Bundle Build Wolfi Packages #100
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Bundle Build Wolfi Packages | |
| on: | |
| schedule: | |
| # Deploy at 7:23 AM (PST) every day. | |
| - cron: "23 15 * * *" | |
| workflow_dispatch: | |
| inputs: | |
| package_names: | |
| required: false | |
| type: string | |
| default: "" | |
| description: "comma separated list of package names to build. If empty, build all packages." | |
| checkout_ref: | |
| required: false | |
| type: string | |
| default: "" | |
| description: "Ref to checkout before building" | |
| # Only run one build at a time to prevent out of sync signatures. | |
| concurrency: 'bundle-runner-a' | |
| permissions: | |
| contents: read | |
| jobs: | |
| build: | |
| name: Build packages | |
| if: github.repository == 'wolfi-dev/os' | |
| runs-on: ubuntu-latest | |
| container: | |
| image: ghcr.io/wolfi-dev/sdk:latest@sha256:0385b70eda5f4cec8f6f71063e95c6f3c5b80578cd2218a12e609cf35f5dba04 | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ github.event.inputs.checkout_ref }} | |
| - name: 'Trust the github workspace' | |
| run: | | |
| # This is to avoid fatal errors about "dubious ownership" because we are | |
| # running inside of a container action with the workspace mounted in. | |
| git config --global --add safe.directory "$(pwd)" | |
| - name: Authenticate to Google Cloud | |
| uses: "google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa" # v2.1.3 | |
| with: | |
| workload_identity_provider: "projects/567187841907/locations/global/workloadIdentityPools/bundle-post-wolfi/providers/github-provider" | |
| service_account: "bundle-runner-post-wolfi@staging-images-183e.iam.gserviceaccount.com" | |
| - name: Setup G Cloud SDK | |
| uses: "google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200" # v2.0.11 | |
| with: | |
| install_components: 'gke-gcloud-auth-plugin' | |
| - name: Print gcloud info | |
| shell: bash | |
| run: "gcloud info" | |
| - name: Configure GCR auth | |
| shell: bash | |
| run: gcloud auth configure-docker | |
| - name: Configure AR auth | |
| shell: bash | |
| run: gcloud auth configure-docker us-central1-docker.pkg.dev | |
| - name: Install sudo for gke-auth | |
| shell: bash | |
| run: apk add cmd:sudo | |
| - name: Make parent dir for gke-auth | |
| shell: bash | |
| run: mkdir -p /usr/local/bin | |
| - name: Connect to cluster | |
| uses: "imjasonh/gke-auth@31f5c5f16489a15037d46b08903d983889c46ddf" # v0.2.0 | |
| with: | |
| cluster: "bundle-runner-a" | |
| location: "us-central1" | |
| project: "staging-images-183e" | |
| - name: kubectl test | |
| shell: bash | |
| run: | | |
| apk add kubectl | |
| kubectl get namespace kube-system | |
| - name: "Generate local signing key" | |
| run: | | |
| make local-melange.rsa | |
| - name: "bundle build" | |
| shell: bash | |
| env: | |
| BUNDLE_REPO: us-central1-docker.pkg.dev/staging-images-183e/bundles | |
| BUCKET: "wolfi-registry-destination/${{ github.run_id }}" | |
| run: | | |
| set -x | |
| set -v | |
| COMMON_FLAGS=$(cat <<-END | |
| --keyring-append ./local-melange.rsa.pub \ | |
| --keyring-append https://packages.wolfi.dev/os/wolfi-signing.rsa.pub | |
| --repository-append https://packages.wolfi.dev/os | |
| END | |
| ) | |
| BUNDLE=$(wolfictl bundle \ | |
| --bundle-base ghcr.io/wolfi-dev/sdk:latest@sha256:0385b70eda5f4cec8f6f71063e95c6f3c5b80578cd2218a12e609cf35f5dba04 \ | |
| --bundle-repo "${BUNDLE_REPO}" \ | |
| ${COMMON_FLAGS} \ | |
| --runner bubblewrap \ | |
| --pipeline-dir ./pipelines \ | |
| ${{ github.event.inputs.package_names }} | |
| ) | |
| wolfictl build \ | |
| --jobs 128 \ | |
| --bucket "${BUCKET}" \ | |
| --destination-bucket "${BUCKET}" \ | |
| ${COMMON_FLAGS} \ | |
| --k8s-namespace 'post-wolfi' \ | |
| --service-account 'post-wolfi' \ | |
| --trace /tmp/trace.json \ | |
| --bundle "${BUNDLE}" | |
| - if: ${{ always() }} | |
| name: 'Upload trace to GitHub Artifacts' | |
| uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 | |
| with: | |
| name: trace-build.json | |
| path: /tmp/trace.json | |
| if-no-files-found: warn | |
| postrun: | |
| name: Notify Slack | |
| runs-on: ubuntu-latest | |
| if: failure() && false # TODO(kleung): remove `&& false` when ready to slack | |
| needs: [build] | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 | |
| with: | |
| egress-policy: audit | |
| - uses: rtCamp/action-slack-notify@4e5fb42d249be6a45a298f3c9543b111b02f7907 # v2.3.0 | |
| env: | |
| SLACK_ICON: http://github.com/chainguard-dev.png?size=48 | |
| SLACK_USERNAME: guardian | |
| SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }} | |
| SLACK_CHANNEL: chainguard-images-alerts | |
| SLACK_MSG_AUTHOR: wolfi-bot | |
| SLACK_COLOR: "#8E1600" | |
| MSG_MINIMAL: "true" | |
| SLACK_TITLE: "[bundle build wolfi] failure: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" | |
| SLACK_MESSAGE: | | |
| https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} |