Skip to content

Merge pull request #1628 from smoser/fix/bwrap-user-ns-better-error #4416

Merge pull request #1628 from smoser/fix/bwrap-user-ns-better-error

Merge pull request #1628 from smoser/fix/bwrap-user-ns-better-error #4416

Workflow file for this run

name: e2e melange bootstrap + build
on:
push:
branches: ["main"]
pull_request:
branches: ["main"]
env:
SOURCE_DATE_EPOCH: 1669683910
jobs:
examples:
name: build examples
runs-on: ubuntu-latest
permissions:
contents: read
strategy:
fail-fast: false
matrix:
example:
- git-checkout.yaml
- gnu-hello.yaml
- mbedtls.yaml
- minimal.yaml
- sshfs.yaml
steps:
- uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version-file: "go.mod"
- name: Build package
run: |
sudo apt-get update -y
sudo apt-get install -y bubblewrap
make melange
./melange keygen
./melange build --pipeline-dir=pipelines examples/${{matrix.example}} --arch=x86_64 --empty-workspace
- name: Check SBOM Conformance
run: |
set -euxo pipefail
for f in packages/x86_64/*.apk; do
tar -Oxf "$f" var/lib/db/sbom > sbom.json
echo ::group::sbom.json
cat sbom.json
echo ::endgroup::
docker run --rm -v $(pwd)/sbom.json:/sbom.json cgr.dev/chainguard/ntia-conformance-checker --file /sbom.json
# TODO: Make this an image.
docker run --rm -v $(pwd)/sbom.json:/sbom.json --entrypoint "sh" cgr.dev/chainguard/wolfi-base -c "apk add spdx-tools-java && tools-java Verify /sbom.json"
done
bootstrap:
name: bootstrap package
runs-on: ubuntu-latest
permissions:
contents: read
container:
image: alpine:latest
options: |
--cap-add NET_ADMIN --cap-add SYS_ADMIN --security-opt seccomp=unconfined --security-opt apparmor:unconfined
steps:
- name: Fetch dependencies
run: |
cat >/etc/apk/repositories <<_EOF_
https://dl-cdn.alpinelinux.org/alpine/edge/main
https://dl-cdn.alpinelinux.org/alpine/edge/community
https://dl-cdn.alpinelinux.org/alpine/edge/testing
_EOF_
apk upgrade -Ua
apk add go cosign build-base git bubblewrap
- uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version-file: "go.mod"
- name: Mark workspace as a safe repository
run: git config --global --add safe.directory ${GITHUB_WORKSPACE}
- name: Build bootstrap melange tool (stage1)
run: make melange
- name: Generate a package signing keypair
run: |
./melange keygen
mv melange.rsa.pub /etc/apk/keys
- name: Prepare build workspace for stage2
run: |
git clone . workspace-stage2/x86_64
- name: Build stage2 melange package with bootstrap melange
run: ./melange build --pipeline-dir=pipelines/ --signing-key=melange.rsa --arch x86_64 --workspace-dir ${{github.workspace}}/workspace-stage2/
- name: Install stage2 melange package
run: apk add ./packages/x86_64/melange-*.apk
- name: Move stage2 artifacts to stage2 directory
run: |
mv packages stage2
- name: Verify operation of stage2 melange
run: melange version
- name: Prepare build workspace for stage3
run: |
git clone . workspace-stage3/x86_64
- name: Build stage3 melange package with stage2 melange
run: melange build --signing-key=melange.rsa --arch x86_64 --workspace-dir ${{github.workspace}}/workspace-stage3/
- name: Install stage3 melange package
run: apk add ./packages/x86_64/melange-*.apk
- name: Move stage3 artifacts to stage3 directory
run: |
mv packages stage3
- name: Ensure melange package is reproducible
run: |
sha256sum stage2/x86_64/*.apk | sed -e 's:stage2/:stage3/:g' | sha256sum -c
- name: Verify operation of stage3 melange
run: melange version