Skip to content

renovate/37.421.6 package update #43253

renovate/37.421.6 package update

renovate/37.421.6 package update #43253

Workflow file for this run

name: CI build action
on:
pull_request:
branches: ["main"]
push:
branches:
- gh-readonly-queue/main/**
permissions:
contents: read
jobs:
changes:
permissions:
contents: read
name: Determine packages to test building
runs-on: ubuntu-latest
outputs:
packages: ${{steps.package-list.outputs.packages}}
steps:
- name: Harden Runner
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
egress-policy: audit
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Look for changed files
id: changes
uses: tj-actions/changed-files@cc733854b1f224978ef800d29e4709d5ee2883e4 # v44.5.5
with:
files_yaml: |
melange:
- ./*.yaml # Only top level files without structure
- ./*/*/*.melange.yaml # Support recursive melange files with the new naming convention.
# this need to point to main to always get the latest action
- uses: wolfi-dev/actions/install-wolfictl@main # main
# Assuming that we have a list of changed files such as `foo.yaml` and `bar.yaml`, this
# strips the list down into `foo` and `bar`.
- name: Build package list
id: package-list
run: |
printf "packages=" >> $GITHUB_OUTPUT
wolfictl text -t name --pipeline-dir=./pipelines/ \
-r https://packages.wolfi.dev/bootstrap/stage3 \
-k https://packages.wolfi.dev/bootstrap/stage3/wolfi-signing.rsa.pub > packages-list
while read pkg; do
for file in ${{ steps.changes.outputs.melange_all_changed_files }}; do
# Since the file is a path, we need to strip out only the file
# name from it.
base_file=$(basename $file)
base_file="${base_file%.melange.yaml}"
base_file="${base_file%.yaml}"
printf "base_file: $base_file"
[ "${base_file}" = "$pkg" ] && printf "%s " ${base_file} >> $GITHUB_OUTPUT
done
done < packages-list
printf "\n" >> $GITHUB_OUTPUT
build:
name: Test building of packages
strategy:
matrix:
arch: ["x86_64", "aarch64"]
include:
- arch: x86_64
runner: ubuntu-latest-16-cores
oci: amd64
- arch: aarch64
runner: ubuntu-arm-16-cores
oci: arm64
fail-fast: false
runs-on: ${{ matrix.runner }}
needs: changes
outputs:
packages_were_built: ${{ steps.file_check.outputs.exists }}
permissions:
contents: read
pull-requests: write # so we have permission to comment on pull requests
steps:
- name: Harden Runner
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
egress-policy: audit
- name: Free up runner disk space
run: |
set -x
printf "==> Available space before cleanup\n"
df -h
rm -rf /usr/share/dotnet
rm -rf "$AGENT_TOOLSDIRECTORY"
printf "==> Available space after cleanup\n"
df -h
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Docker
run: |
# Add Docker's official GPG key:
sudo apt-get update -y
sudo apt-get install ca-certificates curl -y
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
# Add the repository to Apt sources:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update -y
sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
sudo usermod -aG docker $USER
sudo apt-get install acl
sudo setfacl --modify user:$USER:rw /var/run/docker.sock
- name: "Generate local signing key"
uses: ./.github/actions/docker-run
with:
run: |
make MELANGE="melange" local-melange.rsa
- name: "Build Wolfi"
uses: ./.github/actions/docker-run
with:
opts: "-v /temp:/temp -v /var/run/docker.sock:/var/run/docker.sock"
run: |
# Use a different shared $TMPDIR accessible and non-conflicting to
# both the host and container since we're running docker out of
# docker
export TMPDIR="/temp"
# This is to avoid fatal errors about "dubious ownership" because we are
# running inside of a container action with the workspace mounted in.
git config --global --add safe.directory .
mkdir -p .melangecache
for package in ${{needs.changes.outputs.packages}}; do
make MELANGE_EXTRA_OPTS="--create-build-log --cache-dir=.melangecache" REPO="./packages" package/$package -j1
make MELANGE_EXTRA_OPTS="--runner docker" REPO="./packages" "test/$package" -j1
done
- name: "Check that packages can be installed with apk add"
uses: ./.github/actions/docker-run
with:
run: |
# Create a fake linux fs under /tmp/emptyroot to pass to `apk --root`.
mkdir -p /tmp/emptyroot/etc/apk
cp -r /etc/apk/* /tmp/emptyroot/etc/apk/
cat /dev/null > /tmp/emptyroot/etc/apk/world
mkdir -p /tmp/emptyroot/lib/apk/db
touch /tmp/emptyroot/lib/apk/db/{installed,lock,scripts.tar,triggers}
mkdir -p /tmp/emptyroot/var/cache/apk
apk update --root /tmp/emptyroot
# Find .apk files and add them to the string
for f in $(find packages -name '*.apk'); do
tar -Oxf "$f" .PKGINFO
apk add --root /tmp/emptyroot --repository "./packages" --allow-untrusted --simulate "$f"
done
- name: Reset file permissions
run: |
sudo chown -R $(id -u):$(id -g) .
- name: Check SBOMs
uses: ./.github/actions/docker-run
with:
run: |
apk add py3-ntia-conformance-checker spdx-tools-java
for f in $(find packages -name '*.apk'); do
echo "==== Checking SBOM for $f ===="
tar -Oxf "$f" var/lib/db/sbom/ > sbom.json
echo ::group::sbom.json
cat sbom.json
echo ::endgroup::
ntia-checker -v --file sbom.json
tools-java Verify sbom.json
done
- name: Check for file
id: file_check
run: |
if test -f "packages.log"; then
cat packages.log
echo "exists=true" >> $GITHUB_OUTPUT
else
echo "exists=false" >> $GITHUB_OUTPUT
fi
touch packages.log
- name: Check diff
if: steps.file_check.outputs.exists == 'true'
# Let's not fail the whole job if this step fails as it is for improved UX rather than an enforced check
continue-on-error: true
uses: ./.github/actions/docker-run
with:
run: |
wolfictl check diff
- name: Check for diff file
id: diff_file_check
run: |
if test -f "diff.log"; then
cat diff.log
echo "exists=true" >> $GITHUB_OUTPUT
else
echo "exists=false" >> $GITHUB_OUTPUT
fi
# Use the x86_64 build results for the comment for now so we don't have duplicates.
- name: PR comment diff
if: steps.diff_file_check.outputs.exists == 'true' && matrix.arch == 'x86_64'
uses: thollander/actions-comment-pull-request@fabd468d3a1a0b97feee5f6b9e499eab0dd903f6 # v2.5.0
# We're seeing jobs using merge queues fail
continue-on-error: true
with:
filePath: diff.log
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: "Upload built packages to GitHub artifacts"
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
path: |
./packages/${{ matrix.arch }}
./packages.log
name: packages-${{ matrix.arch }}
retention-days: 1
if-no-files-found: warn
so_check:
permissions:
contents: read
name: "ABI Compatibility check"
runs-on: ubuntu-latest
needs: build
if: needs.build.outputs.packages_were_built == 'true'
steps:
- name: Harden Runner
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
egress-policy: audit
- name: "Retrieve x86_64 packages"
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: packages-x86_64
path: /tmp/artifacts-1/
- name: "Retrieve aarch64 packages"
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: packages-aarch64
path: /tmp/artifacts-2/
- name: "Collect packages from all architectures into one place"
run: |
cd /tmp/artifacts-1
# Put the packages into one place (if aarch64 logs exist)
if test -f "/tmp/artifacts-2/packages"; then
mv /tmp/artifacts-2/packages/* ./packages/
# Merge the build log ("packages.log") files
cat /tmp/artifacts-2/packages.log >> ./packages.log
fi
# this need to point to main to always get the latest action
- uses: wolfi-dev/actions/install-wolfictl@main # main
- name: Soname check
run: |
wolfictl check so-name --packages-dir /tmp/artifacts-1/packages --package-list-file /tmp/artifacts-1/packages.log
scan:
permissions:
contents: read
name: "Scan packages for CVEs"
runs-on: ubuntu-latest
needs: build
if: needs.build.outputs.packages_were_built == 'true'
timeout-minutes: 30
steps:
- name: Harden Runner
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
egress-policy: audit
- name: "Retrieve x86_64 packages"
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: packages-x86_64
path: /tmp/artifacts-1/
- name: "Retrieve aarch64 packages"
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: packages-aarch64
path: /tmp/artifacts-2/
- name: "Collect packages from all architectures into one place"
run: |
cd /tmp/artifacts-1
# Put the packages into one place (if aarch64 logs exist)
if test -f "/tmp/artifacts-2/packages"; then
mv /tmp/artifacts-2/packages/* ./packages/
# Merge the build log ("packages.log") files
cat /tmp/artifacts-2/packages.log >> ./packages.log
fi
- name: "Retrieve Wolfi advisory data"
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
repository: "wolfi-dev/advisories"
path: "data/wolfi-advisories"
# this need to point to main to always get the latest action
- uses: wolfi-dev/actions/install-wolfictl@main # main
- name: Scan for CVEs
run: |
wolfictl scan \
--build-log \
--advisories-repo-dir 'data/wolfi-advisories' \
--advisory-filter 'resolved' \
--require-zero \
/tmp/artifacts-1 \
2> /dev/null # The error message renders strangely on GitHub Actions, and the important information is already being sent to stdout.