
ci: refactor pr workflow #31


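# Pull-request CI: detect which parts of the repository changed, build the base
# image once, then fan out into a vulnerability scan and a bootc
# install-to-disk test that both consume the exported OCI archive.
name: Pull Request

on:
  pull_request:
    branches:
      - main
      - v[0-9]+

# Least-privilege token for every job: nothing in this workflow pushes,
# publishes or comments. `contents: read` is what actions/checkout needs;
# `pull-requests: read` is what dorny/paths-filter needs on pull_request events
# to list the PR's changed files through the API.
permissions:
  contents: read
  pull-requests: read

jobs:
  check-changes:
    name: Check changes since last commit
    runs-on: ubuntu-24.04
    outputs:
      # Both outputs are the 'true'/'false' strings paths-filter emits for the
      # filters of the same name in ./.github/paths-filter.yml.
      image: ${{ steps.changes.outputs.image }}
      builder: ${{ steps.changes.outputs.builder }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
      - name: Check changes
        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
        id: changes
        with:
          filters: ./.github/paths-filter.yml

  build:
    name: Build base image
    needs: check-changes
    # Skip the expensive build when neither the image nor the builder changed.
    if: ${{ needs.check-changes.outputs.image == 'true' || needs.check-changes.outputs.builder == 'true' }}
    outputs:
      # Consumed by the scan and test jobs: the image reference inside
      # containers-storage and the file name of the exported OCI archive.
      local-image: ${{ steps.export.outputs.local-image }}
      oci-archive: ${{ steps.export.outputs.oci-archive }}
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout repository
        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
        with:
          submodules: 'true'
      - name: Build image
        id: build
        uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13
        with:
          image: almalinux-pr
          tags: ${{ github.sha }}
          containerfiles: |
            Dockerfile
          oci: 'true'
          # The build container runs with SELinux labelling disabled, every
          # capability and /dev/fuse, and it executes PR-supplied Dockerfile
          # content. That is tolerable only because the pull_request token is
          # read-only and the runner is ephemeral. Presumably the Dockerfile's
          # build steps need fuse/extra caps — confirm whether a narrower
          # capability set would do.
          extra-args: |
            --security-opt=label=disable
            --cap-add=all
            --device /dev/fuse
          labels: |
            org.opencontainers.image.revision=${{ github.sha }}
      - name: Export image as oci archive
        id: export
        # The interpolated values come from the build step (a fixed image name
        # and github.sha), not from PR-controlled data, so they cannot inject
        # into the shell; they are still quoted as a matter of course.
        run: |
          #!/bin/bash
          set -xeo pipefail
          local_image="localhost/${{ steps.build.outputs.image-with-tag }}"
          oci_archive="${{ steps.build.outputs.image }}-${{ steps.build.outputs.tags }}.tar"
          podman save --output "$oci_archive" --format oci-archive "$local_image"
          echo "local-image=$local_image" >> "$GITHUB_OUTPUT"
          echo "oci-archive=$oci_archive" >> "$GITHUB_OUTPUT"
      - name: Upload oci archive
        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        with:
          name: ${{ steps.export.outputs.oci-archive }}
          path: ${{ steps.export.outputs.oci-archive }}
          # The archive only has to outlive the downstream jobs of this run.
          retention-days: 1
          compression-level: 0 # oci-archive is already compressed

  scan:
    name: Vulnerability scan
    runs-on: ubuntu-24.04
    needs: build
    steps:
      - name: Checkout repository
        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
      - name: Download oci archive
        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
        with:
          name: ${{ needs.build.outputs.oci-archive }}
      - name: Scan image with Grype
        uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a # v3.6.4
        id: scan
        with:
          image: oci-archive:${{ needs.build.outputs.oci-archive }}
          # Block the PR on findings that have a fix available; findings
          # without a fix are reported but do not fail the job. The severity
          # cutoff is left at the action's default.
          fail-build: true
          output-format: table
          only-fixed: true
          grype-version: v0.78.0

  test-install-to-disk:
    name: Test install to disk
    needs: build
    runs-on: ubuntu-24.04
    steps:
      - name: Download oci archive
        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
        with:
          name: ${{ needs.build.outputs.oci-archive }}
      - name: Import oci archive into containers-storage
        # NOTE(review): `podman load` runs as the runner user, while the
        # install step below runs `sudo podman run` and bind-mounts root's
        # /var/lib/containers/storage — confirm the loaded image is visible to
        # rootful podman (otherwise this should be `sudo podman load`).
        run: >-
          podman load --input ${{ needs.build.outputs.oci-archive }} &&
          sudo rm ${{ needs.build.outputs.oci-archive }}
      - name: Prepare disk file
        # Sparse 5G file that serves as the install target.
        run: truncate -s5G disk.img
      - name: Test bootc install to disk
        # Runs the freshly built image privileged with the host PID namespace
        # and an unconfined label — presumably required for bootc to drive a
        # loopback device over /workdir/disk.img. The host containers-storage
        # is bind-mounted so the source image is reachable from inside the
        # container (assumed; confirm against bootc's install-to-disk docs).
        run: >-
          sudo podman run
          --rm --pid host --privileged --security-opt label=type:unconfined_t
          -v ./:/workdir -v /var/lib/containers/storage:/var/lib/containers/storage
          ${{ needs.build.outputs.local-image }}
          bootc install to-disk --generic-image --skip-fetch-check --via-loopback
          /workdir/disk.img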