Check for validity of the cached expanded APK more thoroughly (#1987) #337
---
# Workflow that exercises the repository's example builds.
name: Test Examples

# Runs for pull requests targeting main, pushes to main, and manual dispatch.
# The trigger is `pull_request`, not `pull_request_target`, so the job runs
# against the PR's merge ref without the base repository's privileged context.
on:
  pull_request:
    branches:
      - main
  push:
    branches:
      - main
  workflow_dispatch:

# Workflow-wide default for the job token: read-only access to repository
# contents, nothing else.
permissions:
  contents: read
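jobs:
  # Builds the on_top_of_base example for each architecture and checks that
  # binaries in the resulting image still execute.
  test-on-top-of-base:
    name: Test on_top_of_base example (${{ matrix.arch }})
    runs-on: ubuntu-latest
    # Job token limited to read-only repository contents.
    permissions:
      contents: read
    strategy:
      # Let the other architecture finish even if one fails.
      fail-fast: false
      matrix:
        arch: [x86_64, aarch64]
    steps:
      # Third-party actions are pinned to full commit SHAs; the trailing
      # comment records the release each SHA corresponds to.
      - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          # `audit` records outbound connections but does not block them.
          # NOTE(review): once the endpoints this job needs are known, consider
          # `egress-policy: block` with an `allowed-endpoints` list.
          egress-policy: audit

      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # Keep the job token out of the checkout's git config so the build
          # and test scripts below cannot read it from the working tree.
          persist-credentials: false

      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
        with:
          go-version-file: 'go.mod'
          check-latest: true

      # QEMU lets the runner execute the non-native (aarch64) image.
      - name: Setup QEMU
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0

      # NOTE(review): crane is not invoked directly in this workflow;
      # presumably build.sh uses it - confirm, or drop the step.
      - name: Install crane
        uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4

      - name: Build apko
        run: make apko

      - name: Test on_top_of_base example - usr-merge base image handling
        env:
          # Matrix values are handed to the script as environment variables
          # instead of being templated into the shell source. The script text
          # stays constant, and a matrix entry added later can never be parsed
          # as shell syntax.
          MATRIX_ARCH: "${{ matrix.arch }}"
          TEST_PLATFORM: "linux/${{ matrix.arch == 'x86_64' && 'amd64' || 'arm64' }}"
        run: |
          set -euxo pipefail

          # Test with busybox base image (has usr-merge layout with /lib -> /usr/lib symlink)
          # This verifies that apko correctly handles building on top of base images with usr-merge layout
          # NOTE(review): ":latest" is a mutable tag, so the base image under
          # test can change between runs; pinning it by digest would make the
          # result reproducible and the input auditable.
          BASE_IMAGE="cgr.dev/chainguard/busybox:latest"
          OUTPUT_TAR="test-output-${MATRIX_ARCH}.tar"

          echo "Testing on_top_of_base example with ${MATRIX_ARCH} architecture..."

          # Build image on top of base using the parameterized build.sh script
          ./examples/on_top_of_base/build.sh \
            ./apko \
            "$BASE_IMAGE" \
            "$OUTPUT_TAR" \
            "$MATRIX_ARCH"

          # Load the built image
          docker load -i "$OUTPUT_TAR"

          # Determine the correct image tag based on architecture
          if [ "$MATRIX_ARCH" = "x86_64" ]; then
            IMAGE_TAG="base_image:latest-amd64"
          else
            IMAGE_TAG="base_image:latest-arm64"
          fi

          # Test that shell works (verifies /lib symlink is preserved correctly)
          echo "Testing shell execution on ${MATRIX_ARCH}..."
          if docker run --rm --platform "$TEST_PLATFORM" \
            --entrypoint /bin/sh "$IMAGE_TAG" \
            -c "echo 'Shell works on ${MATRIX_ARCH}'" | grep -q "Shell works"; then
            echo "Shell executes correctly on ${MATRIX_ARCH}"
          else
            echo "FAILED: Shell failed to execute on ${MATRIX_ARCH} (indicates broken /lib symlink)"
            exit 1
          fi

          # Test another binary to be thorough
          echo "Testing busybox execution on ${MATRIX_ARCH}..."
          if docker run --rm --platform "$TEST_PLATFORM" \
            --entrypoint /bin/busybox "$IMAGE_TAG" echo "Busybox works" | grep -q "Busybox works"; then
            echo "Busybox executes correctly on ${MATRIX_ARCH}"
          else
            echo "FAILED: Busybox failed to execute on ${MATRIX_ARCH}"
            exit 1
          fi

          echo "PASSED: on_top_of_base example test for ${MATRIX_ARCH}"

      # Runs even when an earlier step failed, so images and build outputs do
      # not linger on the runner.
      - name: Clean up
        if: always()
        run: |
          # Clean up docker images; a missing image is not an error here
          docker rmi base_image:latest-amd64 2>/dev/null || true
          docker rmi base_image:latest-arm64 2>/dev/null || true
          # Clean up build artifacts (brace expansion relies on the bash shell)
          rm -rf ./examples/on_top_of_base/{base_image,apkindexes,fs_dump,top_image,*.lock.json,*.tar}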