Updates for custom v0.17.2 lifecycle and deployment
cormacpayne committed Nov 8, 2023
1 parent 0b0bd4f commit 0b3d994
Showing 5 changed files with 21 additions and 74 deletions.
30 changes: 13 additions & 17 deletions .github/workflows/build.yml
@@ -5,6 +5,7 @@ on:
branches:
- main
- 'release/**'
- v0.17.2-custom
pull_request:
branches:
- main
@@ -186,6 +187,7 @@ jobs:
- uses: azure/docker-login@v1
if: github.event_name == 'push'
with:
login-server: cormtestacr.azurecr.io
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- uses: actions/download-artifact@v2
@@ -214,33 +216,27 @@ jobs:
DOCKER_CLI_EXPERIMENTAL=enabled
LIFECYCLE_IMAGE_TAG=$(git describe --always --abbrev=7)
LINUX_AMD64_SHA=$(go run ./tools/image/main.go -lifecyclePath ./out/lifecycle-v*+linux.x86-64.tgz -tag buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG}-linux-x86-64 | awk '{print $NF}')
LINUX_AMD64_SHA=$(go run ./tools/image/main.go -lifecyclePath ./out/lifecycle-v*+linux.x86-64.tgz -tag cormtestacr.azurecr.io/oryx/lifecycle:${LIFECYCLE_IMAGE_TAG}-linux-x86-64 | awk '{print $NF}')
echo "LINUX_AMD64_SHA: $LINUX_AMD64_SHA"
LINUX_ARM64_SHA=$(go run ./tools/image/main.go -lifecyclePath ./out/lifecycle-v*+linux.arm64.tgz -tag buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG}-linux-arm64 -arch arm64 | awk '{print $NF}')
LINUX_ARM64_SHA=$(go run ./tools/image/main.go -lifecyclePath ./out/lifecycle-v*+linux.arm64.tgz -tag cormtestacr.azurecr.io/oryx/lifecycle:${LIFECYCLE_IMAGE_TAG}-linux-arm64 -arch arm64 | awk '{print $NF}')
echo "LINUX_ARM64_SHA: $LINUX_ARM64_SHA"
WINDOWS_AMD64_SHA=$(go run ./tools/image/main.go -lifecyclePath ./out/lifecycle-v*+windows.x86-64.tgz -tag buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG}-windows -os windows | awk '{print $NF}')
WINDOWS_AMD64_SHA=$(go run ./tools/image/main.go -lifecyclePath ./out/lifecycle-v*+windows.x86-64.tgz -tag cormtestacr.azurecr.io/oryx/lifecycle:${LIFECYCLE_IMAGE_TAG}-windows -os windows | awk '{print $NF}')
echo "WINDOWS_AMD64_SHA: $WINDOWS_AMD64_SHA"
docker manifest create buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG} \
buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG}-linux-x86-64@${LINUX_AMD64_SHA} \
buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG}-linux-arm64@${LINUX_ARM64_SHA} \
buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG}-windows@${WINDOWS_AMD64_SHA}
docker manifest create cormtestacr.azurecr.io/oryx/lifecycle:${LIFECYCLE_IMAGE_TAG} \
cormtestacr.azurecr.io/oryx/lifecycle:${LIFECYCLE_IMAGE_TAG}-linux-x86-64@${LINUX_AMD64_SHA} \
cormtestacr.azurecr.io/oryx/lifecycle:${LIFECYCLE_IMAGE_TAG}-linux-arm64@${LINUX_ARM64_SHA} \
cormtestacr.azurecr.io/oryx/lifecycle:${LIFECYCLE_IMAGE_TAG}-windows@${WINDOWS_AMD64_SHA}
MANIFEST_SHA=$(docker manifest push buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG})
MANIFEST_SHA=$(docker manifest push cormtestacr.azurecr.io/oryx/lifecycle:${LIFECYCLE_IMAGE_TAG})
echo "MANIFEST_SHA: $MANIFEST_SHA"
COSIGN_PASSWORD=${{ secrets.COSIGN_PASSWORD }} cosign sign -r \
-key <(echo -n "${{ secrets.COSIGN_PRIVATE_KEY }}" | base64 --decode) \
-a tag=${LIFECYCLE_IMAGE_TAG} \
buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG}@${MANIFEST_SHA}
cosign verify -key cosign.pub -a tag=${LIFECYCLE_IMAGE_TAG} buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG}
- name: Scan image
if: github.event_name == 'push'
uses: anchore/scan-action@v3
with:
image: buildpacksio/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}
image: cormtestacr.azurecr.io/oryx/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}
pack-acceptance-linux:
if: github.event_name == 'push'
needs: build-and-publish
@@ -275,7 +271,7 @@ jobs:
cd pack
git checkout v0.28.0 # FIXME: let the pack version float again when pack 0.30.0-pre2 is out
LIFECYCLE_PATH="../lifecycle-v${{ env.LIFECYCLE_VERSION }}+linux.x86-64.tgz" \
LIFECYCLE_IMAGE="buildpacksio/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}" \
LIFECYCLE_IMAGE="cormtestacr.azurecr.io/oryx/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}" \
make acceptance
pack-acceptance-windows:
if: github.event_name == 'push'
@@ -346,6 +342,6 @@ jobs:
cd pack
git checkout v0.28.0 # FIXME: let the pack version float again when pack 0.30.0-pre2 is out
$env:LIFECYCLE_PATH="..\lifecycle-v${{ env.LIFECYCLE_VERSION }}+windows.x86-64.tgz"
$env:LIFECYCLE_IMAGE="buildpacksio/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}"
$env:LIFECYCLE_IMAGE="cormtestacr.azurecr.io/oryx/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}"
make acceptance
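Review bot: The image is now published unsigned: the third hunk removes the `cosign sign` and `cosign verify` commands without a replacement, so nothing that pulls `cormtestacr.azurecr.io/oryx/lifecycle` can check that a tag was produced by this workflow. If the upstream signing key is simply not available to the fork, I would keep the step and sign with a fork-owned key, retargeting the reference to `cormtestacr.azurecr.io/oryx/lifecycle:${LIFECYCLE_IMAGE_TAG}@${MANIFEST_SHA}`, rather than drop verification entirely. The registry host is also repeated as a literal in the login step, every tag, the scan target and both acceptance jobs; a single workflow-level entry such as `env: LIFECYCLE_IMAGE_REPO: cormtestacr.azurecr.io/oryx/lifecycle` would keep the login server and the pushed references from drifting apart.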
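--- a/cmd/lifecycle/analyzer.go
+++ b/cmd/lifecycle/analyzer.go
@@ -80,23 +80,8 @@ func (a *analyzeCmd) Args(nargs int, args []string) error {
 
 // Privileges validates the needed privileges.
 func (a *analyzeCmd) Privileges() error {
-var err error
-a.keychain, err = auth.DefaultKeychain(a.RegistryImages()...)
-if err != nil {
-return cmd.FailErr(err, "resolve keychain")
-}
-if a.UseDaemon {
-a.docker, err = priv.DockerClient()
-if err != nil {
-return cmd.FailErr(err, "initialize docker client")
-}
-}
-if err = priv.EnsureOwner(a.UID, a.GID, a.LayersDir, a.CacheDir, a.LaunchCacheDir); err != nil {
-return cmd.FailErr(err, "chown volumes")
-}
-if err = priv.RunAs(a.UID, a.GID); err != nil {
-return cmd.FailErr(err, fmt.Sprintf("exec as user %d:%d", a.UID, a.GID))
-}
+// Temporarily skip Privileges() call when used inside ACA builder
+cmd.DefaultLogger.Debugf("Skipping Privileges() call inside analyzer.")
 return nil
 }
 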
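Review bot: Emptying `Privileges()` removes more than the privilege handling: `a.keychain` and `a.docker` are no longer assigned, and neither `priv.EnsureOwner` nor `priv.RunAs` runs, so the analyzer keeps whatever UID it was started with (root, if the container starts as root) for the rest of the phase. The same replacement is made in exporter.go and restorer.go. I would keep the keychain and Docker client setup unconditional, put only the chown and `RunAs` behind an explicit opt-in that the ACA builder sets, and log the bypass at warning level so it shows up in normal output; code later in the phase that reads `a.keychain` presumably now sees a nil value. If `auth`, `priv` and `fmt` are not used elsewhere in these files their imports are now unused, but the import blocks are outside the hunks.

```go
func (a *analyzeCmd) Privileges() error {
	var err error
	// Keychain and Docker client setup are initialisation, not privilege changes; keep them.
	a.keychain, err = auth.DefaultKeychain(a.RegistryImages()...)
	if err != nil {
		return cmd.FailErr(err, "resolve keychain")
	}
	// … unchanged from the previous version: Docker client setup when a.UseDaemon …
	if skipPrivilegeDrop { // placeholder name: an explicit opt-in set by the ACA builder
		cmd.DefaultLogger.Warnf("Skipping chown and privilege drop inside analyzer.")
		return nil
	}
	// … unchanged from the previous version: priv.EnsureOwner and priv.RunAs …
	return nil
}
```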
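--- a/cmd/lifecycle/detector.go
+++ b/cmd/lifecycle/detector.go
@@ -51,10 +51,8 @@ func (d *detectCmd) Args(nargs int, _ []string) error {
 }
 
 func (d *detectCmd) Privileges() error {
-// detector should never be run with privileges
-if priv.IsPrivileged() {
-return cmd.FailErr(errors.New("refusing to run as root"), "detect")
-}
+// Temporarily skip Privileges() call when used inside ACA builder
+cmd.DefaultLogger.Debugf("Skipping Privileges() call inside detector.")
 return nil
 }
 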
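Review bot: With the `priv.IsPrivileged()` guard gone, the detector no longer refuses to start as root, so the detect phase runs fully privileged whenever the builder container does; the removed comment states that this phase should never be run with privileges. If the ACA builder has to run it as root for now, keep the guard and make the exception explicit, for example `if priv.IsPrivileged() && !allowRootDetect {` (`allowRootDetect` is a placeholder for whatever opt-in the builder sets), and report the bypass with `Warnf` rather than `Debugf`. The new comment says "temporarily" but names no condition for restoring the check; a `// TODO(<issue>): restore the root check` would make that trackable. If `priv` and `errors` are not used elsewhere in detector.go their imports are now unused; the import block is outside the hunk.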
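--- a/cmd/lifecycle/exporter.go
+++ b/cmd/lifecycle/exporter.go
@@ -104,24 +104,8 @@ func (e *exportCmd) Args(nargs int, args []string) error {
 }
 
 func (e *exportCmd) Privileges() error {
-var err error
-e.keychain, err = auth.DefaultKeychain(e.registryImages()...)
-if err != nil {
-return cmd.FailErr(err, "resolve keychain")
-}
-if e.UseDaemon {
-var err error
-e.docker, err = priv.DockerClient()
-if err != nil {
-return cmd.FailErr(err, "initialize docker client")
-}
-}
-if err = priv.EnsureOwner(e.UID, e.GID, e.CacheDir, e.LaunchCacheDir); err != nil {
-return cmd.FailErr(err, "chown volumes")
-}
-if err = priv.RunAs(e.UID, e.GID); err != nil {
-return cmd.FailErr(err, fmt.Sprintf("exec as user %d:%d", e.UID, e.GID))
-}
+// Temporarily skip Privileges() call when used inside ACA builder
+cmd.DefaultLogger.Debugf("Skipping Privileges() call inside exporter.")
 return nil
 }
 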
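--- a/cmd/lifecycle/restorer.go
+++ b/cmd/lifecycle/restorer.go
@@ -70,24 +70,8 @@ func (r *restoreCmd) Args(nargs int, _ []string) error {
 }
 
 func (r *restoreCmd) Privileges() error {
-var err error
-r.keychain, err = auth.DefaultKeychain(r.RegistryImages()...)
-if err != nil {
-return cmd.FailErr(err, "resolve keychain")
-}
-if r.UseDaemon {
-var err error
-r.docker, err = priv.DockerClient()
-if err != nil {
-return cmd.FailErr(err, "initialize docker client")
-}
-}
-if err = priv.EnsureOwner(r.UID, r.GID, r.LayersDir, r.CacheDir, r.KanikoDir); err != nil {
-return cmd.FailErr(err, "chown volumes")
-}
-if err = priv.RunAs(r.UID, r.GID); err != nil {
-return cmd.FailErr(err, fmt.Sprintf("exec as user %d:%d", r.UID, r.GID))
-}
+// Temporarily skip Privileges() call when used inside ACA builder
+cmd.DefaultLogger.Debugf("Skipping Privileges() call inside restorer.")
 return nil
 }
 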
