diff --git a/.github/workflows/push-production.yaml b/.github/workflows/push-production.yaml new file mode 100644 index 00000000000..d2569943d8d --- /dev/null +++ b/.github/workflows/push-production.yaml @@ -0,0 +1,421 @@ +name: Build Packages Production + +on: + push: + branches: + - main + workflow_dispatch: + +jobs: + build: + name: Build OS packages + runs-on: ubuntu-16-core + + permissions: + id-token: write + packages: write + contents: read + + steps: + - name: Generate snapshot date + id: snapshot-date + run: | + echo ::set-output name=date::$(date -u +%Y%m%d) + echo ::set-output name=epoch::$(date -u +%s) + shell: bash + + - uses: actions/checkout@v3 + - run: echo "${{ secrets.MELANGE_RSA }}" > ./wolfi-signing.rsa + - run: | + sudo mkdir -p /etc/apk/keys + sudo cp ./wolfi-signing.rsa.pub /etc/apk/keys/wolfi-signing.rsa.pub + + - uses: chainguard-dev/actions/setup-melange@main + + - id: auth + name: 'Authenticate to Google Cloud' + uses: google-github-actions/auth@v0 + with: + workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha" + service_account: "prod-images-ci@prod-images-c6e5.iam.gserviceaccount.com" + + - uses: google-github-actions/setup-gcloud@v0 + with: + project_id: prod-images-c6e5 + version: 399.0.0 + + - name: 'Check that GCloud is properly configured' + run: | + gcloud info + gcloud --quiet alpha storage ls + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: gmp + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: mpfr + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: mpc + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: isl + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: zlib + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: flex + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: glibc + empty-workspace: false + source-dir: ${{ github.workspace }}/glibc + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: build-base + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: gcc + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: busybox + empty-workspace: false + source-dir: ${{ github.workspace }}/busybox + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: binutils + empty-workspace: false + source-dir: ${{ github.workspace }}/binutils + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: bison + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: texinfo + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: pax-utils + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: openssl + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: gzip + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: make + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: sed + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: mpdecimal + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: libffi + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: linux-headers + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: gdbm + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: grep + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: gawk + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: file + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: expat + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: m4 + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: bzip2 + empty-workspace: false + source-dir: ${{ github.workspace }}/bzip2 + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: perl + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: ca-certificates + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: patch + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: ncurses + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: pkgconf + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: readline + empty-workspace: false + source-dir: ${{ github.workspace }}/readline + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: sqlite + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: xz + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: python3 + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: scdoc + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: linenoise + empty-workspace: false + source-dir: ${{ github.workspace }}/linenoise + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: autoconf + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: automake + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: help2man + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: libtool + empty-workspace: false + source-dir: ${{ github.workspace }}/libtool + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: lua5.3 + empty-workspace: false + source-dir: ${{ github.workspace }}/lua5.3 + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: lua5.3-lzlib + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: apk-tools + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: wget + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: wolfi-keys + empty-workspace: false + source-dir: ${{ github.workspace }}/wolfi-keys + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: wolfi-baselayout + empty-workspace: false + source-dir: ${{ github.workspace }}/wolfi-baselayout + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: wolfi-base + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: oniguruma + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: jq + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: brotli + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: libev + empty-workspace: false + source-dir: ${{ github.workspace }}/libev + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: c-ares + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: nghttp2 + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: curl + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: attr + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: acl + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: coreutils + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: diffutils + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: findutils + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: procps + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: samurai + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: lz4 + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: zstd + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: libarchive + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: libuv + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: rhash + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: cmake + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: py3-appdirs + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: py3-ordered-set + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: py3-installer + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: py3-tomli + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: py3-gpep517 + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: py3-flit-core + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: py3-parsing + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: py3-packaging + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: py3-more-itertools + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: py3-setuptools-stage0 + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: py3-setuptools + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: py3-pep517 + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: py3-six + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: py3-retrying + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: py3-contextlib2 + + - uses: chainguard-dev/actions/inky-build-pkg@main + with: + package-name: py3-pip + + - name: 'Upload the repository to a bucket' + run: | + cp /etc/apk/keys/wolfi-signing.rsa.pub ${{ github.workspace }}/packages/wolfi-signing.rsa.pub + gcloud --quiet alpha storage cp --recursive ${{ github.workspace }}/packages/ gs://wolfi-production-registry-source/os/ diff --git a/.github/workflows/push.yaml b/.github/workflows/push-staging.yaml similarity index 99% rename from .github/workflows/push.yaml rename to .github/workflows/push-staging.yaml index 78a4f9ceeba..a5c1e285f4d 100644 --- a/.github/workflows/push.yaml +++ b/.github/workflows/push-staging.yaml @@ -1,9 +1,6 @@ name: Build action on: - push: - branches: - - main workflow_dispatch: diff --git a/.github/workflows/secdb-production.yaml b/.github/workflows/secdb-production.yaml new file mode 100644 index 00000000000..dbe4a832abd --- /dev/null +++ b/.github/workflows/secdb-production.yaml @@ -0,0 +1,53 @@ +name: Build security database Production + +on: + push: + branches: + - main + workflow_dispatch: + +jobs: + build: + name: Build security database + runs-on: ubuntu-latest + + permissions: + id-token: write + packages: write + contents: read + + steps: + - uses: actions/checkout@v3 + - uses: actions/setup-go@v3 + + - id: auth + name: 'Authenticate to Google Cloud' + uses: google-github-actions/auth@v0 + with: + workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha" + service_account: "prod-images-ci@prod-images-c6e5.iam.gserviceaccount.com" + + - uses: google-github-actions/setup-gcloud@v0 + with: + project_id: prod-images-c6e5 + version: 399.0.0 + + - name: 'Check that GCloud is properly configured' + run: | + gcloud info + gcloud --quiet alpha storage ls + + - name: 'Build wolfi-secdb' + run: | + git clone https://github.com/chainguard-dev/wolfi-secdb + pushd wolfi-secdb + go build + popd + + - name: 'Generate security database' + run: | + ./wolfi-secdb/wolfi-secdb generate . --repo-name os + + - name: 'Upload the security database to a bucket' + run: | + gcloud --quiet alpha storage cp --recursive ${{ github.workspace }}/security.json gs://wolfi-production-registry-destination/os/ diff --git a/.github/workflows/secdb.yaml b/.github/workflows/secdb-staging.yaml similarity index 95% rename from .github/workflows/secdb.yaml rename to .github/workflows/secdb-staging.yaml index f00484f0e72..a68037c9dc3 100644 --- a/.github/workflows/secdb.yaml +++ b/.github/workflows/secdb-staging.yaml @@ -1,12 +1,8 @@ -name: Build security database +name: Build security database staging on: - push: - branches: - - main workflow_dispatch: - jobs: build: name: Build security database