Skip to content

Merge pull request #1593 from kranurag7/kr/fix-cargo-build-opts #2752

Merge pull request #1593 from kranurag7/kr/fix-cargo-build-opts

Merge pull request #1593 from kranurag7/kr/fix-cargo-build-opts #2752

name: ci
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
jobs:
build-melange:
name: Build melange and add to artifact cache
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version-file: './go.mod'
check-latest: true
- name: build
run: |
make melange
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: melange-${{ github.run_id }}
path: ${{ github.workspace }}/melange
retention-days: 1
build-packages:
name: Build packages
needs:
- build-melange
# TODO: Set up a larger runner for this.
runs-on: ubuntu-latest
permissions:
contents: read
# This is a list of packages which covers basic and exotic uses of
# the built-in pipelines. Goal is to balance efficiency while also
# exercising Melange with real-world package builds.
# Feel free to add additional packages to this matrix which exercise
# Melange in new ways (e.g. new pipelines, etc.)
strategy:
fail-fast: false
matrix:
runner:
- bubblewrap
- qemu
package:
- hello-wolfi
- glibc
- tini
- lzo
- bubblewrap
# - gdk-pixbuf # Looks like this is broken again, see: https://gitlab.gnome.org/GNOME/gobject-introspection/-/issues/515
- gitsign
- guac
- mdbook
- s3cmd
- perl-yaml-syck
- ncurses
# TODO: https://github.com/wolfi-dev/os/issues/26442
#- xmlto
steps:
- uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
repository: wolfi-dev/os
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: melange-${{ github.run_id }}
path: ${{ github.workspace }}/.melange-dir
run-id: ${{ github.run_id }}
- run: |
sudo mv ${{ github.workspace }}/.melange-dir/melange /usr/bin/melange
sudo chmod a+x /usr/bin/melange
melange version
- if: matrix.runner == 'bubblewrap'
run: |
sudo apt-get -y install bubblewrap
- if: matrix.runner == 'bubblewrap'
run: |
make SHELL="/bin/bash" MELANGE="sudo melange" package/${{ matrix.package }}
- name: Download kernel for VMs
if: matrix.runner == 'qemu'
run: |
KERNEL_PKG="$(curl -sL https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz | tar -Oxz APKINDEX | awk -F':' '$1 == "P" {printf "%s-", $2} $1 == "V" {printf "%s.apk\n", $2}' | grep "linux-virt" | grep -v dev)"
curl -LSo linux-virt.apk "https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/$KERNEL_PKG"
mkdir -p /tmp/kernel
tar -xf ./linux-virt.apk -C /tmp/kernel/
- name: Install QEMU/KVM
if: matrix.runner == 'qemu'
run: |
sudo apt-get update
sudo apt-get -y install qemu-system qemu-kvm
- name: Enable KVM group perms
if: matrix.runner == 'qemu'
run: |
echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
sudo udevadm control --reload-rules
sudo udevadm trigger --name-match=kvm
- name: Make package ${{matrix.package}} with QEMU Runner
if: matrix.runner == 'qemu'
run: |
make \
SHELL="/bin/bash" \
QEMU_KERNEL_IMAGE=/tmp/kernel/boot/vmlinuz-virt \
QEMU_KERNEL_MODULES=/tmp/kernel/lib/modules/ \
MELANGE="/usr/bin/melange" \
MELANGE_EXTRA_OPTS="--runner qemu" \
package/${{ matrix.package }}
- name: "Retrieve Wolfi advisory data"
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
repository: "wolfi-dev/advisories"
path: "data/wolfi-advisories"
# this need to point to main to always get the latest action
- uses: wolfi-dev/actions/install-wolfictl@main # main
- name: Test installable and Scan for CVEs
run: |
docker run --rm -v $(pwd):/work --workdir /work cgr.dev/chainguard/wolfi-base apk add --allow-untrusted packages/x86_64/${{ matrix.package }}-*.apk
# There is a huge fixed cost for every wolfictl scan invocation for grype DB init.
# Do this outside of the loop in one invocation with every package.
wolfictl scan \
--advisories-repo-dir 'data/wolfi-advisories' \
--advisory-filter 'resolved' \
--require-zero \
packages/x86_64/${{ matrix.package }}-*.apk \
2> /dev/null # The error message renders strangely on GitHub Actions, and the important information is already being sent to stdout.