diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index ec854c8..6e50cf2 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -110,6 +110,22 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} + - name: Log in to ghcr.io + uses: redhat-actions/podman-login@v1 + with: + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + registry: ghcr.io + + - name: Build bare images + if: ${{ github.event_name != 'pull_request' }} + id: bare + run: | + ./build_bare.sh + podman push --digestfile=bare-amd64-digest ghcr.io/gardenlinux/glvd-api:latest-linuxamd64_bare + podman push ghcr.io/gardenlinux/glvd-api:latest-linuxarm64_bare + echo "bare-amd64-digest=$(cat ./bare-amd64-digest)" >> $GITHUB_OUTPUT + - name: Print image url if: ${{ github.event_name != 'pull_request' }} run: echo "Image pushed to ${{ steps.push-to-ghcr.outputs.registry-paths }}" @@ -133,7 +149,7 @@ jobs: - name: Deploy the image if: ${{ github.event_name != 'pull_request' }} - run: kubectl --namespace default --token "${{ steps.get-token.outputs.idToken }}" set image deploy/glvd glvd-api=ghcr.io/gardenlinux/glvd-api:latest@${{ steps.push-to-ghcr.outputs.digest }} + run: kubectl --namespace default --token "${{ steps.get-token.outputs.idToken }}" set image deploy/glvd glvd-api=ghcr.io/gardenlinux/glvd-api:latest-linuxamd64_bare@${{ steps.bare.outputs.bare-amd64-digest }} dependency-submission: diff --git a/build.sh b/build.sh deleted file mode 100755 index 51e2ec7..0000000 --- a/build.sh +++ /dev/null 
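Review bot: The `Build bare images` step derives the deployed artifact from a mutable tag: `./build_bare.sh` pulls `ghcr.io/gardenlinux/glvd-api:latest` (the `podman pull` in build_bare.sh, same commit), so a concurrent run that pushes a different `latest` between the push and this step changes what gets stripped and then rolled out, whereas the replaced deploy line consumed `steps.push-to-ghcr.outputs.digest` directly. Passing that digest into the script, e.g. `./build_bare.sh "${{ steps.push-to-ghcr.outputs.digest }}"` and pulling `$GLVD_API_IMAGE_REPOSITORY@$DIGEST` inside it, keeps the bare image tied to the image this run built. Only the amd64 push uses `--digestfile`, so the arm64 digest is never recorded; if arm64 is ever deployed it needs the same treatment. The earlier steps this one relies on (what looks like a prior registry login, and `push-to-ghcr`) start outside the hunk.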
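Review bot: The deploy line now rolls out `latest-linuxamd64_bare@${{ steps.bare.outputs.bare-amd64-digest }}`, but the `Print image url` step in the previous hunk still logs `steps.push-to-ghcr.outputs.registry-paths`, so the job log no longer records the reference that is actually deployed. Logging it next to the deploy, e.g. `run: echo "Deploying ghcr.io/gardenlinux/glvd-api:latest-linuxamd64_bare@${{ steps.bare.outputs.bare-amd64-digest }}"`, keeps the run auditable. If the `bare` step's output were ever empty the reference would end in a bare `@`, presumably a hard kubectl error rather than a silent fallback; a one-line comment above the step saying the deploy intentionally depends on the `bare` step output would make that coupling explicit.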
@@ -1,19 +0,0 @@ -#!/usr/bin/env bash - -set -eufo pipefail - -if [[ ! -f build/libs/glvd-0.0.1-SNAPSHOT.jar ]]; then - ./gradlew bootJar -fi - -podman build --tag ghcr.io/gardenlinux/glvd-api:edge . - -podman save --format oci-archive ghcr.io/gardenlinux/glvd-api:edge > glvd.oci - -podman pull ubuntu:22.04 -podman save --format oci-archive ubuntu:22.04 > ubuntu.oci - -./unbase_oci --exclude exclude --include include --ldd-dependencies --print-tree ubuntu.oci glvd.oci glvd_bare.oci - -image="$(podman load < glvd_bare.oci | awk '{ print $NF }')" -podman tag "$image" ghcr.io/gardenlinux/glvd-api:edge_bare diff --git a/build_bare.sh b/build_bare.sh new file mode 100755 index 0000000..6e41826 --- /dev/null +++ b/build_bare.sh @@ -0,0 +1,22 @@ +#!/bin/bash + +GLVD_API_IMAGE_REPOSITORY=ghcr.io/gardenlinux/glvd-api +GLVD_API_IMAGE_TAG=latest + +build () { + local ARCH="${1}"; shift + + SHA_GLVD=$(podman pull -q --arch="$ARCH" $GLVD_API_IMAGE_REPOSITORY:$GLVD_API_IMAGE_TAG) + podman save --format oci-archive "$SHA_GLVD" > glvd-"$ARCH".oci + + SHA_GL=$(podman pull -q --arch="$ARCH" ghcr.io/gardenlinux/gardenlinux:1592) + podman save --format oci-archive "$SHA_GL" > gardenlinux-"$ARCH".oci + + ./unbase_oci --exclude exclude --include include --ldd-dependencies --print-tree gardenlinux-"$ARCH".oci glvd-"$ARCH".oci glvd_bare-"$ARCH".oci + + image="$(podman load < glvd_bare-"$ARCH".oci | awk '{ print $NF }')" + podman tag "$image" $GLVD_API_IMAGE_REPOSITORY:$GLVD_API_IMAGE_TAG-linux"$ARCH"_bare +} + +build amd64 +build arm64 diff --git a/unbase_oci b/unbase_oci index 1a6db1b..f2634fc 100755 --- a/unbase_oci +++ b/unbase_oci @@ -2,7 +2,7 @@ set -eufo pipefail -container_image=ghcr.io/gardenlinux/unbase_oci:233f4213036fadd4b91b965b4ca71b457f1a6b88 +container_image=ghcr.io/gardenlinux/unbase_oci:8e33b68bf7b93d392fa8ef3248adb0a65d43c67a container_engine=podman container_mount_opts=() 
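Review bot: `build_bare.sh` has no `set -eufo pipefail` after `#!/bin/bash`, unlike the `build.sh` it replaces, so a failed `podman pull -q` leaves `SHA_GLVD` or `SHA_GL` empty and the script presumably continues into `podman save`, `./unbase_oci` and a `podman tag` of whatever `awk '{ print $NF }'` extracted, instead of failing the CI step. Add `set -eufo pipefail` as the second line, and quote the expansions `"$GLVD_API_IMAGE_REPOSITORY:$GLVD_API_IMAGE_TAG"` and `"$GLVD_API_IMAGE_REPOSITORY:$GLVD_API_IMAGE_TAG-linux${ARCH}_bare"` while there. The base image `ghcr.io/gardenlinux/gardenlinux:1592` is referenced by tag only; if the bare image is meant to be reproducible, pinning it by digest the way `unbase_oci` pins its own container image would be consistent.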
@@ -52,4 +52,4 @@ container_mount_opts+=(-v "$(realpath "$1"):/mnt$(realpath "$1")") container_mount_opts+=(-v "$(realpath "$3"):/mnt$(realpath "$3")") args+=("/mnt$(realpath "$1")" "/mnt$(realpath "$2")" "/mnt$(realpath "$3")") -"$container_engine" run --rm --read-only --tmpfs /tmp:rw,exec "${container_mount_opts[@]}" "$container_image" "${args[@]}" +"$container_engine" run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --security-opt label=disable --read-only --tmpfs /tmp:rw,exec "${container_mount_opts[@]}" "$container_image" "${args[@]}"
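Review bot: The new `run` line removes all three kernel-side confinements of the `unbase_oci` container at once — `seccomp=unconfined`, `apparmor=unconfined` and `label=disable` — and nothing in the diff says which operation needed it, so a reader cannot tell whether the whole set is required or only the SELinux labelling of the bind mounts built just above. A comment on the line before, such as `# unconfined seccomp/AppArmor and disabled SELinux labelling: needed because <operation that fails> — TODO confirm each flag is still required`, should name the failing call. If the bind mounts are the only problem, `--security-opt label=disable` alone, or a `:z`/`:Z` suffix on the `-v` entries, narrows the change while keeping seccomp and AppArmor in force; `--read-only` and the `--tmpfs` still limit the filesystem side either way. The `container_mount_opts` construction this line consumes starts outside the hunk.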