build(deps): bump actions/checkout from 6.0.1 to 6.0.2 #4059
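name: Build Images

on:
  pull_request:
    branches: [ "main" ]
  push:
    branches: [ "main" ]
  workflow_dispatch:

# No workflow-level token permissions; every job below requests only contents: read.
permissions: {}

jobs:
  # Build a single-arch nginx image for each arch, then check that each emitted
  # SPDX SBOM passes the spdx-tools-java verifier.
  build-nginx-on-all-arches:
    name: build-nginx-all-arches
    runs-on: ubuntu-latest
    permissions:
      contents: read
    strategy:
      fail-fast: false
      matrix:
        arch: [x86_64, aarch64]
    steps:
      - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          # audit records outbound connections from the runner without blocking them.
          egress-policy: audit
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
          go-version-file: 'go.mod'
          check-latest: true
      - name: Setup QEMU
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
      - run: |
          make apko
          ./apko build ./examples/nginx.yaml nginx:build /tmp/nginx-${{ matrix.arch }}.tar --arch ${{ matrix.arch }}
      - name: Check SBOM Conformance
        run: |
          set -euxo pipefail
          # Collect the SBOMs with a glob instead of parsing ls; nullglob makes an
          # empty match expand to an empty array rather than the literal pattern.
          shopt -s nullglob
          sboms=(*.spdx.json)
          if [ "${#sboms[@]}" -eq 0 ]; then
            echo "no SBOMs found!"
            exit 1
          fi
          for f in "${sboms[@]}"; do
            echo ::group::sbom.json
            cat -- "$f"
            echo ::endgroup::
            # Mount the SBOM read from the workspace at the same name inside the container and verify it.
            docker run --rm -v "$(pwd)/$f:/$f" --entrypoint "sh" cgr.dev/chainguard/wolfi-base -c "apk add spdx-tools-java && tools-java Verify /$f"
          done

  # Build every example config on Linux and macOS. A build.sh next to a config
  # takes over the build; otherwise the config is built online and then --offline.
  build-all-examples-one-arch:
    name: build-all-examples-amd64
    permissions:
      contents: read
    strategy:
      fail-fast: false
      matrix:
        platform: [ubuntu-latest, macos-latest]
    runs-on: ${{ matrix.platform }}
    steps:
      - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          egress-policy: audit
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
          go-version-file: 'go.mod'
          check-latest: true
      - uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4
      - run: |
          make apko
          # Read NUL-delimited paths from find so a path containing whitespace is
          # not word-split (this also runs on macOS bash 3.2, which lacks mapfile).
          while IFS= read -r -d '' cfg; do
            name=$(basename "${cfg}" .yaml)
            echo "Building ${name}..."
            build_script=$(dirname "${cfg}")/build.sh
            if [ -f "${build_script}" ]; then
              "${build_script}" ./apko
            else
              ./apko build "${cfg}" "${name}:build" "/tmp/${name}.tar"
              ./apko build --offline "${cfg}" "${name}:build" "/tmp/${name}.tar"
            fi
          done < <(find ./examples/ -name '*.yaml' -print0)

  # Reproducibility check: with SOURCE_DATE_EPOCH pinned to 0, publishing the
  # wolfi-base example ten times must print the same reference every time.
  build-wolfi-source-date-epoch:
    name: source-date-epoch
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          egress-policy: audit
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
          go-version-file: 'go.mod'
          check-latest: true
      - uses: chainguard-dev/actions/setup-registry@f77a7c3431f961556be5a41e2602c450a590f3e5 # v1.5.12
        with:
          port: 5000
      - name: build image (w/ source date epoch)
        env:
          SOURCE_DATE_EPOCH: "0"
        run: |
          make apko
          # FIRST is whatever `apko publish` prints on stdout; stderr is discarded,
          # but a failing publish still fails the step through the shell's -e.
          FIRST=$(./apko publish ./examples/wolfi-base.yaml localhost:5000/wolfi --arch x86_64,aarch64 2> /dev/null)
          for idx in {2..10}; do
            NEXT=$(./apko publish ./examples/wolfi-base.yaml localhost:5000/wolfi --arch x86_64,aarch64 2> /dev/null)
            if [ "${FIRST}" = "${NEXT}" ]; then
              echo "Build ${idx} matches."
            else
              echo "Build ${idx} differs: ${FIRST} and ${NEXT}"
              exit 1
            fi
          done

  # Same reproducibility check without SOURCE_DATE_EPOCH: the image timestamp is
  # then derived from the resolved APKs, so repeated publishes must still agree.
  build-wolfi-build-date-epoch:
    name: build-date-epoch
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          egress-policy: audit
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
          go-version-file: 'go.mod'
          check-latest: true
      - uses: chainguard-dev/actions/setup-registry@f77a7c3431f961556be5a41e2602c450a590f3e5 # v1.5.12
        with:
          port: 5000
      - name: build image (w/ build date epoch)
        run: |
          make apko
          # Without SOURCE_DATE_EPOCH set, the timestamp of the image will be computed to be
          # the maximum build date of the resolved APKs.
          FIRST=$(./apko publish ./examples/wolfi-base.yaml localhost:5000/wolfi --arch x86_64,aarch64 2> /dev/null)
          for idx in {2..10}; do
            NEXT=$(./apko publish ./examples/wolfi-base.yaml localhost:5000/wolfi --arch x86_64,aarch64 2> /dev/null)
            if [ "${FIRST}" = "${NEXT}" ]; then
              echo "Build ${idx} matches."
            else
              echo "Build ${idx} differs: ${FIRST} and ${NEXT}"
              exit 1
            fi
          done

  # Publish the nginx example to a local registry and assert that the index
  # annotation, the per-image annotation and the per-image config label all carry the
  # expected value.
  annotations:
    name: annotations
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          egress-policy: audit
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
          go-version-file: 'go.mod'
          check-latest: true
      - uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4
      - uses: chainguard-dev/actions/setup-registry@f77a7c3431f961556be5a41e2602c450a590f3e5 # v1.5.12
        with:
          port: 5000
      - run: |
          make apko
          # Build image with annotations.
          ref=$(./apko publish ./examples/nginx.yaml localhost:5000/nginx --arch x86_64,aarch64)
          # Check index annotations. Each grep fails the step (via -e) when "bar" is absent.
          crane manifest "$ref" | jq -r '.annotations.foo' | grep bar
          # Check per-image annotations.
          crane manifest --platform=linux/arm64 "$ref" | jq -r '.annotations.foo' | grep bar
          # Check per-image config labels.
          crane config --platform=linux/arm64 "$ref" | jq -r '.config.Labels' | grep bar

  # Build the certificates example and check that the additional certificates land
  # in both the CA bundle and the Java truststore, and that running
  # update-ca-certificates leaves both stores semantically unchanged.
  certificates:
    name: certificates
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          egress-policy: audit
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
          go-version-file: 'go.mod'
          check-latest: true
      - name: test additional certificates
        run: |
          set -euo pipefail
          # Gets all certificate fingerprints from a PEM stream, sorted, so two outputs can
          # be semantically compared.
          # Input: PEM text on stdin. Output: one "SHA256 Fingerprint=..." line per cert, sorted.
          get_fingerprints() {
            local cert=""
            local line
            while IFS= read -r line; do
              case "$line" in
                "-----BEGIN CERTIFICATE-----")
                  cert="$line"$'\n' ;;
                "-----END CERTIFICATE-----")
                  cert+="$line"
                  # openssl's diagnostics are dropped; with -e and pipefail a cert that
                  # fails to parse still fails the function, it is just not explained.
                  echo "$cert" | openssl x509 -noout -fingerprint -sha256 2>/dev/null
                  cert="" ;;
                *)
                  # Only accumulate lines while inside a BEGIN/END block; `|| true` keeps
                  # the false branch of && from tripping -e.
                  [[ -n "$cert" ]] && cert+="$line"$'\n' || true ;;
              esac
            done | sort
          }
          # Verifies that fingerprints file contains at least N certs and the two additional test certs.
          # Arguments: $1 fingerprints file, $2 minimum line count, $3 human-readable store name.
          # Exits 1 when the count is too low; grep's non-zero status fails the step when a fingerprint is missing.
          verify_fingerprints() {
            local file="$1"
            local min_count="$2"
            local name="$3"
            local count
            # Assign separately from `local` so a failing wc is not masked by local's own exit status.
            count=$(wc -l < "$file")
            if [ "$count" -lt "$min_count" ]; then
              echo "Expected at least $min_count certificates in $name, found $count"
              exit 1
            fi
            # -F: the fingerprints are literal strings, not patterns.
            grep -F "E7:05:70:A9:89:F8:56:5A:AB:DF:7C:AE:27:AB:D1:62:18:72:D6:A3:F8:11:E3:FE:F2:7E:3D:BA:02:91:21:98" "$file"
            grep -F "9B:2A:33:9F:E6:A3:E8:55:85:C4:CD:75:53:6C:B8:C1:CF:7C:D6:03:B9:A6:4B:EC:25:21:85:8A:E4:8D:A8:5D" "$file"
            echo "$name contains the additional certificates."
          }
          make apko
          # Build the certificates image.
          ./apko build ./examples/certificates.yaml certificates:build /tmp/certificates.tar --arch amd64
          docker load < /tmp/certificates.tar
          # Get fingerprints from CA bundle and Java truststore before update-ca-certificates.
          # The whole command is passed as one argument; this relies on the image's entrypoint running it as a shell command.
          docker run --rm certificates:build-amd64 "cat /etc/ssl/certs/ca-certificates.crt" | get_fingerprints > /tmp/ca-bundle-fingerprints.txt
          docker run --rm certificates:build-amd64 "trust extract --filter=ca-anchors --purpose=server-auth --format=pem-bundle /tmp/certs.pem && cat /tmp/certs.pem" | get_fingerprints > /tmp/java-truststore-fingerprints.txt
          # Verify both stores contain base certs and the additional certificates.
          verify_fingerprints /tmp/ca-bundle-fingerprints.txt 10 "CA bundle"
          verify_fingerprints /tmp/java-truststore-fingerprints.txt 10 "Java truststore"
          # Run update-ca-certificates and get fingerprints from both stores after.
          docker run --rm certificates:build-amd64 "apk add ca-certificates && update-ca-certificates && cat /etc/ssl/certs/ca-certificates.crt" | get_fingerprints > /tmp/ca-bundle-updated-fingerprints.txt
          docker run --rm certificates:build-amd64 "apk add ca-certificates && update-ca-certificates && trust extract --filter=ca-anchors --purpose=server-auth --format=pem-bundle /tmp/certs.pem && cat /tmp/certs.pem" | get_fingerprints > /tmp/java-truststore-updated-fingerprints.txt
          # Verify that the stores are semantically identical before and after update-ca-certificates.
          diff /tmp/ca-bundle-fingerprints.txt /tmp/ca-bundle-updated-fingerprints.txt
          echo "CA bundles before and after update-ca-certificates are identical."
          diff /tmp/java-truststore-fingerprints.txt /tmp/java-truststore-updated-fingerprints.txt
          echo "Java truststores before and after update-ca-certificates are identical."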