v0.17.2-custom
	pull_request:
	branches:
	- main
	- 'release/**'

	jobs:
	test-linux-amd64:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v2
	with:
	fetch-depth: '0'
	- name: Set up go
	uses: actions/setup-go@v3
	with:
	check-latest: true
	go-version-file: 'go.mod'
	- name: Install jq
	run: \|
	mkdir -p deps/bin
	curl -s -L -o deps/bin/jq https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64
	chmod +x deps/bin/jq
	echo "${PWD}/deps/bin" >> $GITHUB_PATH
	test-windows:
	runs-on: windows-2019
	steps:
	- name: Set git to use LF and symlinks
	run: \|
	git config --global core.autocrlf false
	git config --global core.eol lf
	git config --global core.symlinks true
	- uses: actions/checkout@v2
	with:
	fetch-depth: '0'
	- name: Set up go
	uses: actions/setup-go@v3
	with:
	check-latest: true
	go-version-file: 'go.mod'
	- name: Add runner IP to daemon insecure-registries and firewall
	shell: powershell
	run: \|
	# Get IP from default gateway interface
	$IPAddress=(Get-NetIPAddress -InterfaceAlias ((Get-NetRoute "0.0.0.0/0").InterfaceAlias) -AddressFamily IPv4)[0].IPAddress

	# Allow container-to-host registry traffic (from public interface, to the same interface)
	New-NetfirewallRule -DisplayName test-registry -LocalAddress $IPAddress -RemoteAddress $IPAddress

	# create or update daemon config to allow host as insecure-registry
	$config=@{}
	if (Test-Path C:\ProgramData\docker\config\daemon.json) {
	$config=(Get-Content C:\ProgramData\docker\config\daemon.json \| ConvertFrom-json)
	}
	$config \| Add-Member -Force -Name "insecure-registries" -value @("$IPAddress/32") -MemberType NoteProperty
	$config \| Add-Member -Force -Name "allow-nondistributable-artifacts" -value @("$IPAddress/32") -MemberType NoteProperty
	ConvertTo-json $config \| Out-File -Encoding ASCII C:\ProgramData\docker\config\daemon.json

	Restart-Service docker

	# dump docker info for auditing
	docker version
	docker info
	build-and-publish:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v2
	with:
	fetch-depth: 0 # fetch all history for all branches and tags
	- name: Set up go
	uses: actions/setup-go@v3
	with:
	check-latest: true
	go-version-file: 'go.mod'
	- name: Install Cosign
	uses: sigstore/cosign-installer@v1.0.0
	with:
	cosign-release: 'v1.0.0'
	- name: Set version
	run: \|
	echo "LIFECYCLE_VERSION=$(go run tools/version/main.go)" \| tee -a $GITHUB_ENV version.txt
	- uses: actions/upload-artifact@v2
	with:
	name: version
	path: version.txt
	- name: Set tag
	run: \|
	echo "LIFECYCLE_IMAGE_TAG=$(git describe --always --abbrev=7)" >> tag.txt
	- uses: actions/upload-artifact@v2
	with:
	name: tag
	path: tag.txt
	- name: Build
	run: \|
	make clean
	make build
	make package
	- uses: actions/upload-artifact@v2
	with:
	name: lifecycle-linux-x86-64
	path: out/lifecycle-v*+linux.x86-64.tgz
	- uses: actions/upload-artifact@v2
	with:
	name: lifecycle-linux-x86-64-sha256
	path: out/lifecycle-v*+linux.x86-64.tgz.sha256
	- uses: actions/upload-artifact@v2
	with:
	name: lifecycle-windows-x86-64
	path: out/lifecycle-v*+windows.x86-64.tgz
	- uses: actions/upload-artifact@v2
	with:
	name: lifecycle-windows-x86-64-sha256
	path: out/lifecycle-v*+windows.x86-64.tgz.sha256
	- name: Generate SBOM JSON
	uses: CycloneDX/gh-gomod-generate-sbom@v1
	with:
	args: mod -licenses -json -output lifecycle-v${{ env.LIFECYCLE_VERSION }}-bom.cdx.json
	version: ^v1
	- uses: actions/upload-artifact@v2
	with:
	name: lifecycle-bom-cdx
	path: lifecycle-v*-bom.cdx.json
	- name: Calculate SBOM sha
	run: \|
	shasum -a 256 lifecycle-v${{ env.LIFECYCLE_VERSION }}-bom.cdx.json > lifecycle-v${{ env.LIFECYCLE_VERSION }}-bom.cdx.json.sha256
	- uses: actions/upload-artifact@v2
	with:
	name: lifecycle-bom-cdx-sha256
	path: lifecycle-v*-bom.cdx.json.sha256
	- uses: docker/login-action@v2
	if: github.event_name == 'push'
	with:
	registry: cormtestacr.azurecr.io
	username: ${{ secrets.DOCKER_USERNAME }}
	password: ${{ secrets.DOCKER_PASSWORD }}
	- uses: actions/download-artifact@v2
	with:
	name: tag
	- name: Set env
	run: \|
	cat tag.txt >> $GITHUB_ENV
	- name: Rename cosign public key
	run: \|
	cp cosign.pub lifecycle-v${{ env.LIFECYCLE_VERSION }}-cosign.pub
	- uses: actions/upload-artifact@v2
	with:
	name: lifecycle-cosign-public-key
	path: lifecycle-v${{ env.LIFECYCLE_VERSION }}-cosign.pub
	- name: Calculate cosign sha
	run: \|
	shasum -a 256 lifecycle-v${{ env.LIFECYCLE_VERSION }}-cosign.pub > lifecycle-v${{ env.LIFECYCLE_VERSION }}-cosign.pub.sha256
	- uses: actions/upload-artifact@v2
	with:
	name: lifecycle-cosign-public-key-sha256
	path: lifecycle-v${{ env.LIFECYCLE_VERSION }}-cosign.pub.sha256
	- name: Publish images
	if: github.event_name == 'push'
	run: \|
	DOCKER_CLI_EXPERIMENTAL=enabled
	LIFECYCLE_IMAGE_TAG=$(git describe --always --abbrev=7)

	LINUX_AMD64_SHA=$(go run ./tools/image/main.go -lifecyclePath ./out/lifecycle-v*+linux.x86-64.tgz -tag cormtestacr.azurecr.io/oryx/lifecycle:${LIFECYCLE_IMAGE_TAG}-linux-x86-64 \| awk '{print $NF}')
	echo "LINUX_AMD64_SHA: $LINUX_AMD64_SHA"

	WINDOWS_AMD64_SHA=$(go run ./tools/image/main.go -lifecyclePath ./out/lifecycle-v*+windows.x86-64.tgz -tag cormtestacr.azurecr.io/oryx/lifecycle:${LIFECYCLE_IMAGE_TAG}-windows -os windows \| awk '{print $NF}')
	echo "WINDOWS_AMD64_SHA: $WINDOWS_AMD64_SHA"

	docker manifest create cormtestacr.azurecr.io/oryx/lifecycle:${LIFECYCLE_IMAGE_TAG} \
	cormtestacr.azurecr.io/oryx/lifecycle:${LIFECYCLE_IMAGE_TAG}-linux-x86-64@${LINUX_AMD64_SHA} \
	cormtestacr.azurecr.io/oryx/lifecycle:${LIFECYCLE_IMAGE_TAG}-windows@${WINDOWS_AMD64_SHA}

	MANIFEST_SHA=$(docker manifest push cormtestacr.azurecr.io/oryx/lifecycle:${LIFECYCLE_IMAGE_TAG})
	echo "MANIFEST_SHA: $MANIFEST_SHA"
	- name: Scan image
	if: github.event_name == 'push'
	uses: anchore/scan-action@v3
	with:
	image: cormtestacr.azurecr.io/oryx/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}
	pack-acceptance-linux:
	if: github.event_name == 'push'
	needs: build-and-publish
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v2
	with:
	repository: 'buildpacks/pack'
	path: 'pack'
	ref: 'main'
	fetch-depth: 0 # fetch all history for all branches and tags
	- name: Set up go
	uses: actions/setup-go@v3
	with:
	go-version: '1.20.5'
	- uses: actions/download-artifact@v2
	with:
	name: version
	- uses: actions/download-artifact@v2
	with:
	name: tag
	- name: Set env
	run: \|
	cat version.txt >> $GITHUB_ENV
	cat tag.txt >> $GITHUB_ENV
	- uses: actions/download-artifact@v2
	with:
	name: lifecycle-linux-x86-64
	path: pack
	- name: Run pack acceptance
	run: \|
	cd pack
	git checkout v0.28.0 # FIXME: let the pack version float again when pack 0.30.0-pre2 is out
	LIFECYCLE_PATH="../lifecycle-v${{ env.LIFECYCLE_VERSION }}+linux.x86-64.tgz" \
	LIFECYCLE_IMAGE="cormtestacr.azurecr.io/oryx/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}" \
	make acceptance
	pack-acceptance-windows:
	if: github.event_name == 'push'
	needs: build-and-publish
	runs-on: windows-2019
	steps:
	- name: Set git to use LF and symlinks
	run: \|
	git config --global core.autocrlf false
	git config --global core.eol lf
	git config --global core.symlinks true
	- uses: actions/checkout@v2
	with:
	repository: 'buildpacks/pack'
	path: 'pack'
	ref: 'main'
	fetch-depth: 0 # fetch all history for all branches and tags
	- name: Set up go
	uses: actions/setup-go@v3
	with:
	go-version: '1.20.5'
	- name: Add runner IP to daemon insecure-registries and firewall
	shell: powershell
	run: \|
	# Get IP from default gateway interface
	$IPAddress=(Get-NetIPAddress -InterfaceAlias ((Get-NetRoute "0.0.0.0/0").InterfaceAlias) -AddressFamily IPv4)[0].IPAddress

	# Allow container-to-host registry traffic (from public interface, to the same interface)
	New-NetfirewallRule -DisplayName test-registry -LocalAddress $IPAddress -RemoteAddress $IPAddress

	# create or update daemon config to allow host as insecure-registry
	$config=@{}
	if (Test-Path C:\ProgramData\docker\config\daemon.json) {
	$config=(Get-Content C:\ProgramData\docker\config\daemon.json \| ConvertFrom-json)
	}
	$config \| Add-Member -Force -Name "insecure-registries" -value @("$IPAddress/32") -MemberType NoteProperty
	ConvertTo-json $config \| Out-File -Encoding ASCII C:\ProgramData\docker\config\daemon.json

	Restart-Service docker

	# dump docker info for auditing
	docker version
	docker info
	- name: Modify etc\hosts to include runner IP
	shell: powershell
	run: \|
	$IPAddress=(Get-NetIPAddress -InterfaceAlias ((Get-NetRoute "0.0.0.0/0").InterfaceAlias) -AddressFamily IPv4)[0].IPAddress
	"# Modified by CNB: https://github.com/buildpacks/ci/tree/main/gh-runners/windows
	${IPAddress} host.docker.internal
	${IPAddress} gateway.docker.internal
	" \| Out-File -Filepath C:\Windows\System32\drivers\etc\hosts -Encoding utf8
	- uses: actions/download-artifact@v2
	with:
	name: version
	- uses: actions/download-artifact@v2
	with:
	name: tag
	- name: Set env
	run: \|
	cat version.txt >> $env:GITHUB_ENV
	cat tag.txt >> $env:GITHUB_ENV
	- uses: actions/download-artifact@v2
	with:
	name: lifecycle-windows-x86-64
	path: pack
	- name: Run pack acceptance
	run: \|
	cd pack
	git checkout v0.28.0 # FIXME: let the pack version float again when pack 0.30.0-pre2 is out
	$env:LIFECYCLE_PATH="..\lifecycle-v${{ env.LIFECYCLE_VERSION }}+windows.x86-64.tgz"
	$env:LIFECYCLE_IMAGE="cormtestacr.azurecr.io/oryx/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}"
	make acceptance

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Skip ensuring registry access for the analyzer #6

Workflow file

Skip ensuring registry access for the analyzer #6

Jobs

Run details

Workflow file for this run