CI: Update container scanning to account for the arm64 architecture.

freedomofpress · Oct 17, 2024 · b239503 · b239503
1 parent a95b612
commit b239503
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 6 deletions.
diff --git a/.github/workflows/scan_released.yml b/.github/workflows/scan_released.yml
@@ -6,14 +6,21 @@ on:
 
 jobs:
  security-scan-container:
- runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ include:
+ - runs-on: ubuntu-latest
+ arch: i686
+ - runs-on: macos-latest
+ arch: arm64
+ runs-on: ${{ matrix.runs-on }}
  steps:
  - name: Checkout
  uses: actions/checkout@v4
  - name: Download container image for the latest release
  run: |
  VERSION=$(curl https://api.github.com/repos/freedomofpress/dangerzone/releases/latest | jq -r '.tag_name')
- wget https://github.com/freedomofpress/dangerzone/releases/download/${VERSION}/container.tar.gz
+ wget https://github.com/freedomofpress/dangerzone/releases/download/${VERSION}/container.${{ matrix.arch }}.tar.gz -O container.tar.gz
  - name: Load container image
  run: docker load -i container.tar.gz
  # NOTE: Scan first without failing, else we won't be able to read the scan
@@ -30,7 +37,7 @@ jobs:
  uses: github/codeql-action/upload-sarif@v3
  with:
  sarif_file: ${{ steps.scan_container.outputs.sarif }}
- category: container
+ category: container-${{ matrix.arch }}
  - name: Inspect container scan report
  run: cat ${{ steps.scan_container.outputs.sarif }}
  - name: Scan container image

diff --git a/RELEASE.md b/RELEASE.md
@@ -397,12 +397,14 @@ or create your own locally with:
 cd dangerzone
 ```
 
-Build the latest container:
+Build the latest container, on both architectures:
 
 ```sh
 python3 ./install/common/build-image.py
 ```
 
+Rename the container images to `dangerzone.i686.tar.gz` and `dangerzone.arm64.tar.gz`.
+
 Create a .rpm:
 
 ```sh
@@ -449,9 +451,9 @@ To publish the release:
  * Copy the release notes text from the template at [`docs/templates/release-notes`](https://github.com/freedomofpress/dangerzone/tree/main/docs/templates/)
  * You can use `./dev_scripts/upload-asset.py`, if you want to upload an asset
  using an access token.
-- [ ] Upload the `container.tar.gz` i686 image that was created in the previous step
+- [ ] Upload the `container.i686.tar.gz` and `container.arm64.tar.gz` images that were created in the previous step
 
- **Important:** Make sure that it's the same container image as the ones that
+ **Important:** Make sure that it's the same container images as the ones that
  are shipped in other platforms (see our [Pre-release](#Pre-release) section)
 
 - [ ] Upload the detached signatures (.asc) and checksum file.