
build(deps): bump gitlab.alpinelinux.org/alpine/go from 0.10.0 to 0.10.1 #1800


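name: ci

on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]

jobs:
  build-melange:
    name: Build melange and add to artifact cache
    runs-on: ubuntu-latest
    # Least privilege: this job only reads the repository and never pushes.
    permissions:
      contents: read
    steps:
      # Third-party actions are pinned to full commit SHAs (the human-readable
      # version is in the trailing comment) so a moved tag cannot change the
      # code that runs here.
      - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
        with:
          # "audit" records outbound connections but does not block them.
          egress-policy: audit
      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
        with:
          # Quoted so the version is read as a string, never as a float.
          go-version: "1.21"
          check-latest: true
      - name: build
        run: |
          make melange
      - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        with:
          # The artifact name carries the run id; build-packages downloads it
          # under the same name.
          name: melange-${{ github.run_id }}
          path: ${{ github.workspace }}/melange
          retention-days: 1

  build-packages:
    name: Build packages
    needs:
      - build-melange
    # TODO: Set up a larger runner for this.
    runs-on: ubuntu-latest
    permissions:
      contents: read
    # This is a list of packages which covers basic and exotic uses of
    # the built-in pipelines. Goal is to balance efficiency while also
    # exercising Melange with real-world package builds.
    # Feel free to add additional packages to this matrix which exercise
    # Melange in new ways (e.g. new pipelines, etc.)
    strategy:
      fail-fast: false
      matrix:
        package:
          - hello-wolfi
          - glibc
          - tini
          - lzo
          - bubblewrap
          - gdk-pixbuf
          - gitsign
          - guac
          - mdbook
          - s3cmd
          - perl-yaml-syck
          - xmlto
          - ncurses
    steps:
      - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
        with:
          # "audit" records outbound connections but does not block them.
          egress-policy: audit
      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
        with:
          repository: wolfi-dev/os
          # The package builds below run third-party build recipes under sudo.
          # Do not leave the workflow token in .git/config where they can read
          # it; nothing in this job pushes, so it is not needed after checkout.
          persist-credentials: false
      - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
        with:
          name: melange-${{ github.run_id }}
          path: ${{ github.workspace }}/.melange-dir
          run-id: ${{ github.run_id }}
      - name: Install the melange binary built in the previous job
        run: |
          sudo mv "${{ github.workspace }}/.melange-dir/melange" /usr/bin/melange
          sudo chmod a+x /usr/bin/melange
          melange version
      - name: Install bubblewrap (sandbox runner used by melange)
        run: |
          sudo apt-get -y install bubblewrap
      - name: Build the package from the wolfi-dev/os tree
        run: |
          make SHELL="/bin/bash" MELANGE="sudo melange" package/${{ matrix.package }}
      - name: "Retrieve Wolfi advisory data"
        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
        with:
          repository: "wolfi-dev/advisories"
          path: "data/wolfi-advisories"
          # Read-only data; no later step needs the token.
          persist-credentials: false
      # Deliberately unpinned: this needs to point to main to always get the
      # latest action. Unlike the SHA-pinned steps above, whatever is on main
      # at run time is executed here, so treat changes to that repository as
      # changes to this workflow.
      - uses: wolfi-dev/actions/install-wolfictl@main # main
      - name: Test installable and Scan for CVEs
        run: |
          for f in packages/x86_64/${{ matrix.package }}-*.apk; do
            # --allow-untrusted is required because the locally built apk is
            # unsigned; it skips signature verification for this install only.
            docker run --rm -v "$(pwd):/work" cgr.dev/chainguard/wolfi-base apk add --allow-untrusted "/work/$f"
            # --require-zero makes the scan exit non-zero on an unresolved
            # finding, which fails the step. stderr is discarded because the
            # error message renders strangely on GitHub Actions and the
            # important information is already sent to stdout; if the scan
            # fails for a reason other than findings, re-run without the
            # redirect to see why.
            wolfictl scan \
              --advisories-repo-dir 'data/wolfi-advisories' \
              --advisory-filter 'resolved' \
              --require-zero \
              "$f" \
              2> /dev/null
          done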