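# End-to-end workflow for melange: builds the example packages with a
# freshly built melange, checks the SBOM each package carries, builds one
# example through the kubernetes runner, and bootstraps melange through
# three stages so the stage2 and stage3 packages can be compared for
# reproducibility.
name: e2e melange bootstrap + build

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - 'main'
  pull_request:

# Least privilege for the workflow token: the jobs only read the
# repository (actions/checkout); nothing below writes back to GitHub.
permissions:
  contents: read

env:
  # Fixed build timestamp (reproducible-builds convention) so the bootstrap
  # job can compare stage2 and stage3 artifacts byte for byte.
  SOURCE_DATE_EPOCH: 1669683910

jobs:
  examples:
    name: build examples
    runs-on: ubuntu-latest
    strategy:
      # Let every example finish so one failing build does not hide the others.
      fail-fast: false
      matrix:
        example:
          - git-checkout.yaml
          - gnu-hello.yaml
          - mbedtls.yaml
          - minimal.yaml
          - sshfs.yaml
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      # Pinned to the same commit the runner-kubernetes job uses, instead of
      # the mutable `v5` tag, so every job resolves identical action code.
      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
        with:
          go-version-file: 'go.mod'
      - name: Build package
        run: |
          sudo apt-get update -y
          sudo apt-get install -y bubblewrap
          make melange
          ./melange keygen
          ./melange build --pipeline-dir=pipelines examples/${{matrix.example}} --arch=x86_64 --empty-workspace
      - name: Check SBOM Conformance
        run: |
          set -euxo pipefail
          for f in packages/x86_64/*.apk; do
            tar -Oxf "$f" var/lib/db/sbom > sbom.json
            echo ::group::sbom.json
            cat sbom.json
            echo ::endgroup::
            # Mount spec is quoted so a workspace path containing spaces still
            # produces one argument. The checker image has no tag or digest
            # (implicit :latest); pin it if results need to be stable over time.
            docker run --rm -v "$(pwd)/sbom.json:/sbom.json" cgr.dev/chainguard/ntia-conformance-checker --file /sbom.json
          done

  runner-kubernetes:
    name: build example on kubernetes
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
        with:
          # NOTE(review): the examples job reads the Go version from go.mod;
          # this literal can drift from it and should probably be unified.
          go-version: '1.21'
          check-latest: true
      - name: Setup melange
        run: |
          make melange
          ./melange keygen local-melange.rsa
      - name: Setup Cluster
        # `@main` is a mutable ref, so the action code this job runs can
        # change between runs; pin it to a commit SHA like the actions above
        # once a known-good revision is chosen.
        uses: chainguard-dev/actions/setup-kind@main
        with:
          k8s-version: v1.26.x
          registry-authority: registry.local:5000
      - name: Configure
        run: |
          cat > .melange.k8s.yaml <<EOF
          provider: generic
          # Need something small enough for CI to handle
          resources:
            cpu: 0.5
            memory: 1Gi
          EOF
      - name: Build
        run: |
          # Pick an example that requires mounting to flex kontext.Bundle()
          ./melange build --signing-key local-melange.rsa examples/simple-hello/melange.yaml --source-dir="examples/simple-hello" --workspace-dir="examples/simple-hello" --arch=x86_64 --runner kubernetes

  bootstrap:
    name: bootstrap package
    runs-on: ubuntu-latest
    container:
      # `latest` is a mutable tag: the whole bootstrap chain runs on whatever
      # alpine publishes at run time.
      image: alpine:latest
      # Added capabilities plus disabled seccomp/apparmor confinement,
      # presumably so bubblewrap (installed in the first step) can create its
      # sandboxes inside the job container. This container is far less
      # isolated than a default one; keep the option set limited to this job.
      options: >-
        --cap-add NET_ADMIN --cap-add SYS_ADMIN --security-opt seccomp=unconfined --security-opt apparmor:unconfined
    steps:
      - name: Fetch dependencies
        run: |
          cat >/etc/apk/repositories <<_EOF_
          https://dl-cdn.alpinelinux.org/alpine/edge/main
          https://dl-cdn.alpinelinux.org/alpine/edge/community
          https://dl-cdn.alpinelinux.org/alpine/edge/testing
          _EOF_
          apk upgrade -Ua
          apk add go cosign build-base git bubblewrap
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Mark workspace as a safe repository
        # git refuses to operate on a checkout owned by another user, which
        # is presumably what the container checkout trips; allow-list it.
        run: git config --global --add safe.directory "${GITHUB_WORKSPACE}"
      - name: Build bootstrap melange tool (stage1)
        run: make melange
      - name: Generate a package signing keypair
        run: |
          ./melange keygen
          # Trust the freshly generated public key so the `apk add` steps
          # below accept the stage2 and stage3 packages signed with it.
          mv melange.rsa.pub /etc/apk/keys
      - name: Prepare build workspace for stage2
        run: git clone . workspace-stage2/x86_64
      - name: Build stage2 melange package with bootstrap melange
        run: ./melange build --pipeline-dir=pipelines/ --signing-key=melange.rsa --arch x86_64 --workspace-dir ${{github.workspace}}/workspace-stage2/
      - name: Install stage2 melange package
        run: apk add ./packages/x86_64/melange-*.apk
      - name: Move stage2 artifacts to stage2 directory
        run: mv packages stage2
      - name: Verify operation of stage2 melange
        run: melange version
      - name: Prepare build workspace for stage3
        run: git clone . workspace-stage3/x86_64
      - name: Build stage3 melange package with stage2 melange
        run: melange build --signing-key=melange.rsa --arch x86_64 --workspace-dir ${{github.workspace}}/workspace-stage3/
      - name: Install stage3 melange package
        run: apk add ./packages/x86_64/melange-*.apk
      - name: Move stage3 artifacts to stage3 directory
        run: mv packages stage3
      - name: Ensure melange package is reproducible
        # Rewrites the stage2 checksum list to point at the stage3 files and
        # verifies it: the same source built by two different melange
        # binaries must yield bit-identical .apk files.
        run: |
          sha256sum stage2/x86_64/*.apk | sed -e 's:stage2/:stage3/:g' | sha256sum -c
      - name: Verify operation of stage3 melange
        run: melange version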