Skip to content

Merge pull request #1723 from chainguard-dev/dependabot/github_action… #3051

Merge pull request #1723 from chainguard-dev/dependabot/github_action…

Merge pull request #1723 from chainguard-dev/dependabot/github_action… #3051

name: ci
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
jobs:
build-melange:
name: Build melange and add to artifact cache
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
with:
go-version-file: './go.mod'
check-latest: true
- name: build
run: |
make melange
- uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
with:
name: melange-${{ github.run_id }}
path: ${{ github.workspace }}/melange
retention-days: 1
build-packages:
name: Build packages
needs:
- build-melange
# TODO: Set up a larger runner for this.
runs-on: ubuntu-latest
permissions:
contents: read
# This is a list of packages which covers basic and exotic uses of
# the built-in pipelines. Goal is to balance efficiency while also
# exercising Melange with real-world package builds.
# Feel free to add additional packages to this matrix which exercise
# Melange in new ways (e.g. new pipelines, etc.)
strategy:
fail-fast: false
matrix:
runner:
- bubblewrap
- qemu
package:
- hello-wolfi
- glibc
- tini
- lzo
- bubblewrap
# - gdk-pixbuf # Looks like this is broken again, see: https://gitlab.gnome.org/GNOME/gobject-introspection/-/issues/515
- gitsign
- guac
- mdbook
- s3cmd
- perl-yaml-syck
- ncurses
# TODO: https://github.com/wolfi-dev/os/issues/26442
#- xmlto
steps:
- uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
repository: wolfi-dev/os
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: melange-${{ github.run_id }}
path: ${{ github.workspace }}/.melange-dir
run-id: ${{ github.run_id }}
- run: |
sudo mv ${{ github.workspace }}/.melange-dir/melange /usr/bin/melange
sudo chmod a+x /usr/bin/melange
melange version
- if: matrix.runner == 'bubblewrap'
run: |
sudo apt-get -y install bubblewrap
- if: matrix.runner == 'bubblewrap'
run: |
make SHELL="/bin/bash" MELANGE="sudo melange" package/${{ matrix.package }}
- name: Download kernel for VMs
if: matrix.runner == 'qemu'
run: |
KERNEL_PKG="$(curl -sL https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz | tar -Oxz APKINDEX | awk -F':' '$1 == "P" {printf "%s-", $2} $1 == "V" {printf "%s.apk\n", $2}' | grep "linux-virt" | grep -v dev)"
curl -LSo linux-virt.apk "https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/$KERNEL_PKG"
mkdir -p /tmp/kernel
tar -xf ./linux-virt.apk -C /tmp/kernel/
- name: Install QEMU/KVM
if: matrix.runner == 'qemu'
run: |
sudo apt-get update
sudo apt-get -y install qemu-system qemu-kvm
- name: Enable KVM group perms
if: matrix.runner == 'qemu'
run: |
echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
sudo udevadm control --reload-rules
sudo udevadm trigger --name-match=kvm
- name: Make package ${{matrix.package}} with QEMU Runner
if: matrix.runner == 'qemu'
run: |
make \
SHELL="/bin/bash" \
QEMU_KERNEL_IMAGE=/tmp/kernel/boot/vmlinuz-virt \
QEMU_KERNEL_MODULES=/tmp/kernel/lib/modules/ \
MELANGE="/usr/bin/melange" \
MELANGE_EXTRA_OPTS="--runner qemu" \
package/${{ matrix.package }}
- name: "Retrieve Wolfi advisory data"
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
repository: "wolfi-dev/advisories"
path: "data/wolfi-advisories"
# this need to point to main to always get the latest action
- uses: wolfi-dev/actions/install-wolfictl@main # main
- name: Test installable and Scan for CVEs
run: |
docker run --rm -v $(pwd):/work --workdir /work cgr.dev/chainguard/wolfi-base apk add --allow-untrusted packages/x86_64/${{ matrix.package }}-*.apk
# There is a huge fixed cost for every wolfictl scan invocation for grype DB init.
# Do this outside of the loop in one invocation with every package.
wolfictl scan \
--advisories-repo-dir 'data/wolfi-advisories' \
--advisory-filter 'resolved' \
--require-zero \
packages/x86_64/${{ matrix.package }}-*.apk \
2> /dev/null # The error message renders strangely on GitHub Actions, and the important information is already being sent to stdout.