Skip to content

grype/0.74.5 package update #29079

grype/0.74.5 package update

grype/0.74.5 package update #29079

Workflow file for this run

name: CI build action
on:
pull_request:
branches: ['main']
push:
branches:
- gh-readonly-queue/main/**
jobs:
changes:
permissions:
contents: read
name: Determine packages to test building
runs-on: ubuntu-latest
outputs:
packages: ${{steps.package-list.outputs.packages}}
steps:
- uses: actions/checkout@v4
- name: Look for changed files
id: changes
uses: tj-actions/changed-files@716b1e13042866565e00e85fd4ec490e186c4a2f #tj-actions/[email protected]
with:
files_yaml: |
melange:
- ./*.yaml # Only top level files without structure
- ./*/*/*.melange.yaml # Support recursive melange files with the new naming convention.
- name: "Install wolfictl onto PATH"
run: |
# Copy wolfictl out of the wolfictl image and onto PATH
TMP=$(mktemp -d)
docker run --rm -i -v $TMP:/out --entrypoint /bin/sh ghcr.io/wolfi-dev/sdk:latest@sha256:faf2d69b08630162837a98d3e83f7c129a0322cb8236ac46f9e2e3e5fd2300ee -c "cp /usr/bin/wolfictl /out"
echo "$TMP" >> $GITHUB_PATH
# Assuming that we have a list of changed files such as `foo.yaml` and `bar.yaml`, this
# strips the list down into `foo` and `bar`.
- name: Build package list
id: package-list
run: |
printf "packages=" >> $GITHUB_OUTPUT
wolfictl text -t name --pipeline-dir=./pipelines/ \
-r https://packages.wolfi.dev/bootstrap/stage3 \
-k https://packages.wolfi.dev/bootstrap/stage3/wolfi-signing.rsa.pub > packages-list
while read pkg; do
for file in ${{ steps.changes.outputs.melange_all_changed_files }}; do
# Since the file is a path, we need to strip out only the file
# name from it.
base_file=$(basename $file)
base_file="${base_file%.melange.yaml}"
base_file="${base_file%.yaml}"
printf "base_file: $base_file"
[ "${base_file}" = "$pkg" ] && printf "%s " ${base_file} >> $GITHUB_OUTPUT
done
done < packages-list
printf "\n" >> $GITHUB_OUTPUT
build:
name: Test building of packages
strategy:
matrix:
arch: [ "x86_64", "aarch64" ]
fail-fast: false
runs-on:
group: wolfi-builder-${{ matrix.arch }}
needs: changes
container:
image: ghcr.io/wolfi-dev/sdk:latest@sha256:faf2d69b08630162837a98d3e83f7c129a0322cb8236ac46f9e2e3e5fd2300ee
options: |
--cap-add NET_ADMIN --cap-add SYS_ADMIN --security-opt seccomp=unconfined --security-opt apparmor:unconfined
outputs:
packages_were_built: ${{ steps.file_check.outputs.exists }}
permissions:
contents: read
pull-requests: write # so we have permission to comment on pull requests
steps:
- uses: actions/checkout@v4
- name: 'Trust the github workspace'
run: |
# This is to avoid fatal errors about "dubious ownership" because we are
# running inside of a container action with the workspace mounted in.
git config --global --add safe.directory "$GITHUB_WORKSPACE"
- name: 'Generate local signing key'
run: |
make MELANGE="melange" local-melange.rsa
- name: 'Build Wolfi'
run: |
# Setup the melange cache dir on the host so we can use that in subsequent builds
mkdir ../.melangecache
for package in ${{needs.changes.outputs.packages}}; do
make MELANGE_EXTRA_OPTS="--create-build-log --cache-dir=$(pwd)/../.melangecache" REPO="$GITHUB_WORKSPACE/packages" package/$package -j1
make REPO="$GITHUB_WORKSPACE/packages" test/$package -j1
done
- name: "Check that packages can be installed with apk add"
run: |
# Create a fake linux fs under /tmp/emptyroot to pass to `apk --root`.
mkdir -p /tmp/emptyroot/etc/apk
cp -r /etc/apk/* /tmp/emptyroot/etc/apk/
cat /dev/null > /tmp/emptyroot/etc/apk/world
mkdir -p /tmp/emptyroot/lib/apk/db
touch /tmp/emptyroot/lib/apk/db/{installed,lock,scripts.tar,triggers}
mkdir -p /tmp/emptyroot/var/cache/apk
apk update --root /tmp/emptyroot
# Find .apk files and add them to the string
for f in $(find packages -name '*.apk'); do
tar -Oxf $f .PKGINFO
apk add --root /tmp/emptyroot --repository "$GITHUB_WORKSPACE/packages" --allow-untrusted --simulate $f
done
- name: Check SBOMs
run: |
apk add py3-ntia-conformance-checker
for f in $(find packages -name '*.apk'); do
echo ==== Checking SBOM for $f ====
tar -Oxf $f var/lib/db/sbom/ > sbom.json
echo ::group::sbom.json
cat sbom.json
echo ::endgroup::
ntia-checker -v --file sbom.json
done
- name: Check for file
id: file_check
run: |
if test -f "packages.log"; then
cat packages.log
echo "exists=true" >> $GITHUB_OUTPUT
else
echo "exists=false" >> $GITHUB_OUTPUT
fi
- name: Check diff
if: steps.file_check.outputs.exists == 'true'
# Let's not fail the whole job if this step fails as it is for improved UX rather than an enforced check
continue-on-error: true
run: |
wolfictl check diff
- name: Check for diff file
id: diff_file_check
run: |
if test -f "diff.log"; then
cat diff.log
echo "exists=true" >> $GITHUB_OUTPUT
else
echo "exists=false" >> $GITHUB_OUTPUT
fi
# Use the x86_64 build results for the comment for now so we don't have duplicates.
- name: PR comment diff
if: steps.diff_file_check.outputs.exists == 'true' && matrix.arch == 'x86_64'
uses: thollander/actions-comment-pull-request@632cf9ce90574d125be56b5f3405cda41a84e2fd # v2.3.1
# We're seeing jobs using merge queues fail
continue-on-error: true
with:
filePath: diff.log
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: 'Upload built packages to GitHub artifacts'
uses: actions/upload-artifact@v3
with:
path: |
./packages/${{ matrix.arch }}
./packages.log
name: packages-${{ matrix.arch }}
retention-days: 1
if-no-files-found: warn
so_check:
permissions:
contents: read
name: "ABI Compatibility check"
runs-on: ubuntu-latest
container:
image: ghcr.io/wolfi-dev/sdk:latest@sha256:faf2d69b08630162837a98d3e83f7c129a0322cb8236ac46f9e2e3e5fd2300ee
needs: build
if: needs.build.outputs.packages_were_built == 'true'
steps:
- name: 'Retrieve x86_64 packages'
uses: actions/download-artifact@v3
with:
name: packages-x86_64
path: /tmp/artifacts-1/
- name: 'Retrieve aarch64 packages'
uses: actions/download-artifact@v3
with:
name: packages-aarch64
path: /tmp/artifacts-2/
- name: 'Collect packages from all architectures into one place'
run: |
cd /tmp/artifacts-1
# Put the packages into one place (if aarch64 logs exist)
if test -f "/tmp/artifacts-2/packages"; then
mv /tmp/artifacts-2/packages/* ./packages/
# Merge the build log ("packages.log") files
cat /tmp/artifacts-2/packages.log >> ./packages.log
fi
- name: Soname check
run: |
wolfictl check so-name --packages-dir /tmp/artifacts-1/packages --package-list-file /tmp/artifacts-1/packages.log
scan:
permissions:
contents: read
name: "Scan packages for CVEs"
runs-on: ubuntu-latest
container:
image: ghcr.io/wolfi-dev/sdk:latest@sha256:faf2d69b08630162837a98d3e83f7c129a0322cb8236ac46f9e2e3e5fd2300ee
needs: build
if: needs.build.outputs.packages_were_built == 'true'
steps:
- name: 'Retrieve x86_64 packages'
uses: actions/download-artifact@v3
with:
name: packages-x86_64
path: /tmp/artifacts-1/
- name: 'Retrieve aarch64 packages'
uses: actions/download-artifact@v3
with:
name: packages-aarch64
path: /tmp/artifacts-2/
- name: 'Collect packages from all architectures into one place'
run: |
cd /tmp/artifacts-1
# Put the packages into one place (if aarch64 logs exist)
if test -f "/tmp/artifacts-2/packages"; then
mv /tmp/artifacts-2/packages/* ./packages/
# Merge the build log ("packages.log") files
cat /tmp/artifacts-2/packages.log >> ./packages.log
fi
- name: 'Retrieve Wolfi advisory data'
uses: actions/checkout@v4
with:
repository: 'wolfi-dev/advisories'
path: 'data/wolfi-advisories'
- name: Scan for CVEs
run: |
wolfictl scan \
--build-log \
--advisories-repo-dir 'data/wolfi-advisories' \
--advisory-filter 'resolved' \
--require-zero \
/tmp/artifacts-1 \
2> /dev/null # The error message renders strangely on GitHub Actions, and the important information is already being sent to stdout.