

Merge pull request #175 from OmegaSquad82/OmegaSquad82-patch-1
feat: add philips-labs/[email protected]
OmegaSquad82 authored Feb 6, 2025
2 parents ae10f26 + 1f4aff1 commit 9a68a60
Showing 4 changed files with 296 additions and 10 deletions.
10 changes: 3 additions & 7 deletions .github/workflows/build-image.yml
Expand Up @@ -4,7 +4,9 @@ on:
push:
paths-ignore:
- '**/release-please.yml'
- '**/recompress-latest.yml'
- '**/vulnerability-scan.yml'
- '**/composition-analysis.yml'
- "**.md"
- "**/.gitkeep"
- "build-isos"
Expand All @@ -25,7 +27,7 @@ env:
ZSTD_CHUNKED: true

jobs:
bluebuild:
imagebuild:
name: Build Custom Image
runs-on: ubuntu-24.04
permissions:
Expand Down Expand Up @@ -195,9 +197,3 @@ jobs:
if: env.DO_ZSTD_CHUNKED == 'true'
run: |
echo "${{ toJSON(steps.push.outputs) }}"
# Free and Open Source Software license scanning
- name: Run GitHub Action for ORT
uses: oss-review-toolkit/ort-ci-github-action@v1
with:
sw-name: ${{ matrix.package }}
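--- a/.github/workflows/composition-analysis.yml
+++ b/.github/workflows/composition-analysis.yml
@@ -0,0 +1,127 @@
+name: composition-analysis
+on:
+workflow_dispatch: # allow manually triggering builds
+push:
+paths-ignore:
+- '**/build-image.yml'
+- '**/release-please.yml'
+- '**/recompress-latest.yml'
+- '**/vulnerability-scan.yml'
+- "**.md"
+- "**/.gitkeep"
+- "build-isos"
+- "renovate.json"
+schedule:
+- cron: "10 07 * * 1,3,5" # scan at 06:10 UTC on Mon, Wed, Fr
+# (1 hour after bluebuild images started building)
+
+concurrency:
+group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
+cancel-in-progress: true
+
+env:
+IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
+IMAGE_TAGS: latest
+REGISTRY_USER: ${{ github.actor }}
+REGISTRY_PASSWORD: ${{ github.token }}
+
+jobs:
+analysis:
+name: Scan Custom Image
+runs-on: ubuntu-24.04
+permissions:
+contents: read
+packages: read
+security-events: write
+strategy:
+fail-fast: true
+matrix:
+package:
+- aubertit
+- buttgenbachit
+- carbonatcyanotrichit
+- flaviramea
+steps:
+
+# Gimme more room to unfold
+- name: Maximize build space
+uses: easimon/maximize-build-space@master
+with:
+overprovision-lvm: true
+remove-android: true
+remove-codeql: true
+remove-docker-images: true
+remove-dotnet: true
+remove-haskell: true
+- name: Convert to compressed filesystem
+shell: bash
+run: |
+set -eux pipefail
+# https://github.com/easimon/maximize-build-space/issues/23
+# https://github.com/easimon/maximize-build-space/pull/37
+WORKSPACE_OWNER="$(stat -c '%U:%G' "${GITHUB_WORKSPACE}")"
+VG_NAME=buildvg
+LV_NAME="/dev/mapper/${VG_NAME}-buildlv"
+cd ~
+sudo umount "${LV_NAME}"
+# https://github.com/radxa/armbian-compile-action/commit/82fe40188f2f3b4dbd4ae8fb9c64f49f117085c7
+sudo mkfs.btrfs -L buildlv -M -m single --force "${LV_NAME}"
+sudo mount -o defaults,noatime,compress=zstd:3,discard=sync "${LV_NAME}" "${GITHUB_WORKSPACE}"
+sudo chown -R "$WORKSPACE_OWNER" "${GITHUB_WORKSPACE}"
+# Prepare analysis
+- name: Checkout codeZ
+uses: actions/checkout@v4
+
+- name: Get default branch name
+run: echo "DEFAULT_BRANCH=${{ github.event.repository.default_branch }}" >$GITHUB_ENV
+
+- name: Check if on default (main) or test (rechunk) branch to rechunk it
+run: |
+if [[ '${{ github.ref_name }}' = "$DEFAULT_BRANCH" || '${{ github.ref_name }}' = 'analyze' ]]; then
+OUT='IS_DEFAULT=true'
+else
+OUT='IS_DEFAULT=false'
+fi
+echo "$OUT" >$GITHUB_ENV
+# Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
+# https://github.com/macbre/push-to-ghcr/issues/12
+- name: Lowercase Registry
+uses: ASzc/change-string-case-action@v6
+id: case
+with:
+string: ${{ env.IMAGE_REGISTRY }}
+
+- name: Composite image name
+run: echo "IMAGE_NAME=${{ steps.case.outputs.lowercase }}/${{ matrix.package }}:$IMAGE_TAGS" >$GITHUB_ENV
+
+# SCA, Vuln and License scanning
+- name: Run GitHub Action for ORT
+uses: oss-review-toolkit/ort-ci-github-action@v1
+id: ort
+with:
+sw-name: ${{ matrix.package }}
+
+- name: Echo outputs
+run: |
+echo "${{ toJSON(steps.ort.outputs) }}"
+- uses: philips-labs/[email protected]
+id: tern
+with:
+image: ${{ env.IMAGE_NAME }}
+
+- uses: actions/upload-artifact@v4
+with:
+name: ${{ matrix.package }}
+path: ${{ steps.tern.outputs.file }}
+
+- name: Echo outputs
+run: |
+echo "${{ toJSON(steps.ort.outputs) }}"
+echo "${{ toJSON(steps.tern.outputs) }}"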
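--- a/.github/workflows/recompress-latest.yml
+++ b/.github/workflows/recompress-latest.yml
@@ -0,0 +1,161 @@
+name: recompress-latest
+on:
+workflow_dispatch: # allow manually triggering builds
+push:
+paths-ignore:
+- '**/build-image.yml'
+- '**/release-please.yml'
+- '**/vulnerability-scan.yml'
+- '**/composition-analysis.yml'
+- "**.md"
+- "**/.gitkeep"
+- "build-isos"
+- "renovate.json"
+schedule:
+- cron: "10 07 * * 1,3,5" # build at 07:10 UTC on Mon, Wed, Fr
+# (60 minutes after bluebuild images start building)
+
+concurrency:
+group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
+cancel-in-progress: true
+
+env:
+IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
+IMAGE_TAGS: latest
+REGISTRY_USER: ${{ github.actor }}
+REGISTRY_PASSWORD: ${{ github.token }}
+
+jobs:
+recompress:
+name: Build Custom Image
+runs-on: ubuntu-24.04
+permissions:
+contents: read
+packages: write
+strategy:
+fail-fast: true
+matrix:
+package:
+- aubertit
+- buttgenbachit
+- carbonatcyanotrichit
+- flaviramea
+steps:
+
+# Gimme more room to unfold
+- name: Maximize build space
+uses: easimon/maximize-build-space@master
+with:
+overprovision-lvm: true
+remove-android: true
+remove-codeql: true
+remove-docker-images: true
+remove-dotnet: true
+remove-haskell: true
+- name: Convert to compressed filesystem
+shell: bash
+run: |
+set -eux pipefail
+# https://github.com/easimon/maximize-build-space/issues/23
+# https://github.com/easimon/maximize-build-space/pull/37
+WORKSPACE_OWNER="$(stat -c '%U:%G' "${GITHUB_WORKSPACE}")"
+VG_NAME=buildvg
+LV_NAME="/dev/mapper/${VG_NAME}-buildlv"
+cd ~
+sudo umount "${LV_NAME}"
+# https://github.com/radxa/armbian-compile-action/commit/82fe40188f2f3b4dbd4ae8fb9c64f49f117085c7
+sudo mkfs.btrfs -L buildlv -M -m single --force "${LV_NAME}"
+sudo mount -o defaults,noatime,compress=zstd:3,discard=sync "${LV_NAME}" "${GITHUB_WORKSPACE}"
+sudo chown -R "$WORKSPACE_OWNER" "${GITHUB_WORKSPACE}"
+# Create bootc image
+- name: Checkout codeZ
+uses: actions/checkout@v4
+
+- name: Get default branch name
+run: echo "DEFAULT_BRANCH=${{ github.event.repository.default_branch }}" >$GITHUB_ENV
+
+# Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
+# https://github.com/macbre/push-to-ghcr/issues/12
+- name: Lowercase Registry
+uses: ASzc/change-string-case-action@v6
+id: registry_case
+with:
+string: ${{ env.IMAGE_REGISTRY }}
+
+- name: Composite image name
+run: echo "IMAGE_NAME=${{ steps.registry_case.outputs.lowercase }}/${{ matrix.package }}" >$GITHUB_ENV
+
+# This is something the community works for quite a long time
+# but it likely will improve the efficiency of transfers;
+# this was made to workaround the fact that blue-build
+# does not yet support zstd:chunked and it depends
+# on bootc/rpm-ostree having implemented this.
+# No OS image must be pushed in this form,
+# except to non-productive image tags.
+#
+# Changetracker
+# https://fedoraproject.org/wiki/Changes/zstd:chunked
+# https://github.com/containers/storage/pull/775
+# Documentation
+# https://universal-blue.discourse.group/t/zst-chunked-faq/3462
+# Projectstuffz
+# https://github.com/blue-build/cli/issues/112
+# https://github.com/containers/bootc/issues/20
+# https://github.com/containers/bootc/issues/963
+- name: Tag latest as latest-zstchd
+id: pull
+run: |
+set -eux pipefail
+IMAGES=()
+podman login \
+--username ${{ env.REGISTRY_USER }} \
+--password ${{ env.REGISTRY_PASSWORD }} \
+${{ steps.registry_case.outputs.lowercase }}
+for tag in ${{ env.IMAGE_TAGS }}; do
+podman pull "${{ env.IMAGE_NAME }}:$tag"
+podman tag "${{ env.IMAGE_NAME }}:$tag" "${{ env.IMAGE_NAME }}:${tag}-zstchd"
+IMAGES+=("${{ env.IMAGE_NAME }}:${tag}-zstchd") # zstd:chunked
+done
+echo "ALL_TAGS=${IMAGES[@]}" >$GITHUB_ENV
+- name: Push To GHCR with Podman in zstd:chunked
+uses: redhat-actions/push-to-registry@v2
+id: push
+with:
+tags: ${{ env.ALL_TAGS }}
+username: ${{ env.REGISTRY_USER }}
+password: ${{ env.REGISTRY_PASSWORD }}
+extra-args: |
+--compression-format=zstd:chunked
+# Sign recompressed container image
+- name: Login to GitHub Container Registry
+uses: docker/login-action@v3
+with:
+registry: ghcr.io
+username: ${{ env.REGISTRY_USER }}
+password: ${{ env.REGISTRY_PASSWORD }}
+
+- uses: sigstore/[email protected]
+
+- name: Sign container image
+id: sign
+run: |
+echo "${{ env.COSIGN_PRIVATE_KEY }}" >cosign.key
+wc -c cosign.key
+cosign sign -y --key cosign.key ${{ env.IMAGE_NAME }}@${TAGS}
+env:
+COSIGN_EXPERIMENTAL: false
+COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
+TAGS: ${{ steps.push.outputs.digest }}
+
+- name: Echo outputs
+run: |
+echo "${{ toJSON(steps.pull.outputs) }}"
+echo "${{ toJSON(steps.push.outputs) }}"
+echo "${{ toJSON(steps.sign.outputs) }}"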
8 changes: 5 additions & 3 deletions .github/workflows/vulnerability-scan.yml
Expand Up @@ -2,12 +2,14 @@ name: vulnerability-scan
on:
schedule:
- cron:
"50 0,6,12,18 * * *" # build at {0,6,12,18}:55 UTC every day
# (50 minutes after custom image build was triggered, then every 6h)
"55 06 * * *" # build at 06:55 am UTC every day
# (50 minutes after custom image build was triggered)
push:
paths-ignore:
- '**/build-image.yml'
- '**/release-please.yml'
- '**/recompress-latest.yml'
- '**/composition-analysis.yml'
- "**.md"
- "**/.gitkeep"
- "build-isos"
Expand All @@ -22,9 +24,9 @@ jobs:
name: Scan Custom Image
runs-on: ubuntu-24.04
permissions:
security-events: write
contents: read
packages: read
security-events: write
strategy:
fail-fast: true
matrix:
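Review bot: The schedule change cuts the scan cadence from four runs a day (`"50 0,6,12,18 * * *"`) to one (`"55 06 * * *"`), so a CVE published after 06:55 UTC is not reported against the already-published image until the following day even though the vulnerability database updates continuously; if the goal is one scan per build, consider keeping a second daily slot, or triggering this workflow with `workflow_run` on the build workflow instead of a fixed time offset. The comment `# (50 minutes after custom image build was triggered)` depends on the build cron in build-image.yml, which is not in this diff — confirm it still lines up after the job rename there. The new `paths-ignore` entries mean a change to `recompress-latest.yml` no longer triggers a rescan, yet that workflow publishes a new `-zstchd` tag; the scan job body is outside the hunk, so whether that tag is covered at all cannot be checked here.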

