From c6860e1c42977b1760b7146edb8670782d49f2ac Mon Sep 17 00:00:00 2001
From: Dave Sargent
Date: Fri, 8 Nov 2024 15:25:26 -0800
Subject: [PATCH] Remove compare containers
---
.github/workflows/release-weekly.yml | 22 ++---------
.github/workflows/release.yml | 6 +--
.github/workflows/scorecard.yml | 8 ++--
.github/workflows/trivy.yml | 10 ++---
workflow_scripts/compare_containers.sh | 53 --------------------------
5 files changed, 15 insertions(+), 84 deletions(-)
delete mode 100755 workflow_scripts/compare_containers.sh
diff --git a/.github/workflows/release-weekly.yml b/.github/workflows/release-weekly.yml
index 344e7c1..dfd63c2 100644
--- a/.github/workflows/release-weekly.yml
+++ b/.github/workflows/release-weekly.yml
@@ -39,7 +39,7 @@ jobs:
 fetch-depth: 0 fetch-tags: true - - name: Get the latest version + - name: Get the Latest Version id: get_version run: bash ${GITHUB_WORKSPACE}/workflow_scripts/get_latest_version.sh env:
@@ -47,31 +47,16 @@ jobs:
 REGISTRY: ${{ env.REGISTRY }} REPOSITORY: ${{ env.REPOSITORY }} - - name: Log into registry + - name: Log Into Registry uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Build Docker image + - name: Build and Push Docker image id: build uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 - with: - push: false - tags: ${{ env.TAG_MAJOR }},${{ env.TAG_MINOR }},${{ env.TAG_PATCH }},${{ env.TAG_LATEST }} - - - name: Compare the Old and New Docker Images - id: compare_versions - run: bash ${GITHUB_WORKSPACE}/workflow_scripts/compare_containers.sh - env: - GH_TOKEN: ${{ github.token }} - TAG_OLD: ${{ env.TAG_OLD }} - TAG_PATCH: ${{ env.TAG_PATCH }} - - - name: Push Docker image - if: steps.compare_versions.outputs.continue == 'true' - uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 with: push: true tags: ${{ env.TAG_MAJOR }},${{ env.TAG_MINOR }},${{ env.TAG_PATCH }},${{ env.TAG_LATEST }}
@@ -79,7 +64,6 @@ jobs:
 # Docs: https://github.com/marketplace/actions/create-release - name: Create Release id: create_release - if: steps.compare_versions.outputs.continue == 'true' uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 with: body: "A Weekly release containing upgrades to system packages in the base Rocky Linux container."
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index bf6d68c..bc22c55 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -32,7 +32,7 @@ jobs:
 fetch-depth: 0 fetch-tags: true - - name: Log into registry + - name: Log Into Registry uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 with: registry: ${{ env.REGISTRY }}
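Review bot: The merged `Build and Push Docker image` step in the `@@ -47` hunk now pushes `TAG_MAJOR`, `TAG_MINOR`, `TAG_PATCH` and `TAG_LATEST` on every scheduled run, and the `@@ -79` hunk drops the matching `if:` on `Create Release`, so a week in which the base image did not change still publishes a new patch tag, moves `latest`, and cuts a GitHub release. If that is the intended trade-off for removing the diffoci gate, a comment on the step would save the next reader from re-adding one, e.g. `# Published unconditionally: a rebuild identical to last week's image still receives a new patch tag and moves latest.` `TAG_OLD` no longer has a consumer in this file but is presumably still produced by get_latest_version.sh (outside this diff), so check whether that output can be dropped as well; the same goes for `id: build`, which nothing in the hunk reads any more. The job's `steps:` list begins before the hunk and continues after it.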
@@ -40,7 +40,7 @@ jobs:
 password: ${{ secrets.GITHUB_TOKEN }} # During a release workflow the new git tag is provided and is automatically used by this step to generate the new image tags. - - name: Extract Docker metadata + - name: Extract Docker Metadata id: meta uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 with:
@@ -50,7 +50,7 @@ jobs:
 type=semver,pattern={{major}}.{{minor}} type=semver,pattern={{major}} - - name: Build and push Docker image + - name: Build and Push Docker Image uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 with: context: .
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 24f7450..b03c7f7 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -50,12 +50,12 @@ jobs:
 tuf-repo-cdn.sigstore.dev:443 www.bestpractices.dev:443 - - name: "Checkout code" + - name: "Checkout Code" uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: persist-credentials: false - - name: "Run analysis" + - name: "Run Analysis" uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 with: results_file: results.sarif
@@ -77,7 +77,7 @@ jobs:
 # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - - name: "Upload artifact" + - name: "Upload Artifact" uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 with: name: SARIF file
@@ -86,7 +86,7 @@ jobs:
 # Upload the results to GitHub's code scanning dashboard (optional). # Commenting out will disable upload of results to your repo's Code Scanning dashboard - - name: "Upload to code-scanning" + - name: "Upload to Code-Scanning" uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd with: sarif_file: results.sarif
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 2e3684e..dcb6334 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -36,23 +36,23 @@ jobs:
 disable-sudo: true egress-policy: audit - - name: Log into registry + - name: Log Into Registry uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Checkout code + - name: Checkout Code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - - name: Build Docker image + - name: Build Docker Image uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 with: push: false tags: ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ github.sha }} - - name: Run Trivy vulnerability scanner + - name: Run Trivy Vulnerability Scanner uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 with: image-ref: '${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ github.sha }}'
@@ -64,7 +64,7 @@ jobs:
 TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db TRIVY_SKIP_JAVA_DB_UPDATE: true - - name: Upload Trivy scan results to GitHub Security tab + - name: Upload Trivy Results uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd with: sarif_file: 'trivy-results.sarif'
diff --git a/workflow_scripts/compare_containers.sh b/workflow_scripts/compare_containers.sh
deleted file mode 100755
index 0f98589..0000000
--- a/workflow_scripts/compare_containers.sh
+++ /dev/null
@@ -1,53 +0,0 @@
-#!/bin/bash
-
-#cspell:ignore diffoci
-
-set -euo pipefail
-IFS=$'\n\t'
-
-main() {
- if [ -z "${TAG_OLD:-}" ]; then
- echo "Error: TAG_OLD is not set."
- exit 1
- fi
-
- if [ -z "${TAG_PATCH:-}" ]; then
- echo "Error: TAG_PATCH is not set."
- exit 1
- fi
-
- echo "Downloading the diffoci binary."
- latest_release_url=$(gh release view -R reproducible-containers/diffoci --json assets -q '.assets[] | select(.name | test("linux-amd64")) | .url')
- echo "Using the latest release URL: $latest_release_url"
- curl -L -o diffoci "$latest_release_url"
- chmod +x diffoci
- # Github runner does not print empty echos. :(
- echo "-"
-
- echo "Pulling the previous Docker image to compare."
- docker pull "${TAG_OLD}"
- echo "-"
-
- echo "Checking if the images are different with diffoci."
- OLD_IMAGE="docker://${TAG_OLD}"
- NEW_IMAGE="docker://${TAG_PATCH}"
- set +e
- ./diffoci diff --semantic "$OLD_IMAGE" "$NEW_IMAGE"
- DIFFOCI_EXIT_CODE=$?
- set -e
- echo "-"
-
- # Check the exit code of diffoci. If it is zero then there are no changes, otherwise there are.
- if [ $DIFFOCI_EXIT_CODE -eq 0 ]; then
- echo "The images appear to be the same, exiting."
- echo "continue=false" >>"$GITHUB_OUTPUT"
- exit 0
- fi
-
- echo "The images appear to be different. Continuing."
- echo "continue=true" >>"$GITHUB_OUTPUT"
-}
-
-if ! (return 0 2>/dev/null); then
- (main "$@")
-fi