Skip to content

Image / Build

Image / Build #434

Workflow file for this run

# Copyright (C) Nicolas Lamirault <[email protected]>
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# SPDX-License-Identifier: Apache-2.0
---
name: Image / Build
on: # yamllint disable-line rule:truthy
merge_group:
workflow_dispatch:
schedule:
- cron: "0 6,18 * * *" # 6am and 6pm every day
pull_request:
paths:
- apko.yaml
- melange.yaml
- "hack/scripts/**"
- "deps.sh"
push:
paths:
- apko.yaml
- melange.yaml
- "hack/scripts/**"
- "deps.sh"
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
ARCHS: x86_64,aarch64 #,armv7
FULCIO_URL: https://fulcio.sigstore.dev
REKOR_URL: https://rekor.sigstore.dev
jobs:
build:
name: Build OCI image
runs-on: ubuntu-latest
# https://docs.github.com/en/actions/reference/authentication-in-a-workflow
permissions:
contents: read
packages: write
# Required for keyless signing with fulcio
id-token: write
steps:
- uses: actions/checkout@v4
- name: Populate workspace
shell: bash
run: |
echo ".github/" >> .melangeignore && tree -a . \
&& sudo rm -rf /work && sudo mkdir /work
- name: Setup QEMU
uses: docker/setup-qemu-action@v3
- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=ref,event=branch
type=ref,event=pr
sep-tags: ' '
- name: Dependencies
run: ./deps.sh
- name: Install Cosign
uses: sigstore/cosign-installer@main
- name: Run Melange
uses: chainguard-dev/actions/melange-build@main
with:
config: melange.yaml
archs: ${{ env.ARCHS }}
signing-key-path: /work/melange.rsa
repository-path: /work/packages
empty-workspace: false
sign-with-temporary-key: true
- name: Create temp copy of /work directory (used in next step)
shell: bash
run: |
rm -rf .apko-automount && cp -r /work .apko-automount
- name: Run Apko
uses: chainguard-images/actions/apko-build@main
id: apko-build
with:
config: apko.yaml
archs: ${{ env.ARCHS }}
tag: ${{ steps.meta.outputs.tags }}
keyring-append: /work/melange.rsa.pub
automount-src: .apko-automount/.
automount-dest: /work
- name: Load image from apko-produced tarball
shell: bash
run: |
docker load < output.tar
- name: Run apko publish
uses: chainguard-images/actions/apko-publish@main
id: apko-publish
with:
config: apko.yaml
archs: ${{ env.ARCHS }}
tag: ${{ steps.meta.outputs.tags }}
keyring-append: /work/melange.rsa.pub
automount-src: .apko-automount/.
automount-dest: /work
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
scan-type: image
image-ref: ${{ steps.apko-publish.outputs.digest }}
format: table
exit-code: '1'
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'