ci: fix ref extraction in scan workflow #45
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Pull Request | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| - v[0-9]+ | |
| env: | |
| ARTIFACT_NAME_PREFIX: almalinux-pr-${{ github.event.pull_request.number }} | |
| jobs: | |
| check-changes: | |
| name: Check changes since last commit | |
| runs-on: ubuntu-24.04 | |
| outputs: | |
| image: ${{ steps.changes.outputs.image }} | |
| builder: ${{ steps.changes.outputs.builder }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 | |
| - name: Check changes | |
| uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 | |
| id: changes | |
| with: | |
| filters: ./.github/paths-filter.yml | |
| build: | |
| name: Build base image | |
| needs: check-changes | |
| if: ${{ needs.check-changes.outputs.image == 'true' || needs.check-changes.outputs.builder == 'true' }} | |
| outputs: | |
| local-image: ${{ steps.export.outputs.local-image }} | |
| oci-archive: ${{ steps.export.outputs.oci-archive }} | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 | |
| with: | |
| submodules: 'true' | |
| - name: Validate release branch version | |
| if: ${{ github.base_ref != 'main' }} | |
| run: | | |
| #!/bin/bash | |
| set -xeo pipefail | |
| releasever=$(yq '.releasever' almalinux-bootc-version.yaml) | |
| if [[ ${GITHUB_BASE_REF#v*} != ${releasever%%.*} ]] | |
| then | |
| echo "Release branch should match major version in manifest" | |
| exit 1 | |
| fi | |
| - name: Inject ostree version | |
| run: | | |
| #!/bin/bash | |
| set -xeo pipefail | |
| releasever=$(yq '.releasever' almalinux-bootc-version.yaml) | |
| yq -i ".add-commit-metadata.version = \"${releasever}+$GITHUB_SHA\"" almalinux-bootc-version.yaml | |
| - name: Build image | |
| id: build | |
| uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13 | |
| with: | |
| image: ${{ env.ARTIFACT_NAME_PREFIX }} | |
| tags: ${{ github.sha }} | |
| containerfiles: | | |
| Dockerfile | |
| oci: 'true' | |
| extra-args: | | |
| --security-opt=label=disable | |
| --cap-add=all | |
| --device /dev/fuse | |
| labels: | | |
| org.opencontainers.image.revision=${{ github.sha }} | |
| - name: Export image as oci archive | |
| id: export | |
| run: | | |
| #!/bin/bash | |
| set -xeo pipefail | |
| local_image=localhost/${{ steps.build.outputs.image-with-tag }} | |
| oci_archive=${{ steps.build.outputs.image }}-${{ steps.build.outputs.tags }}.tar | |
| podman save --output $oci_archive --format oci-archive $local_image | |
| echo "local-image=$local_image" >> "$GITHUB_OUTPUT" | |
| echo "oci-archive=$oci_archive" >> "$GITHUB_OUTPUT" | |
| - name: Upload oci archive | |
| uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 | |
| with: | |
| name: ${{ steps.export.outputs.oci-archive }} | |
| path: ${{ steps.export.outputs.oci-archive }} | |
| retention-days: 1 | |
| compression-level: 0 # oci-archive is already compressed | |
| sbom: | |
| name: Generate SBOM | |
| runs-on: ubuntu-24.04 | |
| needs: build | |
| steps: | |
| - name: Download oci archive | |
| uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 | |
| with: | |
| name: ${{ needs.build.outputs.oci-archive }} | |
| - name: Generate SBOM | |
| uses: anchore/sbom-action@e8d2a6937ecead383dfe75190d104edd1f9c5751 # v0.16.0 | |
| with: | |
| syft-version: v1.5.0 | |
| image: oci-archive:${{ needs.build.outputs.oci-archive }} | |
| artifact-name: ${{ env.ARTIFACT_NAME_PREFIX }}-${{ github.sha }}.syft.json | |
| format: json | |
| upload-artifact: true | |
| upload-artifact-retention: 1 | |
| upload-release-assets: false | |
| scan: | |
| name: Vulnerability scan | |
| runs-on: ubuntu-24.04 | |
| needs: sbom | |
| steps: | |
| - name: Download SBOM | |
| uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 | |
| with: | |
| name: ${{ env.ARTIFACT_NAME_PREFIX }}-${{ github.sha }}.syft.json | |
| - name: Scan SBOM with Grype | |
| uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a # v3.6.4 | |
| id: scan | |
| with: | |
| sbom: ${{ env.ARTIFACT_NAME_PREFIX }}-${{ github.sha }}.syft.json | |
| fail-build: false | |
| output-format: table | |
| only-fixed: true | |
| grype-version: v0.78.0 | |
| test-install-to-disk: | |
| name: Test install to disk | |
| needs: build | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Download oci archive | |
| uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 | |
| with: | |
| name: ${{ needs.build.outputs.oci-archive }} | |
| - name: Import oci archive into containers-storage | |
| run: >- | |
| sudo podman load --input ${{ needs.build.outputs.oci-archive }} && | |
| sudo rm ${{ needs.build.outputs.oci-archive }} | |
| - name: Prepare disk file | |
| run: truncate -s5G disk.img | |
| - name: Test bootc install to disk | |
| run: >- | |
| sudo podman run | |
| --rm --pid host --privileged --security-opt label=type:unconfined_t | |
| -v ./:/workdir -v /var/lib/containers/storage:/var/lib/containers/storage | |
| ${{ needs.build.outputs.local-image }} | |
| bootc install to-disk --generic-image --skip-fetch-check --via-loopback | |
| /workdir/disk.img |