diff --git a/.github/actions/docker-run/action.yaml b/.github/actions/docker-run/action.yaml deleted file mode 100644 index 671f2e840a4..00000000000 --- a/.github/actions/docker-run/action.yaml +++ /dev/null @@ -1,45 +0,0 @@ -name: Run a command in Docker -description: Wraps the given `cmd` in a `docker run` -inputs: - run: - description: "The command/script to run" - required: true - image: - description: "The image to use" - default: "ghcr.io/wolfi-dev/sdk:latest@sha256:c4640fd2e678c3ffe171047e5d232e6d2ca9cf8fc5120ad8d71bef45bdfa92b3" - required: false - workdir: - description: "The images working directory" - default: "/github/home" - required: false - opts: - description: "Extra options to pass to docker run" - default: "" - required: false - -runs: - using: composite - steps: - - name: Run in Docker - shell: bash - run: | - docker run \ - --privileged \ - --security-opt "seccomp=unconfined" \ - --security-opt "apparmor:unconfined" \ - -v "$PWD":"${{ inputs.workdir }}" \ - -v /home/runner:/home/runner \ - --workdir "${{ inputs.workdir }}" \ - --entrypoint "bash" \ - -e "HOME=${{ inputs.workdir }}" \ - -e "GITHUB_ACTIONS=true" \ - -e "CI=true" \ - -e CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=${CLOUDSDK_AUTH_CREDENTIAL_FILE} \ - -e GOOGLE_APPLICATION_CREDENTIALS=${GOOGLE_APPLICATION_CREDENTIALS} \ - -e GOOGLE_GHA_CREDS_PATH=${GOOGLE_GHA_CREDS_PATH} \ - -i \ - ${{ inputs.opts }} \ - ${{ inputs.image }} <<"_END_DOCKER_RUN" - set -e - ${{ inputs.run }} - _END_DOCKER_RUN diff --git a/.github/chainguard/delete-branches.sts.yaml b/.github/chainguard/delete-branches.sts.yaml deleted file mode 100644 index 89623d8435a..00000000000 --- a/.github/chainguard/delete-branches.sts.yaml +++ /dev/null @@ -1,7 +0,0 @@ -issuer: https://token.actions.githubusercontent.com -subject: repo:wolfi-dev/os:ref:refs/heads/main -claim_pattern: - job_workflow_ref: wolfi-dev/os/.github/workflows/delete-old-branches.yaml@refs/heads/main - -permissions: - contents: write 
diff --git a/.github/chainguard/digestabot.sts.yaml b/.github/chainguard/digestabot.sts.yaml deleted file mode 100644 index ca72e4fd7f5..00000000000 --- a/.github/chainguard/digestabot.sts.yaml +++ /dev/null @@ -1,9 +0,0 @@ -issuer: https://token.actions.githubusercontent.com -subject: repo:wolfi-dev/os:ref:refs/heads/main -claim_pattern: - workflow_ref: wolfi-dev/os/.github/workflows/digestabot.yaml@refs/heads/main - -permissions: - contents: write - pull_requests: write - workflows: write diff --git a/.github/chainguard/github-updates.sts.yaml b/.github/chainguard/github-updates.sts.yaml deleted file mode 100644 index 5cf792b0248..00000000000 --- a/.github/chainguard/github-updates.sts.yaml +++ /dev/null @@ -1,10 +0,0 @@ -issuer: https://token.actions.githubusercontent.com -subject: repo:wolfi-dev/os:ref:refs/heads/main -claim_pattern: - job_workflow_ref: wolfi-dev/os/.github/workflows/wolfictl-update-gh.yaml@refs/heads/main - -permissions: - contents: write - pull_requests: write - workflows: write - issues: write diff --git a/.github/chainguard/lifecycle-automation-release.sts.yaml b/.github/chainguard/lifecycle-automation-release.sts.yaml deleted file mode 100644 index eb8e3c836b1..00000000000 --- a/.github/chainguard/lifecycle-automation-release.sts.yaml +++ /dev/null @@ -1,9 +0,0 @@ -issuer: https://accounts.google.com - -# staging-images: not in use -# prod-images: lifecycle-upstream-github@prod-images-c6e5.iam.gserviceaccount.com -subject: "100889997859037637297" - -permissions: - contents: read - metadata: read diff --git a/.github/chainguard/lifecycle-cve-remediation.sts.yaml b/.github/chainguard/lifecycle-cve-remediation.sts.yaml deleted file mode 100644 index bf410863675..00000000000 --- a/.github/chainguard/lifecycle-cve-remediation.sts.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ -issuer: https://accounts.google.com - -# have more than one service account -# staging-images: cve-remediation-sa@staging-images-183e.iam.gserviceaccount.com (115001090278325569140) -# prod-images: cve-remediation-sa@prod-images-c6e5.iam.gserviceaccount.com (103318643747916563750) -subject_pattern: "(115001090278325569140|103318643747916563750)" - -permissions: - pull_requests: write - contents: write - workflows: write diff --git a/.github/chainguard/lifecycle-devops-data-collector.sts.yaml b/.github/chainguard/lifecycle-devops-data-collector.sts.yaml deleted file mode 100644 index 03b30df28dd..00000000000 --- a/.github/chainguard/lifecycle-devops-data-collector.sts.yaml +++ /dev/null @@ -1,9 +0,0 @@ -issuer: https://accounts.google.com - -# staging-images: not in use -# prod-images: lifecycle-devops-collector@prod-images-c6e5.iam.gserviceaccount.com -subject: "109102922315025257155" - -permissions: - contents: read - metadata: read diff --git a/.github/chainguard/lifecycle-eol-mover.sts.yaml b/.github/chainguard/lifecycle-eol-mover.sts.yaml deleted file mode 100644 index 41ec3193c63..00000000000 --- a/.github/chainguard/lifecycle-eol-mover.sts.yaml +++ /dev/null @@ -1,10 +0,0 @@ -issuer: https://accounts.google.com - -# staging-images: not in use -# prod-images: lifecycle-eol-mover@prod-images-c6e5.iam.gserviceaccount.com -subject: "105314035764875766195" - -permissions: - contents: write - pull_requests: write - workflows: write diff --git a/.github/chainguard/lifecycle-version-stream-bot.sts.yaml b/.github/chainguard/lifecycle-version-stream-bot.sts.yaml deleted file mode 100644 index c4b3f42b324..00000000000 --- a/.github/chainguard/lifecycle-version-stream-bot.sts.yaml +++ /dev/null @@ -1,8 +0,0 @@ -issuer: https://accounts.google.com - -# staging-images: not in use -# prod-images: lifecycle-version-bot@prod-images-c6e5.iam.gserviceaccount.com -subject: "107394578545378987534" - -permissions: - contents: read 
diff --git a/.github/chainguard/lifecycle-version-stream-create.sts.yaml b/.github/chainguard/lifecycle-version-stream-create.sts.yaml deleted file mode 100644 index 373c67a798d..00000000000 --- a/.github/chainguard/lifecycle-version-stream-create.sts.yaml +++ /dev/null @@ -1,9 +0,0 @@ -issuer: https://accounts.google.com - -# staging-images: not in use -# prod-images: lifecycle-vs-creator@prod-images-c6e5.iam.gserviceaccount.com -subject: "115891404086175406658" - -permissions: - contents: write - pull_requests: write diff --git a/.github/chainguard/release-monitoring-updates.sts.yaml b/.github/chainguard/release-monitoring-updates.sts.yaml deleted file mode 100644 index 5d170808d20..00000000000 --- a/.github/chainguard/release-monitoring-updates.sts.yaml +++ /dev/null @@ -1,10 +0,0 @@ -issuer: https://token.actions.githubusercontent.com -subject: repo:wolfi-dev/os:ref:refs/heads/main -claim_pattern: - job_workflow_ref: wolfi-dev/os/.github/workflows/wolfictl-update-rm.yaml@refs/heads/main - -permissions: - contents: write - pull_requests: write - workflows: write - issues: write diff --git a/.github/workflows/build-beta.yaml b/.github/workflows/build-beta.yaml deleted file mode 100644 index 9bdd04deb0c..00000000000 --- a/.github/workflows/build-beta.yaml +++ /dev/null 
@@ -1,215 +0,0 @@ -name: Build Wolfi OS (beta) - -on: - push: - branches: ['main'] - paths-ignore: - - '**.md' - - '**.txt' - - workflow_dispatch: - -permissions: - contents: read - -jobs: - build: - name: Build packages - if: github.repository == 'wolfi-dev/os' - - strategy: - matrix: - include: - - arch: x86_64 - runner: ubuntu-intel-64-cores - - arch: aarch64 - runner: ubuntu-arm-64-cores - fail-fast: false - - runs-on: ${{matrix.runner}} - - permissions: - contents: read - id-token: write - - steps: - - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 - with: - egress-policy: audit - - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - name: Setup Docker - run: | - # Add Docker's official GPG key: - sudo apt-get update -y - sudo apt-get install ca-certificates curl -y - sudo install -m 0755 -d /etc/apt/keyrings - sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc - sudo chmod a+r /etc/apt/keyrings/docker.asc - # Add the repository to Apt sources: - echo \ - "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \ - $(. 
/etc/os-release && echo "$VERSION_CODENAME") stable" | \ - sudo tee /etc/apt/sources.list.d/docker.list > /dev/null - sudo apt-get update -y - sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin - sudo usermod -aG docker $USER - sudo apt-get install acl - sudo setfacl --modify user:$USER:rw /var/run/docker.sock - - - uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 - with: - workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha" - service_account: ${{ env.FQ_SERVICE_ACCOUNT }} - - # Build with a local key, we'll resign this with the real key later - - name: 'Set up environment and build' - uses: ./.github/actions/docker-run - with: - run: | - set -x - set -e - set -o pipefail - - # This is to avoid fatal errors about "dubious ownership" because we are - # running inside of a container action with the workspace mounted in. - git config --global --add safe.directory "$PWD" - - make local-melange.rsa - - # Touch it with the epoch date to convince `make` that we don't need to - # rebuild the targets that depend on this (all) - touch -d @0 local-melange.rsa - - # yay wolfi! - apk add google-cloud-sdk - - mkdir -p ./packages/${{ matrix.arch }} - - wolfictl build \ - --runner bubblewrap \ - --repository-append ./packages \ - --keyring-append local-melange.rsa.pub \ - --repository-append https://packages.wolfi.dev/os \ - --keyring-append https://packages.wolfi.dev/os/wolfi-signing.rsa.pub \ - --signing-key local-melange.rsa \ - --arch ${{ matrix.arch }} \ - --namespace wolfi \ - --pipeline-dir ./pipelines/ \ - --destination-repository https://packages.wolfi.dev/os \ - --trace ./packages/${{ matrix.arch }}/trace.json - - - name: Reset file permissions - run: sudo chown -R $(id -u):$(id -g) . 
- - - name: Create an archive for uploading - if: ${{ always() }} - run: | - # Move logs so we can upload them separately. - mv ./packages/${{ matrix.arch }}/buildlogs /tmp/buildlogs - - # Move trace so we can upload it separately. - mv ./packages/${{ matrix.arch }}/trace.json /tmp/trace.json - - tar -cvzf /tmp/packages-${{ matrix.arch }}.tar.gz ./packages/${{ matrix.arch }} - - # Always run these steps for https://github.com/wolfi-dev/os/issues/8698 - - if: ${{ always() }} - name: 'Upload logs archive to GitHub Artifacts' - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 - with: - name: logs-${{ matrix.arch }} - path: /tmp/buildlogs/ - if-no-files-found: warn - - if: ${{ always() }} - name: 'Upload trace to GitHub Artifacts' - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 - with: - name: trace-${{ matrix.arch }} - path: /tmp/trace.json - if-no-files-found: warn - - if: ${{ always() }} - name: 'Upload built packages archive to GitHub Artifacts' - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 - with: - name: packages-${{ matrix.arch }} - path: /tmp/packages-${{ matrix.arch }}.tar.gz - retention-days: 1 # Low ttl since this is just an intermediary used once - if-no-files-found: warn - - upload-packages: - runs-on: ubuntu-latest-16-cores - needs: build - - # Always run this job for https://github.com/wolfi-dev/os/issues/8698 - if: ${{ always() }} - - permissions: - id-token: write - contents: read - - container: - # NOTE: This step only signs and uploads, so it doesn't need any privileges - image: ghcr.io/wolfi-dev/sdk:latest@sha256:c4640fd2e678c3ffe171047e5d232e6d2ca9cf8fc5120ad8d71bef45bdfa92b3 - - steps: - - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 - with: - egress-policy: audit - - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - name: Free up runner disk space - run: | 
- set -x - printf "==> Available space before cleanup\n" - df -h - rm -rf /usr/share/dotnet - rm -rf "$AGENT_TOOLSDIRECTORY" - - printf "==> Available space after cleanup\n" - df -h - - - name: 'Trust the github workspace' - run: | - # This is to avoid fatal errors about "dubious ownership" because we are - # running inside of a container action with the workspace mounted in. - git config --global --add safe.directory "$(pwd)" - - - name: 'Download x86_64 package archives' - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - path: /tmp/artifacts/ - name: packages-x86_64 - - - name: 'Download aarch64 package archives' - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - path: /tmp/artifacts/ - name: packages-aarch64 - - - name: 'Update the APKINDEX' - run: | - for arch in "aarch64" "x86_64"; do - mkdir -p ./packages/${arch} - - # Consolidate with the built artifacts - tar xvf /tmp/artifacts/packages-${arch}.tar.gz - done - - - name: 'Create APKINDEX tarball' - run: | - # Tar up any 'APKINDEX.*' files {aarch64,x86_64} x {tar.gz,json} - find ./packages/ -name 'APKINDEX.*' > to-include - tar -cvzf /tmp/indexes.tar.gz --files-from to-include - - - name: 'Upload APKINDEX archive to GitHub Artifacts' - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 - with: - name: indexes - path: /tmp/indexes.tar.gz - retention-days: 1 # Low ttl since this is just an intermediary used once - if-no-files-found: warn diff --git a/.github/workflows/build-old.yaml b/.github/workflows/build-old.yaml deleted file mode 100644 index 8d9f42334b3..00000000000 --- a/.github/workflows/build-old.yaml +++ /dev/null 
@@ -1,335 +0,0 @@ -name: Build Wolfi OS with make all - -on: - workflow_dispatch: - -# Only run one build at a time to prevent out of sync signatures. -concurrency: build - -permissions: - contents: read - -jobs: - build: - name: Build packages - if: github.repository == 'wolfi-dev/os' - - strategy: - matrix: - arch: [ "x86_64", "aarch64" ] - fail-fast: false - - runs-on: - group: wolfi-os-builder-${{ matrix.arch }} - - permissions: - contents: read - - container: - image: ghcr.io/wolfi-dev/sdk:latest@sha256:c4640fd2e678c3ffe171047e5d232e6d2ca9cf8fc5120ad8d71bef45bdfa92b3 - # TODO: Deprivilege - options: | - --cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/fuse --security-opt seccomp=unconfined --security-opt apparmor:unconfined - - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - name: 'Trust the github workspace' - run: | - # This is to avoid fatal errors about "dubious ownership" because we are - # running inside of a container action with the workspace mounted in. - git config --global --add safe.directory "$(pwd)" - - # Build with a local key, we'll resign this with the real key later - - name: 'Generate local signing key' - run: | - make local-melange.rsa - - # Touch it with the epoch date to convince `make` that we don't need to - # rebuild the targets that depend on this (all) - touch -d @0 local-melange.rsa - - - name: 'Prepare package repository' - run: | - # yay wolfi! - apk add gcsfuse google-cloud-sdk - - # Set up a gcsfuse RO mount to the public bucket. This is a cheap and - # cheerful way to recreate the make targets (class A HEADs) locally - # without syncing the whole bucket (class A+B). 
- mkdir -p /gcsfuse/wolfi-registry - gcsfuse -o ro --implicit-dirs --only-dir os wolfi-production-registry-destination /gcsfuse/wolfi-registry - - mkdir -p ./packages/${{ matrix.arch }} - # Symlink the gcsfuse mount to ./packages/ to workaround the Makefile CWD assumptions - for f in /gcsfuse/wolfi-registry/${{ matrix.arch }}/*.apk; do - ln -s "$f" ./packages/${{ matrix.arch }}/ - done - - # Make a copy of the APKINDEX.* since we'll need to write to it on package builds - cp /gcsfuse/wolfi-registry/${{ matrix.arch }}/APKINDEX.* ./packages/${{ matrix.arch }}/ - - # TODO: Replace this with wolfictl build, since the current make build - # method doesn't trigger new builds for dependent updates. - - name: 'Build Wolfi' - run: | - make \ - ARCH=${{ matrix.arch }} \ - MELANGE_EXTRA_OPTS="--keyring-append=/gcsfuse/wolfi-registry/wolfi-signing.rsa.pub" \ - all -j1 - - # Always run this step for https://github.com/wolfi-dev/os/issues/8698 - - if: ${{ always() }} - name: 'Create artifacts tarball' - run: | - set -x - set -e - set -o pipefail - - # Pick up any stragglers that didn't get uploaded in previous builds. - cat ./packages/${{ matrix.arch }}/APKINDEX.tar.gz | tar -Oxz APKINDEX | awk -F':' '$1 == "P" {printf "%s-", $2} $1 == "V" {printf "%s.apk\n", $2}' | sort > indexed.txt - # TODO: Figure out why ls through gcsfuse is so slow. - gcloud storage ls gs://wolfi-production-registry-destination/os/${{ matrix.arch }} | grep ".apk$" | xargs -n1 basename | sort > uploaded.txt - - # Lines that are only in uploaded.txt and not indexed.txt. - comm -13 indexed.txt uploaded.txt > missing.txt - - # Clean up the symlinks to keep only packages we built. - find ./packages/${{ matrix.arch }} -type l -exec rm -f {} \; - - # Merge any missing APKs into our new index. - for missed in $(cat missing.txt); do - # We could do this in one command instead of a loop, but it takes things on argv, which is a bit annoying. 
- melange index --merge \ - --source ./packages/${{ matrix.arch }}/APKINDEX.tar.gz \ - --output new.tar.gz \ - /gcsfuse/wolfi-registry/${{ matrix.arch }}/${missed} - - # Overwrite what we're going to upload (and for the next loop). - mv new.tar.gz ./packages/${{ matrix.arch }}/APKINDEX.tar.gz - done - - diff \ - <(cat /gcsfuse/wolfi-registry/${{ matrix.arch }}/APKINDEX.tar.gz | tar -Oxz APKINDEX) \ - <(cat ./packages/${{ matrix.arch }}/APKINDEX.tar.gz | tar -Oxz APKINDEX) || true - - # Create an archive for uploading - tar -cvzf /tmp/packages-${{ matrix.arch }}.tar.gz ./packages/${{ matrix.arch }} - - # Always run this step for https://github.com/wolfi-dev/os/issues/8698 - - if: ${{ always() }} - name: 'Upload built packages archive to GitHub Artifacts' - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 - with: - name: packages-${{ matrix.arch }} - path: /tmp/packages-${{ matrix.arch }}.tar.gz - retention-days: 1 # Low ttl since this is just an intermediary used once - if-no-files-found: warn - - upload-packages: - runs-on: ubuntu-latest-16-cores - needs: build - - # Always run this job for https://github.com/wolfi-dev/os/issues/8698 - if: ${{ always() }} - - permissions: - id-token: write - contents: read - - container: - # NOTE: This step only signs and uploads, so it doesn't need any privileges - image: ghcr.io/wolfi-dev/sdk:latest@sha256:c4640fd2e678c3ffe171047e5d232e6d2ca9cf8fc5120ad8d71bef45bdfa92b3 - - steps: - - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 - with: - egress-policy: audit - - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - name: Free up runner disk space - run: | - set -x - rm -rf /usr/share/dotnet - rm -rf "$AGENT_TOOLSDIRECTORY" - - - name: 'Trust the github workspace' - run: | - # This is to avoid fatal errors about "dubious ownership" because we are - # running inside of a container action with the workspace mounted 
in. - git config --global --add safe.directory "$(pwd)" - - - name: 'Download x86_64 package archives' - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - path: /tmp/artifacts/ - name: packages-x86_64 - - - name: 'Download aarch64 package archives' - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - path: /tmp/artifacts/ - name: packages-aarch64 - - # This is managed here: https://github.com/chainguard-dev/secrets/blob/main/wolfi-dev.tf - - uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 - id: auth - with: - workload_identity_provider: "projects/12758742386/locations/global/workloadIdentityPools/github-pool/providers/github-provider" - service_account: "wolfi-dev@chainguard-github-secrets.iam.gserviceaccount.com" - - uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0 - with: - project_id: "chainguard-github-secrets" - - uses: 'google-github-actions/get-secretmanager-secrets@dc4a1392bad0fd60aee00bb2097e30ef07a1caae' # v2.1.3 - id: secrets - with: - secrets: |- - token:chainguard-github-secrets/wolfi-dev-signing-key - - - run: echo "${{ steps.secrets.outputs.token }}" > ./wolfi-signing.rsa - - run: | - mkdir -p /etc/apk/keys - cp ./wolfi-signing.rsa.pub /etc/apk/keys/wolfi-signing.rsa.pub - - - name: 'Update the APKINDEX' - run: | - for arch in "x86_64" "aarch64"; do - mkdir -p ./packages/${arch} - - # Consolidate with the built artifacts - tar xvf /tmp/artifacts/packages-${arch}.tar.gz - - # Sign the APK index - melange sign-index -f --signing-key ./wolfi-signing.rsa packages/${arch}/APKINDEX.tar.gz - - # Only attempt to sign when *.apk's exist. - apks=$(ls ./packages/${arch}/*.apk 2>/dev/null || true) - if [ -n "$apks" ]; then - melange sign --signing-key ./wolfi-signing.rsa ./packages/${arch}/*.apk - fi - done - - # Clean up the signing key before uploading to storage out - # of an abundance of caution. 
- - run: rm ./wolfi-signing.rsa - - # We use a different GSA for our interaction with GCS. - - uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 - with: - workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha" - service_account: "prod-images-ci@prod-images-c6e5.iam.gserviceaccount.com" - - uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0 - with: - project_id: "prod-images-c6e5" - - - name: 'Upload packages to GCS' - run: | - for arch in "x86_64" "aarch64"; do - # Only attempt to upload when *.apk's exist - apks=$(ls ./packages/${arch}/*.apk 2>/dev/null || true) - if [ -n "$apks" ]; then - # apks will be cached in CDN for an hour by default. - # Don't upload the object if it already exists. - gcloud --quiet storage cp \ - --no-clobber \ - "./packages/${arch}/*.apk" "gs://wolfi-production-registry-destination/os/${arch}/" - fi - done - - - name: 'Create APKINDEX tarball' - run: | - # Tar up any 'APKINDEX.*' files {aarch64,x86_64} x {tar.gz,json} - find ./packages/ -name 'APKINDEX.*' > to-include - tar -cvzf /tmp/indexes.tar.gz --files-from to-include - - - name: 'Upload APKINDEX archive to GitHub Artifacts' - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 - with: - name: indexes - path: /tmp/indexes.tar.gz - retention-days: 1 # Low ttl since this is just an intermediary used once - if-no-files-found: warn - - upload-index: - runs-on: ubuntu-latest-16-cores - needs: upload-packages - - permissions: - id-token: write - contents: read - - container: - # NOTE: This step only signs and uploads, so it doesn't need any privileges - image: ghcr.io/wolfi-dev/sdk:latest@sha256:c4640fd2e678c3ffe171047e5d232e6d2ca9cf8fc5120ad8d71bef45bdfa92b3 - - steps: - - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 - with: - egress-policy: audit - - 
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - name: 'Trust the github workspace' - run: | - # This is to avoid fatal errors about "dubious ownership" because we are - # running inside of a container action with the workspace mounted in. - git config --global --add safe.directory "$(pwd)" - - - id: auth - name: 'Authenticate to Google Cloud' - uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 - with: - workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha" - service_account: "prod-images-ci@prod-images-c6e5.iam.gserviceaccount.com" - - - uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0 - with: - project_id: prod-images-c6e5 - - - name: 'Download index archive' - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - path: /tmp/artifacts/ - name: indexes - - - name: 'Upload indexes to GCS' - run: | - tar xvf /tmp/artifacts/indexes.tar.gz - - for arch in "x86_64" "aarch64"; do - # Don't cache the APKINDEX. 
- gcloud --quiet storage cp \ - --cache-control=no-store \ - "./packages/${arch}/APKINDEX.tar.gz" "gs://wolfi-production-registry-destination/os/${arch}/" - - gcloud --quiet storage cp \ - --cache-control=no-store \ - "./packages/${arch}/APKINDEX.json" "gs://wolfi-production-registry-destination/os/${arch}/" - done - - postrun: - name: Notify Slack - runs-on: ubuntu-latest - if: failure() - needs: [build, upload-packages, upload-index] - steps: - - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 - with: - egress-policy: audit - - - uses: rtCamp/action-slack-notify@4e5fb42d249be6a45a298f3c9543b111b02f7907 # v2.3.0 - env: - SLACK_ICON: http://github.com/chainguard-dev.png?size=48 - SLACK_USERNAME: guardian - SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }} - SLACK_CHANNEL: C047DK5BUNP - SLACK_MSG_AUTHOR: wolfi-bot - SLACK_COLOR: '#8E1600' - MSG_MINIMAL: 'true' - SLACK_TITLE: '[build-wolfi-os] failure: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}' - SLACK_MESSAGE: | - https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} diff --git a/.github/workflows/build-world.yaml b/.github/workflows/build-world.yaml deleted file mode 100644 index aa98ea37d66..00000000000 --- a/.github/workflows/build-world.yaml +++ /dev/null 
@@ -1,81 +0,0 @@ -name: Build Wolfi OS world from bootstrap - -on: - workflow_dispatch: - -# Only run one build at a time to prevent out of sync signatures -concurrency: - group: build-world-${{ github.ref }} - -permissions: - contents: read - -jobs: - build: - name: Build packages - if: github.repository == 'wolfi-dev/os' - - strategy: - matrix: - arch: [ "x86_64", "aarch64" ] - fail-fast: false - - runs-on: - group: wolfi-os-builder-${{ matrix.arch }} - - # Ensure this is deprivileged, isolated job - # permissions: - - container: - image: ghcr.io/wolfi-dev/sdk:latest@sha256:c4640fd2e678c3ffe171047e5d232e6d2ca9cf8fc5120ad8d71bef45bdfa92b3 - # TODO: Deprivilege - options: | - --cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/fuse --security-opt seccomp=unconfined --security-opt apparmor:unconfined - - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - name: 'Trust the github workspace' - run: | - # This is to avoid fatal errors about "dubious ownership" because we are - # running inside of a container action with the workspace mounted in. - git config --global --add safe.directory "$(pwd)" - - # Build with a local key, we'll resign this with the real key later - - name: 'Generate local signing key' - run: | - make local-melange.rsa - - - name: 'Build Wolfi World' - run: | - wolfictl build \ - -k local-melange.rsa.pub \ - -r ./packages \ - -k https://packages.wolfi.dev/bootstrap/stage3/wolfi-signing.rsa.pub \ - -r https://packages.wolfi.dev/bootstrap/stage3 \ - --arch=${{ matrix.arch }} \ - --runner=bubblewrap \ - -j10 - - # TODO: See how big these get, maybe we only upload failures and shorten the retention, or throw them in GCS - - name: Upload build logs - if: always() - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 - with: - name: buildlogs - path: ./packages/**/buildlogs/*.log - retention-days: 7 - - # TODO: enable Slack alerts when this is expected to pass reliably. 
- #postrun: - # runs-on: ubuntu-latest - # needs: [build] - # if: failure() - # steps: - # - uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 # v1.23.0 - # id: slack - # with: - # payload: '{"text": "[build-wolfi-world-bootstrap] failure: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"}' - # env: - # SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} - # SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 888ac4e5aa5..4d41260d54c 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
@@ -1,463 +1,21 @@ -name: Build Wolfi OS +name: Build -on: - push: - branches: ['main'] - paths-ignore: - - '**.md' - - '**.txt' - - workflow_dispatch: - -# Only run one build at a time to prevent out of sync signatures. -concurrency: build +on: [pull_request] jobs: - build: - name: Build packages - if: github.repository == 'wolfi-dev/os' - - strategy: - matrix: - arch: [ "x86_64", "aarch64" ] - fail-fast: false - - runs-on: - group: wolfi-os-builder-${{ matrix.arch }} - - permissions: - contents: read - - container: - image: ghcr.io/wolfi-dev/sdk:latest@sha256:c4640fd2e678c3ffe171047e5d232e6d2ca9cf8fc5120ad8d71bef45bdfa92b3 - # TODO: Deprivilege - options: | - --cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/fuse --security-opt seccomp=unconfined --security-opt apparmor:unconfined - - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - name: 'Trust the github workspace' - run: | - # This is to avoid fatal errors about "dubious ownership" because we are - # running inside of a container action with the workspace mounted in. - git config --global --add safe.directory "$(pwd)" - - # Build with a local key, we'll resign this with the real key later - - name: 'Generate local signing key' - run: | - make local-melange.rsa - - # Touch it with the epoch date to convince `make` that we don't need to - # rebuild the targets that depend on this (all) - touch -d @0 local-melange.rsa - - - name: 'Prepare package repository' - run: | - # yay wolfi! - apk add gcsfuse google-cloud-sdk - - # Set up a gcsfuse RO mount to the public bucket. This is a cheap and - # cheerful way to recreate the make targets (class A HEADs) locally - # without syncing the whole bucket (class A+B). 
- mkdir -p /gcsfuse/wolfi-registry - gcsfuse -o ro --implicit-dirs --only-dir os wolfi-production-registry-destination /gcsfuse/wolfi-registry - - mkdir -p ./packages/${{ matrix.arch }} - # Symlink the gcsfuse mount to ./packages/ to workaround the Makefile CWD assumptions - for f in /gcsfuse/wolfi-registry/${{ matrix.arch }}/*.apk; do - ln -s "$f" ./packages/${{ matrix.arch }}/ - done - - # Make a copy of the APKINDEX.* since we'll need to write to it on package builds - cp /gcsfuse/wolfi-registry/${{ matrix.arch }}/APKINDEX.* ./packages/${{ matrix.arch }}/ - - # TODO: Remove the previous and next steps by folding the logic into wolfictl. - - name: 'Build Wolfi' - run: | - wolfictl build \ - --runner bubblewrap \ - --keyring-append /gcsfuse/wolfi-registry/wolfi-signing.rsa.pub \ - --repository-append ./packages \ - --keyring-append local-melange.rsa.pub \ - --repository-append https://packages.wolfi.dev/os \ - --keyring-append https://packages.wolfi.dev/os/wolfi-signing.rsa.pub \ - --signing-key local-melange.rsa \ - --arch ${{ matrix.arch }} \ - --namespace wolfi \ - --pipeline-dir ./pipelines/ \ - --destination-repository https://packages.wolfi.dev/os \ - --trace ./packages/${{ matrix.arch }}/trace.json - - # Always run this step for https://github.com/wolfi-dev/os/issues/8698 - - if: ${{ always() }} - name: 'Create artifacts tarball' - run: | - set -x - set -e - set -o pipefail - - # Overwrite the APKINDEX.tar.gz we just generated with the original one. - # Since we use a temporary key during the build, we need to re-sign the APKs later. - # We don't want to keep the newly indexed stuff because the size field is probably wrong. - cp /gcsfuse/wolfi-registry/${{ matrix.arch }}/APKINDEX.* ./packages/${{ matrix.arch }}/ - - # Pick up any stragglers that didn't get uploaded in previous builds. 
- cat ./packages/${{ matrix.arch }}/APKINDEX.tar.gz | tar -Oxz APKINDEX | awk -F':' '$1 == "P" {printf "%s-", $2} $1 == "V" {printf "%s.apk\n", $2}' | sort > indexed.txt - # TODO: Figure out why ls through gcsfuse is so slow. - gcloud storage ls gs://wolfi-production-registry-destination/os/${{ matrix.arch }} | grep ".apk$" | xargs -n1 basename | sort > uploaded.txt - - # Lines that are only in uploaded.txt and not indexed.txt. - comm -13 indexed.txt uploaded.txt > missing.txt - - # Clean up the symlinks to keep only packages we built. - find ./packages/${{ matrix.arch }} -type l -exec rm -f {} \; - - # Merge any missing APKs into our new index. - for missed in $(cat missing.txt); do - # We could do this in one command instead of a loop, but it takes things on argv, which is a bit annoying. - melange index --merge \ - --source ./packages/${{ matrix.arch }}/APKINDEX.tar.gz \ - --output new.tar.gz \ - /gcsfuse/wolfi-registry/${{ matrix.arch }}/${missed} - - # Overwrite what we're going to upload (and for the next loop). - mv new.tar.gz ./packages/${{ matrix.arch }}/APKINDEX.tar.gz - done - - diff \ - <(cat /gcsfuse/wolfi-registry/${{ matrix.arch }}/APKINDEX.tar.gz | tar -Oxz APKINDEX) \ - <(cat ./packages/${{ matrix.arch }}/APKINDEX.tar.gz | tar -Oxz APKINDEX) || true - - # Move logs so we can upload them separately. - mv ./packages/${{ matrix.arch }}/buildlogs /tmp/buildlogs - - # Move trace so we can upload it separately. 
- mv ./packages/${{ matrix.arch }}/trace.json /tmp/trace.json - - # Create an archive for uploading - tar -cvzf /tmp/packages-${{ matrix.arch }}.tar.gz ./packages/${{ matrix.arch }} - - # Always run these steps for https://github.com/wolfi-dev/os/issues/8698 - - if: ${{ always() }} - name: 'Upload logs archive to GitHub Artifacts' - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 - with: - name: logs-${{ matrix.arch }} - path: /tmp/buildlogs/ - if-no-files-found: warn - - if: ${{ always() }} - name: 'Upload trace to GitHub Artifacts' - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 - with: - name: trace-${{ matrix.arch }} - path: /tmp/trace.json - if-no-files-found: warn - - if: ${{ always() }} - name: 'Upload built packages archive to GitHub Artifacts' - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 - with: - name: packages-${{ matrix.arch }} - path: /tmp/packages-${{ matrix.arch }}.tar.gz - retention-days: 1 # Low ttl since this is just an intermediary used once - if-no-files-found: warn - - upload-packages: - runs-on: ubuntu-latest-16-cores - needs: build - - # Always run this job for https://github.com/wolfi-dev/os/issues/8698 - if: ${{ always() }} - - permissions: - id-token: write - contents: read - - container: - # NOTE: This step only signs and uploads, so it doesn't need any privileges - image: ghcr.io/wolfi-dev/sdk:latest@sha256:c4640fd2e678c3ffe171047e5d232e6d2ca9cf8fc5120ad8d71bef45bdfa92b3 - - steps: - - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 - with: - egress-policy: audit - - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - name: Free up runner disk space - run: | - set -x - rm -rf /usr/share/dotnet - rm -rf "$AGENT_TOOLSDIRECTORY" - - - name: 'Trust the github workspace' - run: | - # This is to avoid fatal errors about "dubious ownership" because we are - 
# running inside of a container action with the workspace mounted in. - git config --global --add safe.directory "$(pwd)" - - - name: 'Download x86_64 package archives' - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - path: /tmp/artifacts/ - name: packages-x86_64 - - - name: 'Download aarch64 package archives' - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - path: /tmp/artifacts/ - name: packages-aarch64 - - # This is managed here: https://github.com/chainguard-dev/secrets/blob/main/wolfi-dev.tf - - uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 - id: auth - with: - workload_identity_provider: "projects/12758742386/locations/global/workloadIdentityPools/github-pool/providers/github-provider" - service_account: "wolfi-dev@chainguard-github-secrets.iam.gserviceaccount.com" - - uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0 - with: - project_id: "chainguard-github-secrets" - - uses: 'google-github-actions/get-secretmanager-secrets@dc4a1392bad0fd60aee00bb2097e30ef07a1caae' # v2.1.3 - id: secrets - with: - secrets: |- - token:chainguard-github-secrets/wolfi-dev-signing-key - - - run: echo "${{ steps.secrets.outputs.token }}" > ./wolfi-signing.rsa - - run: | - mkdir -p /etc/apk/keys - cp ./wolfi-signing.rsa.pub /etc/apk/keys/wolfi-signing.rsa.pub - - - name: 'Update the APKINDEX' - run: | - for arch in "aarch64" "x86_64"; do - mkdir -p ./packages/${arch} - - # Consolidate with the built artifacts - tar xvf /tmp/artifacts/packages-${arch}.tar.gz - - # Only attempt to sign when *.apk's exist. 
- apks=$(ls ./packages/${arch}/*.apk 2>/dev/null || true) - if [ -n "$apks" ]; then - melange sign --signing-key ./wolfi-signing.rsa ./packages/${arch}/*.apk - - melange index --merge \ - --source ./packages/${arch}/APKINDEX.tar.gz \ - --output ./packages/${arch}/APKINDEX.tar.gz \ - ./packages/${arch}/*.apk - fi - - # Sign the APK index - melange sign-index -f --signing-key ./wolfi-signing.rsa packages/${arch}/APKINDEX.tar.gz - done - - # Clean up the signing key before uploading to storage out - # of an abundance of caution. - - run: rm ./wolfi-signing.rsa - - # We use a different GSA for our interaction with GCS. - - uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 - with: - workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha" - service_account: "prod-images-ci@prod-images-c6e5.iam.gserviceaccount.com" - - uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0 - with: - project_id: "prod-images-c6e5" - - - name: 'Upload packages to GCS' - run: | - for arch in "aarch64" "x86_64"; do - # Only attempt to upload when *.apk's exist - apks=$(ls ./packages/${arch}/*.apk 2>/dev/null || true) - if [ -n "$apks" ]; then - # apks will be cached in CDN for an hour by default. - # Don't upload the object if it already exists. 
- gcloud --quiet storage cp \ - --no-clobber \ - "./packages/${arch}/*.apk" "gs://wolfi-production-registry-destination/os/${arch}/" - fi - done - - - name: 'Create APKINDEX tarball' - run: | - # Tar up any 'APKINDEX.*' files {aarch64,x86_64} x {tar.gz,json} - find ./packages/ -name 'APKINDEX.*' > to-include - tar -cvzf /tmp/indexes.tar.gz --files-from to-include - - - name: 'Upload APKINDEX archive to GitHub Artifacts' - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 - with: - name: indexes - path: /tmp/indexes.tar.gz - retention-days: 1 # Low ttl since this is just an intermediary used once - if-no-files-found: warn - - upload-index: - runs-on: ubuntu-latest-16-cores - needs: upload-packages - - permissions: - id-token: write - contents: read - - container: - # NOTE: This step only signs and uploads, so it doesn't need any privileges - image: ghcr.io/wolfi-dev/sdk:latest@sha256:c4640fd2e678c3ffe171047e5d232e6d2ca9cf8fc5120ad8d71bef45bdfa92b3 - - steps: - - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 - with: - egress-policy: audit - - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - name: 'Trust the github workspace' - run: | - # This is to avoid fatal errors about "dubious ownership" because we are - # running inside of a container action with the workspace mounted in. 
- git config --global --add safe.directory "$(pwd)" - - - id: auth - name: 'Authenticate to Google Cloud' - uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 - with: - workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha" - service_account: "prod-images-ci@prod-images-c6e5.iam.gserviceaccount.com" - - - uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0 - with: - project_id: prod-images-c6e5 - - - name: 'Download index archive' - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - path: /tmp/artifacts/ - name: indexes - - - name: 'Upload indexes to GCS' - run: | - tar xvf /tmp/artifacts/indexes.tar.gz - - for arch in "aarch64" "x86_64"; do - # Don't cache the APKINDEX. - gcloud --quiet storage cp \ - --cache-control=no-store \ - "./packages/${arch}/APKINDEX.tar.gz" "gs://wolfi-production-registry-destination/os/${arch}/" - - gcloud --quiet storage cp \ - --cache-control=no-store \ - "./packages/${arch}/APKINDEX.json" "gs://wolfi-production-registry-destination/os/${arch}/" - done - - upload-packages-to-cgr: + build-packages: runs-on: ubuntu-latest - needs: build - - # Always run this job for https://github.com/wolfi-dev/os/issues/8698 - if: ${{ always() }} - - permissions: - id-token: write - contents: read - steps: - - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 + - uses: actions/checkout@v3 with: - egress-policy: audit - - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + fetch-depth: 0 - - name: 'Trust the github workspace' + # TODO: if new packages list grows, automation of listing packages would be handy + - name: Build packages specific to this repo run: | - # This is to avoid fatal errors about "dubious ownership" because we are - # running inside of a container action with the workspace mounted in. 
- git config --global --add safe.directory "$(pwd)" - - - name: 'Download x86_64 package archives' - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - path: /tmp/artifacts/ - name: packages-x86_64 - - - name: 'Download aarch64 package archives' - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - path: /tmp/artifacts/ - name: packages-aarch64 - - - name: 'Unpack the package archives' - run: | - for arch in "aarch64" "x86_64"; do - mkdir -p ./packages/${arch} - - # Consolidate with the built artifacts - tar xvf /tmp/artifacts/packages-${arch}.tar.gz - done - - # use public chainguard provider. - - uses: chainguard-dev/setup-chainctl@f52718d822dc73d21a04ef2082822c4a203163b3 # v0.2.2 - with: - # Managed here: - # https://github.com/chainguard-dev/mono/blob/main/env/chainguard-images/iac/wolfi-os-pusher.tf - identity: "720909c9f5279097d847ad02a2f24ba8f59de36a/6a26f2970f880c31" - - - name: 'Upload packages to apk.cgr.dev' - run: | - set -ex - # Populate the token here, since chainctl auth token - # doesn't support all of the options we need. 
- chainctl auth login --audience apk.cgr.dev \ - --identity "720909c9f5279097d847ad02a2f24ba8f59de36a/6a26f2970f880c31" - tok=$(chainctl auth token --audience apk.cgr.dev) - echo "::add-mask::${tok}" - - for arch in "aarch64" "x86_64"; do - # Only attempt to upload when *.apk's exist - apks=$(ls ./packages/${arch}/*.apk 2>/dev/null || true) - if [ -n "$apks" ]; then - for apk in ${apks}; do - package="$(basename ${apk})" - - # Check if package already exists in apk.cgr.dev - code=$(curl -s -o /dev/null --head -w "%{http_code}" --user "user:${tok}" "https://apk.cgr.dev/chainguard/${arch}/${package}") - if [ $code == "303" ]; then - echo "Package already exists: ${package}" - continue - elif [ $code != "404" ]; then - echo "Unexpected response code: $code" - exit 1 - fi - - curl --fail -X POST \ - --user "user:${tok}" \ - --data-binary "@${apk}" \ - "https://apk.cgr.dev/chainguard/${arch}/${package}" - done - fi - done - - postrun: - name: Notify Slack - runs-on: ubuntu-latest - if: failure() - needs: [build, upload-packages, upload-packages-to-cgr, upload-index] - steps: - - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 - with: - egress-policy: audit - - - uses: rtCamp/action-slack-notify@4e5fb42d249be6a45a298f3c9543b111b02f7907 # v2.2.1 - env: - SLACK_ICON: http://github.com/chainguard-dev.png?size=48 - SLACK_USERNAME: guardian - SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }} - SLACK_CHANNEL: C047DK5BUNP - SLACK_MSG_AUTHOR: wolfi-bot - SLACK_COLOR: '#8E1600' - MSG_MINIMAL: 'true' - SLACK_TITLE: '[build-wolfi-os] failure: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}' - SLACK_MESSAGE: | - https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} + docker run --privileged --rm -v $(pwd):/work cgr.dev/chainguard/melange build --arch=x86_64 poppler.yaml + docker run --privileged --rm -v $(pwd)/packages:/work/packages -v 
$(pwd)/font-liberation1.yaml:/work/font-liberation1.yaml cgr.dev/chainguard/melange build --arch=x86_64 font-liberation1.yaml
+ docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libspatialindex.yaml:/work/libspatialindex.yaml cgr.dev/chainguard/melange build --arch=x86_64 libspatialindex.yaml
+ docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/mesa22.yaml:/work/mesa22.yaml cgr.dev/chainguard/melange build --arch=x86_64 mesa22.yaml
+ docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libjpeg-turbo2.yaml:/work/libjpeg-turbo2.yaml cgr.dev/chainguard/melange build --arch=x86_64 libjpeg-turbo2.yaml
+ docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/tesseract52.yaml:/work/tesseract52.yaml cgr.dev/chainguard/melange build --arch=x86_64 tesseract52.yaml
diff --git a/.github/workflows/ci-build.yaml b/.github/workflows/ci-build.yaml
deleted file mode 100644
index 38ec1d8cc5c..00000000000
--- a/.github/workflows/ci-build.yaml
+++ /dev/null
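Review bot: The new `build-packages` job has no `permissions:` block and references `actions/checkout@v3` by a mutable tag, while every job and action in the workflow it replaces carried `contents: read` and a commit-SHA pin; restoring both means a top-level `permissions:` / `  contents: read` and `- uses: actions/checkout@<commit-sha> # v3` (placeholder — substitute the real SHA for the v3 tag). The `cgr.dev/chainguard/melange` image in the run step is likewise pulled by floating tag into a `--privileged` container, so it should be referenced by digest (`cgr.dev/chainguard/melange@sha256:<digest>`, placeholder) the way the old sdk image was. The `$(pwd)` volume arguments are unquoted, so a workspace path containing whitespace would split the `-v` argument; `"$(pwd)":/work` avoids that.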
@@ -1,344 +0,0 @@ -name: CI build action - -on: - pull_request: - branches: ["main"] - push: - branches: - - gh-readonly-queue/main/** - -permissions: - contents: read - -jobs: - changes: - permissions: - contents: read - - name: Determine packages to test building - runs-on: ubuntu-latest - outputs: - packages: ${{steps.package-list.outputs.packages}} - - steps: - - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 - with: - egress-policy: audit - - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - name: Look for changed files - id: changes - uses: tj-actions/changed-files@6b2903bdce6310cfbddd87c418f253cf29b2dec9 # v44.5.6 - with: - files_yaml: | - melange: - - ./*.yaml # Only top level files without structure - - ./*/*/*.melange.yaml # Support recursive melange files with the new naming convention. - - # this need to point to main to always get the latest action - - uses: wolfi-dev/actions/install-wolfictl@main # main - - # Assuming that we have a list of changed files such as `foo.yaml` and `bar.yaml`, this - # strips the list down into `foo` and `bar`. - - name: Build package list - id: package-list - run: | - printf "packages=" >> $GITHUB_OUTPUT - - wolfictl text -t name --pipeline-dir=./pipelines/ \ - -r https://packages.wolfi.dev/bootstrap/stage3 \ - -k https://packages.wolfi.dev/bootstrap/stage3/wolfi-signing.rsa.pub > packages-list - while read pkg; do - for file in ${{ steps.changes.outputs.melange_all_changed_files }}; do - # Since the file is a path, we need to strip out only the file - # name from it. 
- base_file=$(basename $file) - base_file="${base_file%.melange.yaml}" - base_file="${base_file%.yaml}" - printf "base_file: $base_file" - [ "${base_file}" = "$pkg" ] && printf "%s " ${base_file} >> $GITHUB_OUTPUT - done - done < packages-list - - printf "\n" >> $GITHUB_OUTPUT - - build: - name: Test building of packages - strategy: - matrix: - arch: ["x86_64", "aarch64"] - include: - - arch: x86_64 - runner: ubuntu-latest-16-cores - oci: amd64 - - arch: aarch64 - runner: ubuntu-arm-16-cores - oci: arm64 - fail-fast: false - runs-on: ${{ matrix.runner }} - needs: changes - outputs: - packages_were_built: ${{ steps.file_check.outputs.exists }} - - permissions: - contents: read - pull-requests: write # so we have permission to comment on pull requests - - steps: - - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 - with: - egress-policy: audit - - - name: Free up runner disk space - run: | - set -x - printf "==> Available space before cleanup\n" - df -h - rm -rf /usr/share/dotnet - rm -rf "$AGENT_TOOLSDIRECTORY" - - printf "==> Available space after cleanup\n" - df -h - - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Docker - run: | - # Add Docker's official GPG key: - sudo apt-get update -y - sudo apt-get install ca-certificates curl -y - sudo install -m 0755 -d /etc/apt/keyrings - sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc - sudo chmod a+r /etc/apt/keyrings/docker.asc - # Add the repository to Apt sources: - echo \ - "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \ - $(. 
/etc/os-release && echo "$VERSION_CODENAME") stable" | \ - sudo tee /etc/apt/sources.list.d/docker.list > /dev/null - sudo apt-get update -y - sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin - sudo usermod -aG docker $USER - sudo apt-get install acl - sudo setfacl --modify user:$USER:rw /var/run/docker.sock - - - name: "Generate local signing key" - uses: ./.github/actions/docker-run - with: - run: | - make MELANGE="melange" local-melange.rsa - - - name: "Build Wolfi" - uses: ./.github/actions/docker-run - with: - opts: "-v /temp:/temp -v /var/run/docker.sock:/var/run/docker.sock" - run: | - # Use a different shared $TMPDIR accessible and non-conflicting to - # both the host and container since we're running docker out of - # docker - export TMPDIR="/temp" - - # This is to avoid fatal errors about "dubious ownership" because we are - # running inside of a container action with the workspace mounted in. - git config --global --add safe.directory . - - mkdir -p .melangecache - for package in ${{needs.changes.outputs.packages}}; do - make MELANGE_EXTRA_OPTS="--create-build-log --cache-dir=.melangecache" REPO="./packages" package/$package -j1 - make MELANGE_EXTRA_OPTS="--runner docker" REPO="./packages" "test/$package" -j1 - done - - - name: "Check that packages can be installed with apk add" - uses: ./.github/actions/docker-run - with: - run: | - # Create a fake linux fs under /tmp/emptyroot to pass to `apk --root`. 
- mkdir -p /tmp/emptyroot/etc/apk - cp -r /etc/apk/* /tmp/emptyroot/etc/apk/ - cat /dev/null > /tmp/emptyroot/etc/apk/world - - mkdir -p /tmp/emptyroot/lib/apk/db - touch /tmp/emptyroot/lib/apk/db/{installed,lock,scripts.tar,triggers} - - mkdir -p /tmp/emptyroot/var/cache/apk - apk update --root /tmp/emptyroot - - # Find .apk files and add them to the string - for f in $(find packages -name '*.apk'); do - tar -Oxf "$f" .PKGINFO - apk add --root /tmp/emptyroot --repository "./packages" --allow-untrusted --simulate "$f" - done - - - name: Reset file permissions - run: | - sudo chown -R $(id -u):$(id -g) . - - - name: Check SBOMs - uses: ./.github/actions/docker-run - with: - run: | - apk add py3-ntia-conformance-checker spdx-tools-java - for f in $(find packages -name '*.apk'); do - echo "==== Checking SBOM for $f ====" - tar -Oxf "$f" var/lib/db/sbom/ > sbom.json - echo ::group::sbom.json - cat sbom.json - echo ::endgroup:: - ntia-checker -v --file sbom.json - tools-java Verify sbom.json - done - - - name: Check for file - id: file_check - run: | - if test -f "packages.log"; then - cat packages.log - echo "exists=true" >> $GITHUB_OUTPUT - else - echo "exists=false" >> $GITHUB_OUTPUT - fi - touch packages.log - - - name: Check diff - if: steps.file_check.outputs.exists == 'true' - # Let's not fail the whole job if this step fails as it is for improved UX rather than an enforced check - continue-on-error: true - uses: ./.github/actions/docker-run - with: - run: | - wolfictl check diff - - - name: Check for diff file - id: diff_file_check - run: | - if test -f "diff.log"; then - cat diff.log - echo "exists=true" >> $GITHUB_OUTPUT - else - echo "exists=false" >> $GITHUB_OUTPUT - fi - - # Use the x86_64 build results for the comment for now so we don't have duplicates. 
- - name: PR comment diff - if: steps.diff_file_check.outputs.exists == 'true' && matrix.arch == 'x86_64' - uses: thollander/actions-comment-pull-request@fabd468d3a1a0b97feee5f6b9e499eab0dd903f6 # v2.5.0 - # We're seeing jobs using merge queues fail - continue-on-error: true - with: - filePath: diff.log - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: "Upload built packages to GitHub artifacts" - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 - with: - path: | - ./packages/${{ matrix.arch }} - ./packages.log - name: packages-${{ matrix.arch }} - retention-days: 1 - if-no-files-found: warn - - so_check: - permissions: - contents: read - - name: "ABI Compatibility check" - runs-on: ubuntu-latest - needs: build - if: needs.build.outputs.packages_were_built == 'true' - - steps: - - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 - with: - egress-policy: audit - - - name: "Retrieve x86_64 packages" - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - name: packages-x86_64 - path: /tmp/artifacts-1/ - - - name: "Retrieve aarch64 packages" - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - name: packages-aarch64 - path: /tmp/artifacts-2/ - - - name: "Collect packages from all architectures into one place" - run: | - cd /tmp/artifacts-1 - - # Put the packages into one place (if aarch64 logs exist) - if test -f "/tmp/artifacts-2/packages"; then - mv /tmp/artifacts-2/packages/* ./packages/ - # Merge the build log ("packages.log") files - cat /tmp/artifacts-2/packages.log >> ./packages.log - fi - - # this need to point to main to always get the latest action - - uses: wolfi-dev/actions/install-wolfictl@main # main - - - name: Soname check - run: | - wolfictl check so-name --packages-dir /tmp/artifacts-1/packages --package-list-file /tmp/artifacts-1/packages.log - - scan: - permissions: - contents: 
read - - name: "Scan packages for CVEs" - runs-on: ubuntu-latest - needs: build - if: needs.build.outputs.packages_were_built == 'true' - - timeout-minutes: 30 - - steps: - - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 - with: - egress-policy: audit - - - name: "Retrieve x86_64 packages" - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - name: packages-x86_64 - path: /tmp/artifacts-1/ - - - name: "Retrieve aarch64 packages" - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - name: packages-aarch64 - path: /tmp/artifacts-2/ - - - name: "Collect packages from all architectures into one place" - run: | - cd /tmp/artifacts-1 - - # Put the packages into one place (if aarch64 logs exist) - if test -f "/tmp/artifacts-2/packages"; then - mv /tmp/artifacts-2/packages/* ./packages/ - # Merge the build log ("packages.log") files - cat /tmp/artifacts-2/packages.log >> ./packages.log - fi - - - name: "Retrieve Wolfi advisory data" - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - repository: "wolfi-dev/advisories" - path: "data/wolfi-advisories" - - # this need to point to main to always get the latest action - - uses: wolfi-dev/actions/install-wolfictl@main # main - - - name: Scan for CVEs - run: | - wolfictl scan \ - --build-log \ - --advisories-repo-dir 'data/wolfi-advisories' \ - --advisory-filter 'resolved' \ - --require-zero \ - /tmp/artifacts-1 \ - 2> /dev/null # The error message renders strangely on GitHub Actions, and the important information is already being sent to stdout. diff --git a/.github/workflows/delete-old-branches.yaml b/.github/workflows/delete-old-branches.yaml deleted file mode 100644 index 88c8dc0041d..00000000000 --- a/.github/workflows/delete-old-branches.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -name: Delete old branches - -on: - schedule: - - cron: "0 0 * * *" - workflow_dispatch: - -permissions: - contents: read - -jobs: - cleanup_old_branches: - runs-on: ubuntu-latest - - if: github.repository == 'wolfi-dev/os' - - permissions: - id-token: write # To gitsign and federate - - steps: - - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 - with: - egress-policy: audit - - - uses: octo-sts/action@6177b4481c00308b3839969c3eca88c96a91775f # v1.0.0 - id: octo-sts - with: - scope: ${{ github.repository }} - identity: delete-branches - - # this need to point to main to always get the latest action - - uses: wolfi-dev/actions/install-wolfictl@main # main - - - name: Delete Branches - run: | - wolfictl gh gc branch https://github.com/wolfi-dev/os --match "wolfictl-" - env: - GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }} diff --git a/.github/workflows/digestabot.yaml b/.github/workflows/digestabot.yaml deleted file mode 100644 index fe814e3a68f..00000000000 --- a/.github/workflows/digestabot.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -name: Image digest update - -on: - workflow_dispatch: - schedule: - - cron: "0 1 * * *" - -permissions: - contents: read - -jobs: - image-update: - name: Image digest update - runs-on: ubuntu-latest - if: github.repository == 'wolfi-dev/os' - - permissions: - contents: read # To clone the repo - id-token: write # To gitsign and federate - - steps: - - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 - with: - egress-policy: audit - - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - uses: octo-sts/action@6177b4481c00308b3839969c3eca88c96a91775f # v1.0.0 - id: octo-sts - with: - scope: ${{ github.repository }} - identity: digestabot - - - uses: chainguard-dev/digestabot@7dc10a1f7fb063b5130b1116f26a5a0880c2a00f # v1.1.0 - with: - token: ${{ steps.octo-sts.outputs.token }} - author: "octo-sts[bot] <157150467+octo-sts[bot]@users.noreply.github.com>" - committer: "octo-sts[bot] <157150467+octo-sts[bot]@users.noreply.github.com>" diff --git a/.github/workflows/lint-world.yaml b/.github/workflows/lint-world.yaml deleted file mode 100644 index 51fbd850510..00000000000 --- a/.github/workflows/lint-world.yaml +++ /dev/null 
@@ -1,183 +0,0 @@ -name: Lint Wolfi OS World - -on: - workflow_dispatch: - -env: - EPHEMERAL_BUILD_PROJECT_ID: "prod-wolfi-os" - EPHEMERAL_BUILD_SERVICE_ACCOUNT: "wolfi-build-ephemeral-ci@prod-wolfi-os.iam.gserviceaccount.com" - EPHEMERAL_BUILD_WORKLOAD_IDENTITY_PROVIDER: "projects/728015869174/locations/global/workloadIdentityPools/github/providers/github" - EPHEMERAL_BUILD_NETWORK: "wolfi-build-ephemeral-vpc" - EPHEMERAL_BUILD_REGION: "us-central1" - -permissions: - contents: read - -jobs: - build: - name: Build packages - if: github.repository == 'wolfi-dev/os' - - strategy: - matrix: - arch: [ "x86_64", "aarch64" ] - fail-fast: false - - permissions: - id-token: write - contents: read - - runs-on: - # The host arch doesn't really matter, but use the self hosted runners because we want beefier machines. The network/io bandwidth for these builds are intense. - group: wolfi-os-builder-${{ matrix.arch }} - - container: - image: ghcr.io/wolfi-dev/sdk:latest@sha256:c4640fd2e678c3ffe171047e5d232e6d2ca9cf8fc5120ad8d71bef45bdfa92b3 - - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - name: 'Trust the github workspace' - run: | - # This is to avoid fatal errors about "dubious ownership" because we are - # running inside of a container action with the workspace mounted in. 
- git config --global --add safe.directory "$(pwd)" - - - name: 'Authenticate to Google Cloud' - uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 - with: - workload_identity_provider: ${{ env.EPHEMERAL_BUILD_WORKLOAD_IDENTITY_PROVIDER }} - service_account: ${{ env.EPHEMERAL_BUILD_SERVICE_ACCOUNT }} - - - run: apk add google-cloud-sdk gke-gcloud-auth-plugin kubectl-default - - uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0 - with: - project_id: ${{ env.EPHEMERAL_BUILD_PROJECT_ID }} - skip_install: true - - - name: Configure GCR auth - run: gcloud auth configure-docker - - - name: 'Setup workflow variables' - run: | - # Create a globally unique cluster name for each run (including retries) - echo "cluster_name=tmp-world-builder-$(date +%s)" >> "$GITHUB_ENV" - - # Build with a local key, we'll resign this with the real key later - - name: 'Generate local signing key' - run: | - make local-melange.rsa - - - name: Setup k8s runner configs - run: | - cat > .melange.k8s.yaml <<"_END_MELANGE_YAML" - provider: gke - repo: gcr.io/${{ env.EPHEMERAL_BUILD_PROJECT_ID }}/world-builds - # Fully utilize {t2a,n2d}-standard-44 - resources: - cpu: 43 - memory: 172Gi - ephemeral-storage: 9Gi - podTemplate: - nodeSelector: - cloud.google.com/compute-class: "Scale-Out" - cloud.google.com/gke-spot: "true" - volumeMounts: - - name: scratch - mountPath: /tmp - volumes: - - name: mount-0 # the default volume for /home/build - ephemeral: - volumeClaimTemplate: - metadata: - labels: - type: build - spec: - accessModes: [ "ReadWriteOnce" ] - storageClassName: "premium-rwo" # Majority of builds are very I/O intensive, so this ends up being a significant boost - resources: - requests: - # The vast majority of builds don't need this, but some do and - # it's really annoying to make it all the way through only to - # fill up the disk at the end - storage: 15Gi - - name: scratch - ephemeral: - volumeClaimTemplate: - 
metadata: - labels: - type: scratch - spec: - accessModes: [ "ReadWriteOnce" ] - storageClassName: "premium-rwo" # Majority of builds are very I/O intensive, so this ends up being a significant boost - resources: - requests: - # The vast majority of builds don't need this, but some do and - # it's really annoying to make it all the way through only to - # fill up the disk at the end - storage: 15Gi - _END_MELANGE_YAML - - - name: Create ephemeral build cluster - run: | - # Get the IP of the runner, used to ensure only this is the only source IP allowed by the api server - ip=$(curl -s https://api.ipify.org) - - gcloud container clusters create-auto "$cluster_name" \ - --region "${{ env.EPHEMERAL_BUILD_REGION }}" \ - --project "${{ env.EPHEMERAL_BUILD_PROJECT_ID }}" \ - --enable-master-authorized-networks --master-authorized-networks "$ip/32" \ - --network "${{ env.EPHEMERAL_BUILD_NETWORK }}" \ - --create-subnetwork "" \ - --service-account "wolfi-build-ephemeral-default@prod-wolfi-os.iam.gserviceaccount.com" - - gcloud container clusters update "$cluster_name" --region "${{ env.EPHEMERAL_BUILD_REGION }}" --project "${{ env.EPHEMERAL_BUILD_PROJECT_ID }}" \ - --update-labels="wolfi-dev_ephemeral-builder_github-run-id=${{ github.GITHUB_RUN_ID }},wolfi-dev_ephemeral-builder_github-run-number=${{ github.GITHUB_RUN_NUMBER }}" - - - uses: 'google-github-actions/get-gke-credentials@c544a3d7e92276d24e03a5632a53aa3913ad5d8a' # v2.2.0 - with: - cluster_name: ${{ env.cluster_name }} - location: ${{ env.EPHEMERAL_BUILD_REGION }} - project_id: ${{ env.EPHEMERAL_BUILD_PROJECT_ID }} - - - name: 'Build the world from existing state' - run: | - make \ - MELANGE_EXTRA_OPTS="--runner kubernetes" \ - BUILDWORLD=no \ - all -j30 -k - - # Remove the build logs for packages that succeeded - find ./packages/${{ matrix.arch }}/buildlogs -name "*.log" -exec sh -c 'tail -n 1 "$1" | grep -q "generating apk index from packages in packages"' _ {} \; -exec rm {} \; - - - name: Upload failed build 
logs - if: always() - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 - with: - path: ./packages/${{ matrix.arch }}/buildlogs/*.log - retention-days: 7 - - - name: Janitor the builder clusters - if: always() - run: | - # Delete any stragler builder pods, they already lack grace periods, so we can be forceful here - kubectl delete pods --all -n default --wait=false --now=true --force=true - - gcloud container clusters delete $cluster_name \ - --region "${{ env.EPHEMERAL_BUILD_REGION }}" \ - --project "${{ env.EPHEMERAL_BUILD_PROJECT_ID }}" \ - --async \ - --quiet - - # TODO: Enable when workflow is more mature - # postrun: - # runs-on: ubuntu-latest - # needs: [build] - # steps: - # - uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 # v1.23.0 - # id: slack - # with: - # payload: '{"text": "[build-wolfi-world-parallel] results: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"}' - # env: - # SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} - # SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml deleted file mode 100644 index 536cedc60d9..00000000000 --- a/.github/workflows/lint.yaml +++ /dev/null @@ -1,28 +0,0 @@ -name: Lint - -on: - pull_request: - branches: ['main'] - push: - branches: - - gh-readonly-queue/main/** - -permissions: - contents: read - -jobs: - lint: - name: Lint - runs-on: ubuntu-latest - - permissions: - contents: read - - steps: - - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 - with: - egress-policy: audit - - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # ratchet:actions/checkout@v4.1.7 - - run: ./lint.sh diff --git a/.github/workflows/push-packages.yaml b/.github/workflows/push-packages.yaml new file mode 100644 index 00000000000..74ce41ee10e --- /dev/null +++ b/.github/workflows/push-packages.yaml 
@@ -0,0 +1,40 @@ +name: Push packages + +on: + push: + branches: + - main + +jobs: + build-packages: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + fetch-depth: 0 + + - name: Save private key to temp file + run: 'echo "$SECRET" > melange.rsa' + env: + SECRET: ${{ secrets.MELANGE_PRIVATE_KEY }} + + # TODO: if new packages list grows, automation of listing packages would be handy + - name: Build signed packages specific to this repo + run: | + docker run --privileged --rm -v $(pwd):/work cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 poppler.yaml + docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/font-liberation1.yaml:/work/font-liberation1.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 font-liberation1.yaml + docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libspatialindex.yaml:/work/libspatialindex.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 libspatialindex.yaml + docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/mesa22.yaml:/work/mesa22.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 mesa22.yaml + docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libjpeg-turbo2.yaml:/work/libjpeg-turbo2.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 libjpeg-turbo2.yaml + docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/tesseract52.yaml:/work/tesseract52.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 tesseract52.yaml + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v3 + with: + aws-access-key-id: ${{ secrets.AWS_KEY_ID }} + 
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: us-east-1 + + - name: Upload index to s3 + run: | + aws s3 cp --recursive packages/x86_64 s3://wolfi-packages/x86_64 --acl public-read \ No newline at end of file diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml deleted file mode 100644 index 181cd870c3a..00000000000 --- a/.github/workflows/stale.yaml +++ /dev/null @@ -1,36 +0,0 @@ -name: 'Close stale' - -on: - schedule: - - cron: '0 1 * * *' - -permissions: - contents: read - -jobs: - stale: - # These are the permissions recommended by github. - permissions: - issues: write - pull-requests: write - - runs-on: 'ubuntu-latest' - steps: - - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 - with: - egress-policy: audit - - - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - - stale-pr-message: |- - This Pull Request is stale because it has been open for 90 days with - no activity. It will automatically close after 30 more days of - inactivity. Keep fresh with the 'lifecycle/frozen' label. - stale-pr-label: 'lifecycle/stale' - exempt-pr-labels: 'lifecycle/frozen' - - days-before-stale: 90 - days-before-close: 30 diff --git a/.github/workflows/test-world.yaml b/.github/workflows/test-world.yaml deleted file mode 100644 index 151a4ecb4aa..00000000000 --- a/.github/workflows/test-world.yaml +++ /dev/null 
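Review bot: The new workflow has no `permissions:` block and pulls `actions/checkout@v3`, `aws-actions/configure-aws-credentials@v3` and the `cgr.dev/chainguard/melange` image by mutable tag, whereas every workflow this commit deletes pinned its actions to a commit SHA and declared `permissions: contents: read`; the job only needs to read the repository, so add a top-level `permissions:` / `  contents: read` and pin the action refs to full SHAs with a `# vX.Y.Z` trailer for readability. The `Save private key to temp file` step leaves `MELANGE_PRIVATE_KEY` on disk as `melange.rsa` inside the checked-out tree for the rest of the job, and the first `docker run` bind-mounts the whole workspace (`-v $(pwd):/work`) instead of only the config, key and `packages/` that the other five runs mount; a final step with `if: always()` and `run: rm -f melange.rsa`, plus quoting `"$(pwd)"`, would tighten that. Authentication to S3 uses the long-lived `AWS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` secrets where the deleted workflows federated through OIDC (`id-token: write` plus a workload identity provider); `configure-aws-credentials` supports `role-to-assume` for the same keyless pattern. The `--acl public-read` upload is presumably intended because this is a public package repository, but a comment on the step saying so would help, since the bucket name is the only hint.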
@@ -1,112 +0,0 @@ -name: Wolfi OS Test World - -on: - push: - branches: ["main"] - paths-ignore: - - "**.md" - - "**.txt" - - workflow_dispatch: - - -# Only run one test at a time to curtail costs -concurrency: - group: test-world-${{ github.ref }} - -permissions: - contents: read - -jobs: - test: - name: Test packages - if: github.repository == 'wolfi-dev/os' - - strategy: - matrix: - include: - - arch: x86_64 - runner: ubuntu-intel-64-cores - - arch: aarch64 - runner: ubuntu-arm-64-cores - fail-fast: false - - runs-on: ${{matrix.runner}} - - permissions: - contents: read - id-token: write - - steps: - - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 - with: - egress-policy: audit - - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - name: Setup Docker - run: | - # Add Docker's official GPG key: - sudo apt-get update -y - sudo apt-get install ca-certificates curl -y - sudo install -m 0755 -d /etc/apt/keyrings - sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc - sudo chmod a+r /etc/apt/keyrings/docker.asc - # Add the repository to Apt sources: - echo \ - "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \ - $(. 
/etc/os-release && echo "$VERSION_CODENAME") stable" | \ - sudo tee /etc/apt/sources.list.d/docker.list > /dev/null - sudo apt-get update -y - sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin - sudo usermod -aG docker $USER - sudo apt-get install acl - sudo setfacl --modify user:$USER:rw /var/run/docker.sock - - # this need to point to main to always get the latest action - - uses: wolfi-dev/actions/install-wolfictl@main # main - - - name: "Set up environment and test" - run: | - set -x - set -e - set -o pipefail - - mkdir -p ./packages/${{ matrix.arch }} - - # Don't use ./packages or a local key since we're not using any local packages - wolfictl test \ - --runner docker \ - --repository-append https://packages.wolfi.dev/os \ - --keyring-append https://packages.wolfi.dev/os/wolfi-signing.rsa.pub \ - --arch ${{ matrix.arch }} \ - --trace ./packages/${{ matrix.arch }}/trace.json - - - name: Reset file permissions - run: sudo chown -R $(id -u):$(id -g) . - - - name: Create an archive for uploading - if: ${{ always() }} - run: | - # Move logs so we can upload them separately. - mv ./packages/${{ matrix.arch }}/testlogs /tmp/testlogs - - # Move trace so we can upload it separately. - mv ./packages/${{ matrix.arch }}/trace.json /tmp/trace.json - - # Always run these steps for https://github.com/wolfi-dev/os/issues/8698 - - if: ${{ always() }} - name: "Upload logs archive to GitHub Artifacts" - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 - with: - name: logs-${{ matrix.arch }} - path: /tmp/testlogs/ - if-no-files-found: warn - - if: ${{ always() }} - name: "Upload trace to GitHub Artifacts" - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 - with: - name: trace-${{ matrix.arch }} - path: /tmp/trace.json - if-no-files-found: warn 
diff --git a/.github/workflows/update-cache.yaml b/.github/workflows/update-cache.yaml deleted file mode 100644 index 8d758eba781..00000000000 --- a/.github/workflows/update-cache.yaml +++ /dev/null @@ -1,50 +0,0 @@ -name: Update prod cache of build materials - -on: - workflow_dispatch: - # Triggers the workflow every six hours - schedule: - - cron: "0 */6 * * *" - -env: - PROJECT: prod-images-c6e5 - FQ_SERVICE_ACCOUNT: prod-images-ci@prod-images-c6e5.iam.gserviceaccount.com - SOURCE_CACHE_BUCKET: wolfi-sources - -permissions: - contents: read - -jobs: - update-cache: - runs-on: ubuntu-latest - if: github.repository == 'wolfi-dev/os' - - permissions: - contents: read - id-token: write - - steps: - - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 - with: - egress-policy: audit - - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - uses: chainguard-dev/actions/setup-melange@2cadca168a422313df94f6169691a86498ae51b1 # main - - - uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 - with: - workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha" - service_account: ${{env.FQ_SERVICE_ACCOUNT}} - - - uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0 - with: - project_id: ${{env.PROJECT}} - - - name: 'Update cache of build materials for all packages' - run: | - for cfg in $(ls -1 | grep '.*\.yaml'); do - echo "Updating cache for ${cfg}..."; - melange update-cache --cache-dir gs://${{env.SOURCE_CACHE_BUCKET}}/ "${cfg}" || true; - done diff --git a/.github/workflows/withdraw-packages.yaml b/.github/workflows/withdraw-packages.yaml deleted file mode 100644 index c6dd33c49cb..00000000000 --- a/.github/workflows/withdraw-packages.yaml +++ /dev/null 
@@ -1,145 +0,0 @@ -name: Withdraw packages - -on: - workflow_dispatch: - -# Don't withdraw during builds, to prevent out of sync signatures. -concurrency: build - -permissions: - contents: read - -jobs: - withdraw: - name: Withdraw packages - runs-on: ubuntu-latest - - permissions: - id-token: write - contents: read - - steps: - - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 - with: - egress-policy: audit - - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 # We want the full history for uploading withdrawn-packages.txt to GCS. If this takes too long, we look at merging both files. - - # this need to point to main to always get the latest action - - name: "Install wolfictl onto PATH" - uses: wolfi-dev/actions/install-wolfictl@main # main - - # This is managed here: https://github.com/chainguard-dev/secrets/blob/main/wolfi-dev.tf - - uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 - id: auth - with: - workload_identity_provider: "projects/12758742386/locations/global/workloadIdentityPools/github-pool/providers/github-provider" - service_account: "wolfi-dev@chainguard-github-secrets.iam.gserviceaccount.com" - - - uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0 - with: - project_id: "chainguard-github-secrets" - - - uses: 'google-github-actions/get-secretmanager-secrets@dc4a1392bad0fd60aee00bb2097e30ef07a1caae' # v2.1.3 - id: secrets - with: - secrets: |- - token:chainguard-github-secrets/wolfi-dev-signing-key - - - run: echo "${{ steps.secrets.outputs.token }}" > ./wolfi-signing.rsa - - run: | - sudo mkdir -p /etc/apk/keys - sudo cp ./wolfi-signing.rsa.pub /etc/apk/keys/wolfi-signing.rsa.pub - - - name: Withdraw from index - run: | - set -euo pipefail - for arch in x86_64 aarch64; do - mkdir -p $arch - curl https://packages.wolfi.dev/os/$arch/APKINDEX.tar.gz | wolfictl withdraw 
$(grep -v '\#' withdrawn-packages.txt) --signing-key="${{ github.workspace }}/wolfi-signing.rsa" > $arch/APKINDEX.tar.gz - done - - # We use a different GSA for our interaction with GCS. - - uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 - with: - workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha" - service_account: "prod-images-ci@prod-images-c6e5.iam.gserviceaccount.com" - - - uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0 - with: - project_id: "prod-images-c6e5" - - - name: Delete withdrawn packages - run: | - set -euo pipefail - for arch in x86_64 aarch64; do - for pkg in $(grep -v '\#' withdrawn-packages.txt); do - echo "=> $pkg" - gsutil -m rm -f gs://wolfi-production-registry-destination/os/$arch/$pkg || true - done - done - - - name: Upload modified index - run: | - set -euxo pipefail - for arch in x86_64 aarch64; do - gsutil -h "Cache-Control:no-store" cp $arch/APKINDEX.tar.gz gs://wolfi-production-registry-destination/os/$arch/APKINDEX.tar.gz || true - done - - - name: Upload full withdrawn packages list - run: | - set -euxo pipefail - git log -p -- withdrawn-packages.txt | grep "^+" | grep ".apk$" | cut -c2- | sort | uniq > all-withdrawn-packages.txt - gsutil cp \ - all-withdrawn-packages.txt \ - gs://wolfi-production-registry-destination/os/withdrawn-packages.txt - - - name: Delete sbom packages from the lifecycle automation - run: | - set -euo pipefail - for arch in x86_64 aarch64; do - for pkg in $(grep -v '\#' withdrawn-packages.txt); do - echo "=> $pkg" - gsutil -m rm -f gs://insights-apk-sbom-prod/wolfi-production-registry-destination/os/$arch/$pkg.sbom.json || true - done - done - - # use public chainguard provider. 
- - uses: chainguard-dev/setup-chainctl@f52718d822dc73d21a04ef2082822c4a203163b3 # v0.2.2 - with: - # Managed here: - # https://github.com/chainguard-dev/mono/blob/main/env/chainguard-images/iac/wolfi-os-pusher.tf - identity: "720909c9f5279097d847ad02a2f24ba8f59de36a/6a26f2970f880c31" - - - name: 'Withdraw packages from apk.cgr.dev' - run: | - set -e - # Populate the token here, since chainctl auth token - # doesn't support all of the options we need. - chainctl auth login --audience apk.cgr.dev \ - --identity "720909c9f5279097d847ad02a2f24ba8f59de36a/6a26f2970f880c31" - echo "::add-mask::$(chainctl auth token --audience apk.cgr.dev)" - - for arch in "aarch64" "x86_64"; do - while IFS= read -r pkg; do - curl -X DELETE \ - --user "user:$(chainctl auth token --audience apk.cgr.dev)" \ - "https://apk.cgr.dev/chainguard/${arch}/${pkg}" || true - done < <(grep -v -e '^$' -v '\#' withdrawn-packages.txt | cut -d':' -f2) # Ignore empty lines and comments - done - - - uses: rtCamp/action-slack-notify@4e5fb42d249be6a45a298f3c9543b111b02f7907 # v2.2.1 - if: failure() - env: - SLACK_ICON: http://github.com/chainguard-dev.png?size=48 - SLACK_USERNAME: guardian - SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} - SLACK_CHANNEL: chainguard-images-alerts - SLACK_COLOR: '#8E1600' - MSG_MINIMAL: 'true' - SLACK_TITLE: '[withdraw-packages] failure: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}' - SLACK_MESSAGE: | - https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} diff --git a/.github/workflows/wolfictl-check-update.yaml b/.github/workflows/wolfictl-check-update.yaml deleted file mode 100644 index fb060272360..00000000000 --- a/.github/workflows/wolfictl-check-update.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -name: Wolfictl Check Updates - -on: - pull_request: - branches: - - 'main' - push: - branches: - - gh-readonly-queue/main/** - -permissions: - contents: read - -jobs: - lint: - name: Wolfictl Check Updates - runs-on: ubuntu-latest - - permissions: - contents: read - - steps: - - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 - with: - egress-policy: audit - - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - name: Get changed files - id: files - uses: tj-actions/changed-files@6b2903bdce6310cfbddd87c418f253cf29b2dec9 # v44.5.6 - with: - separator: ' ' - files: "*.yaml" - files_ignore: ".yam.yaml" - - - name: Check - id: check - # this need to point to main to always get the latest action - uses: wolfi-dev/actions/wolfictl-check-updates@main # main - if: ${{ steps.files.outputs.all_changed_files != '' }} - with: - token: ${{ secrets.GITHUB_TOKEN }} - changed_files: ${{ steps.files.outputs.all_changed_files }} diff --git a/.github/workflows/wolfictl-lint.yaml b/.github/workflows/wolfictl-lint.yaml deleted file mode 100644 index 5e4d122f62d..00000000000 --- a/.github/workflows/wolfictl-lint.yaml +++ /dev/null @@ -1,33 +0,0 @@ -name: Wolfictl Lint - -on: - pull_request: - branches: - - 'main' - push: - branches: - - gh-readonly-queue/main/** - -permissions: - contents: read - -jobs: - lint: - name: Wolfictl Lint - runs-on: ubuntu-latest - - if: github.repository == 'wolfi-dev/os' - - permissions: - contents: read - - steps: - - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 - with: - egress-policy: audit - - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - # this need to point to main to always get the latest action - - uses: wolfi-dev/actions/wolfictl-lint@main # main 
diff --git a/.github/workflows/wolfictl-update-gh.yaml b/.github/workflows/wolfictl-update-gh.yaml deleted file mode 100644 index c4581491fbd..00000000000 --- a/.github/workflows/wolfictl-update-gh.yaml +++ /dev/null @@ -1,43 +0,0 @@ -name: Wolfictl Update From GitHub - -on: - workflow_dispatch: - # Triggers the workflow every hour - schedule: - - cron: "0 * * * *" - -permissions: - contents: read - id-token: write - -env: - GIT_AUTHOR_NAME: wolfi-bot - GIT_AUTHOR_EMAIL: 121097084+wolfi-bot@users.noreply.github.com - -jobs: - update: - name: Wolfictl Update - if: github.repository == 'wolfi-dev/os' - runs-on: ubuntu-latest - - steps: - - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 - with: - egress-policy: audit - - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - uses: octo-sts/action@6177b4481c00308b3839969c3eca88c96a91775f # v1.0.0 - id: octo-sts - with: - scope: ${{ github.repository }} - identity: github-updates - - # this need to point to main to always get the latest action - - uses: wolfi-dev/actions/wolfictl-update-gh@main # main - with: - repository: ${{github.repository}} - token: ${{ steps.octo-sts.outputs.token }} - git_author_name: ${{ env.GIT_AUTHOR_NAME }} - git_author_email: ${{ env.GIT_AUTHOR_EMAIL }} diff --git a/.github/workflows/wolfictl-update-rm.yaml b/.github/workflows/wolfictl-update-rm.yaml deleted file mode 100644 index c639cb5c93d..00000000000 --- a/.github/workflows/wolfictl-update-rm.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -name: Wolfictl Update From Release Monitor - -on: - workflow_dispatch: - # Triggers the workflow every hour - schedule: - - cron: "0 * * * *" - -permissions: - contents: read - id-token: write - -env: - GIT_AUTHOR_NAME: wolfi-bot - GIT_AUTHOR_EMAIL: 121097084+wolfi-bot@users.noreply.github.com - -jobs: - update: - name: Wolfictl Update - if: github.repository == 'wolfi-dev/os' - runs-on: ubuntu-latest - - steps: - - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 - with: - egress-policy: audit - - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - uses: octo-sts/action@6177b4481c00308b3839969c3eca88c96a91775f # v1.0.0 - id: octo-sts - with: - scope: ${{ github.repository }} - identity: release-monitoring-updates - - # this need to point to main to always get the latest action - - uses: wolfi-dev/actions/wolfictl-update-rm@main # main - with: - repository: ${{github.repository}} - release_monitor_token: ${{ secrets.RELEASE_MONITOR_TOKEN }} - token: ${{ steps.octo-sts.outputs.token }} - git_author_name: ${{ env.GIT_AUTHOR_NAME }} - git_author_email: ${{ env.GIT_AUTHOR_EMAIL }} diff --git a/font-liberation1.yaml b/font-liberation1.yaml new file mode 100644 index 00000000000..9e7ffcca932 --- /dev/null +++ b/font-liberation1.yaml 
@@ -0,0 +1,47 @@ +# Generated from https://git.alpinelinux.org/aports/plain/main/font-liberation/APKBUILD +package: + name: font-liberation1 + version: 1.07.5 + epoch: 0 + description: Fonts to replace commonly used Microsoft Windows fonts + copyright: + - license: OFL-1.1 + +environment: + contents: + keyring: + - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub + repositories: + - https://packages.wolfi.dev/os + packages: + - autoconf + - automake + - build-base + - busybox + - ca-certificates-bundle + - fontconfig + +pipeline: + - uses: fetch + with: + expected-sha256: 201f64cc3c0f625b64098fb1fc4578680662956df49af233965f0dd45b4aa973 + uri: https://github.com/liberationfonts/liberation-1.7-fonts/files/2175699/liberation-fonts-ttf-${{package.version}}.tar.gz + + - runs: | + mkdir -p ${{targets.destdir}}/usr/share/fonts/${{package.name}} \ + ${{targets.destdir}}/etc/fonts/conf.avail \ + ${{targets.destdir}}/etc/fonts/conf.d + + install -D -m644 ./*.ttf -t ${{targets.destdir}}/usr/share/fonts/${{package.name}}/ + + for i in $(find . -name '*.conf'); do + install -D -m644 "$i" -t ${{targets.destdir}}/etc/fonts/conf.avail/ + ln -sf /etc/fonts/conf.avail/$i ${{targets.destdir}}/etc/fonts/conf.d/$i + done + + - uses: strip + +update: + enabled: true + release-monitor: + identifier: 16833 diff --git a/libjpeg-turbo2.yaml b/libjpeg-turbo2.yaml new file mode 100644 index 00000000000..94a6e088700 --- /dev/null +++ b/libjpeg-turbo2.yaml 
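Review bot: In the `runs:` step the loop `for i in $(find . -name '*.conf')` feeds paths of the form `./name.conf` into `ln -sf /etc/fonts/conf.avail/$i .../conf.d/$i`, so each symlink is created as `conf.d/./name.conf` pointing at `conf.avail/./name.conf`, and both `$i` uses are unquoted; `i=$(basename "$i")` as the first line of the loop body (or `find ... -exec` with `{}`) gives clean link names and also survives a conf file that sits in a subdirectory. `environment.contents.packages` pulls in `autoconf`, `automake` and `build-base` although the visible pipeline only runs `mkdir`, `install` and `ln` on a TTF tarball; if nothing else in the build needs a compiler, trimming the list shrinks the build environment.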
@@ -0,0 +1,66 @@ +package: + name: libjpeg-turbo2 + version: 2.0.3 + epoch: 1 + description: "Accelerated baseline JPEG compression and decompression library" + copyright: + - license: BSD-3-Clause AND IJG AND Zlib + +environment: + contents: + keyring: + - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub + repositories: + - https://packages.wolfi.dev/os + packages: + - build-base + - ca-certificates-bundle + - cmake + - nasm + - samurai # use ninja pkg later? + - wolfi-base + +pipeline: + - uses: git-checkout + with: + repository: https://github.com/libjpeg-turbo/libjpeg-turbo + tag: ${{package.version}} + expected-commit: 5db6a6819d0f904e0b58f34ae928fea234adb1a0 + + - runs: | + cmake -B build -G Ninja \ + -DCMAKE_INSTALL_PREFIX=/usr \ + -DCMAKE_INSTALL_LIBDIR=/usr/lib \ + -DBUILD_SHARED_LIBS=True \ + -DCMAKE_BUILD_TYPE=MinSizeRel \ + -DWITH_JPEG8=1 + cmake --build build + + - runs: | + DESTDIR="${{targets.destdir}}" cmake --install build + + - uses: strip + +subpackages: + - name: "libjpeg-turbo2-dev" + description: "headers for libjpeg-turbo2" + pipeline: + - uses: split/dev + + - name: "libjpeg-turbo2-doc" + description: "libjpeg-turbo2 documentation" + pipeline: + - runs: | + mkdir -p "${{targets.subpkgdir}}"/usr/share/doc/libjpeg-turbo + mv doc/* "${{targets.subpkgdir}}"/usr/share/doc/libjpeg-turbo + dependencies: + runtime: + - libjpeg-turbo2-dev + + - name: "libjpeg-turbo2-utils" + description: "Utilities for manipulating JPEG images" + pipeline: + - runs: | + mkdir -p "${{targets.subpkgdir}}"/usr/bin + mv "${{targets.destdir}}"/usr/bin/* "${{targets.subpkgdir}}"/usr/bin + diff --git a/libspatialindex.yaml b/libspatialindex.yaml new file mode 100644 index 00000000000..9566951b2b1 --- /dev/null +++ b/libspatialindex.yaml 
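Review bot: The `libjpeg-turbo2-doc` subpackage declares `dependencies.runtime: libjpeg-turbo2-dev`, so installing the documentation pulls in the headers; a doc package normally carries no runtime dependency, or at most the main `libjpeg-turbo2` package. This config, like `libspatialindex.yaml` and `mesa22.yaml` in the same commit, has no `update:` stanza while `font-liberation1.yaml` and `pandoc.yaml` do; if the major-version pin (2.0.3 here) is deliberate, an explicit `update:` / `  enabled: false` with a one-line comment records that decision and keeps the package out of the updater's view. The `samurai # use ninja pkg later?` comment reads as an open question; a TODO stating why it matters, or dropping it, would be clearer.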
@@ -0,0 +1,52 @@ +package: + name: libspatialindex + version: 1.9.3 + epoch: 1 + description: extensible framework for robust spatial indexing methods + copyright: + - license: MIT + +environment: + contents: + keyring: + - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub + repositories: + - https://packages.wolfi.dev/os + packages: + - autoconf + - automake + - build-base + - busybox + - ca-certificates-bundle + - cmake + - gcc + +pipeline: + - uses: fetch + with: + expected-sha256: 47d8779e32477b330e46b62fb7e62cb812caee5d8e684c35cb635a42a749f3fc + uri: https://github.com/libspatialindex/libspatialindex/releases/download/${{package.version}}/spatialindex-src-${{package.version}}.tar.gz + + - runs: | + cmake -B build \ + -DCMAKE_BUILD_TYPE=MinSizeRel \ + -DCMAKE_PREFIX_PATH=/usr \ + -DCMAKE_INSTALL_PREFIX=/usr \ + -DBUILD_TESTING=ON + + - runs: | + cmake --build build + + - runs: | + DESTDIR="${{targets.destdir}}" cmake --install build + + - uses: strip + +subpackages: + - name: libspatialindex-dev + pipeline: + - uses: split/dev + dependencies: + runtime: + - libspatialindex + description: libspatialindex dev diff --git a/mesa22.yaml b/mesa22.yaml new file mode 100644 index 00000000000..957909d502c --- /dev/null +++ b/mesa22.yaml 
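Review bot: The first `runs:` step configures with `-DBUILD_TESTING=ON`, but no later step invokes `ctest` and the file has no `test:` block (compare `pandoc.yaml` in this commit), so the test suite is compiled and then discarded; either add `ctest --test-dir build` after `cmake --build build` or set `-DBUILD_TESTING=OFF` to save the build time. `environment.contents.packages` also lists `autoconf`, `automake` and `gcc` alongside `build-base` for a pure CMake build; the first two are presumably unused here and `gcc` is presumably already provided by `build-base`, so the list can likely be trimmed.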
@@ -0,0 +1,136 @@
+package:
+ name: mesa22
+ version: 22.3.7
+ epoch: 0
+ description: Mesa DRI OpenGL library
+ copyright:
+ - license: MIT AND SGI-B-2.0 AND BSL-1.0
+
+environment:
+ contents:
+ keyring:
+ - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
+ repositories:
+ - https://packages.wolfi.dev/os
+ packages:
+ - autoconf
+ - automake
+ - bison
+ - build-base
+ - busybox
+ - ca-certificates-bundle
+ - elfutils-dev
+ - eudev-dev
+ - expat-dev
+ - findutils
+ - flex
+ - gettext
+ - glslang-dev
+ - libdrm-dev
+ - libtool
+ - libva
+ - libva-dev
+ - libvdpau-dev
+ - libx11-dev
+ - libxcb-dev
+ - libxdamage-dev
+ - libxext-dev
+ - libxfixes-dev
+ - libxml2-dev
+ - libxrandr
+ - libxrandr-dev
+ - libxrender
+ - libxrender-dev
+ - libxshmfence-dev
+ - libxxf86vm-dev
+ - llvm15
+ - llvm15-dev
+ - meson
+ - py3-mako
+ - py3-markupsafe
+ - py3-pygments
+ - py3-setuptools
+ - python3
+ - vulkan-loader
+ - wayland-dev
+ - wayland-protocols
+ - xorgproto
+ - zlib-dev
+ - zstd-dev
+ - libpciaccess-dev
+
+pipeline:
+ - uses: fetch
+ with:
+ expected-sha256: 894ce2f4a1c2e76177cdd2284620192d0da3066b243eec2fbb1d7cf37f13042c
+ uri: https://mesa.freedesktop.org/archive/mesa-${{package.version}}.tar.xz
+
+ - runs: |
+ export CFLAGS="$CFLAGS -O2 -g1"
+ export CXXFLAGS="$CXXFLAGS -O2 -g1"
+ export CPPFLAGS="$CPPFLAGS -O2 -g1"
+
+ _dri_driverdir=/usr/lib/xorg/modules/dri
+ _gallium_drivers="r300,r600,radeonsi,nouveau,swrast,virgl,zink"
+ _vulkan_drivers="amd,swrast"
+ _vulkan_layers="device-select,overlay"
+
+ PATH="$PATH:/usr/lib/llvm15/bin" \
+ meson \
+ --prefix=/usr \
+ -Ddri-drivers-path=$_dri_driverdir \
+ -Dgallium-drivers=$_gallium_drivers \
+ -Dvulkan-drivers=$_vulkan_drivers \
+ -Dvulkan-layers=$_vulkan_layers \
+ -Dplatforms=x11,wayland \
+ -Dllvm=enabled \
+ -Dshared-llvm=enabled \
+ -Dshared-glapi=enabled \
+ -Dgbm=enabled \
+ -Dglx=dri \
+ -Dopengl=true \
+ -Dosmesa=true \
+ -Dgles1=enabled \
+ -Dgles2=enabled \
+ -Degl=enabled \
+ -Dgallium-extra-hud=true \
+ -Dgallium-xa=enabled \
+ -Dgallium-vdpau=enabled \
+ -Dgallium-va=enabled \
+ -Dgallium-nine=true \
+ -Db_ndebug=true \
+ -Db_lto=false \
+ . output
+
+ meson configure --no-pager output
+ meson compile -C output
+
+ DESTDIR="${{targets.destdir}}" meson install --no-rebuild -C output
+
+ - uses: strip
+
+data:
+ - name: libs
+ items:
+ gles: libGLES*
+ egl: libEGL
+ gl: libGL
+ glapi: libglapi
+ xatracker: libxatracker*
+ osmesa: libOSMesa
+ gbm: libgbm
+ libd3dadapter9: d3d/d3dadapter9
+
+subpackages:
+ - range: libs
+ name: mesa22-${{range.key}}
+ description: mesa22 ${{range.key}}
+ pipeline:
+ - runs: |
+ mkdir -p ${{targets.subpkgdir}}/usr/lib
+ mv ${{targets.destdir}}/usr/lib/${{range.value}}.so* ${{targets.subpkgdir}}/usr/lib
+
+ - name: mesa22-dev
+ pipeline:
+ - uses: split/dev
+ description: mesa dev
diff --git a/pandoc.yaml b/pandoc.yaml
new file mode 100644
index 00000000000..a110292074b
--- /dev/null
+++ b/pandoc.yaml
@@ -0,0 +1,39 @@
+package:
+ name: pandoc
+ version: 3.2
+ epoch: 0
+ description: "a Universal markup converter"
+ copyright:
+ - license: GPL-2.0
+
+environment:
+ contents:
+ packages:
+ - wolfi-base
+
+pipeline:
+ - uses: fetch
+ with:
+ uri: https://github.com/jgm/pandoc/releases/download/${{package.version}}/pandoc-${{package.version}}-linux-amd64.tar.gz
+ expected-sha256: ea3f96dde56ae1577c81184694b8576d8efec52e168ce49a6e7df1441f428289
+ strip-components: 0
+
+ - runs: |
+ mkdir -p "${{targets.destdir}}/usr/bin"
+ mkdir -p "${{targets.destdir}}/usr/share/man"
+ cd pandoc-${{package.version}}
+ cp -R -a share/man/man1 "${{targets.destdir}}/usr/share/man/man1"
+ cp -R -a bin/* "${{targets.destdir}}/usr/bin/"
+
+update:
+ enabled: true
+ github:
+ identifier: jgm/pandoc
+ strip-prefix: pandoc-
+ tag-filter: pandoc-
+
+test:
+ pipeline:
+ - name: Verify can use pandoc
+ runs: |
+ pandoc --version || exit 1
diff --git a/poppler.yaml b/poppler.yaml
index c0adab31e01..d34bf8cd15a 100644
--- a/poppler.yaml
+++ b/poppler.yaml
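Review bot: The `mv ${{targets.destdir}}/usr/lib/${{range.value}}.so* ${{targets.subpkgdir}}/usr/lib` line in the `libs` range subpackage leaves the substituted directories unquoted, unlike the other new files in this diff which write `"${{targets.destdir}}"`; the glob must stay unquoted but the prefixes should not, `mv "${{targets.destdir}}"/usr/lib/${{range.value}}.so* "${{targets.subpkgdir}}"/usr/lib`. `description: mesa dev` on the `mesa22-dev` subpackage does not follow the `mesa22 …` wording used for the range subpackages just above it; `description: mesa22 dev` would be consistent. 22.3.7 is, as far as I recall, the final release of the 22.3 branch, so with no `update:` stanza (see the libjpeg-turbo2 note) nothing will surface that the pinned branch no longer receives fixes; a comment next to `version:` explaining why the 22 line is kept would help the next maintainer.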
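Review bot: The `fetch` step pulls a prebuilt `pandoc-${{package.version}}-linux-amd64.tar.gz` and `cp -R -a bin/*` copies its binary straight into `/usr/bin`, so the package is never built from source and the same x86-64 archive would be fetched on an aarch64 builder (its sha256 still matches, and the result would ship a foreign-architecture executable); either build from source or at least add `target-architecture:` with `- x86_64` under `package:` so this binary-only package cannot be produced for other architectures. `update:` sets `strip-prefix: pandoc-` and `tag-filter: pandoc-`, yet the `uri` in the same hunk resolves the release from `download/${{package.version}}/`, which suggests upstream tags are bare version numbers; if so the filter matches nothing and the updater is effectively disabled, so please verify against the upstream tag list. `pandoc --version || exit 1` in the test step is redundant because a non-zero exit already fails the pipeline; `pandoc --version` alone is enough.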
@@ -1,73 +1,73 @@ package: name: poppler - version: 24.07.0 + version: 24.05.0 epoch: 0 - description: Poppler is a PDF rendering library based on the xpdf-3.0 code base. + description: "poppler" copyright: - - license: GPL-2.0-or-later + - license: GNU General Public License v2.0 or later environment: contents: + keyring: + - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub + repositories: + - https://packages.wolfi.dev/os packages: - - boost-dev + - wolfi-base - build-base - - busybox - - ca-certificates-bundle - - cairo-dev - - cmake - - expat-dev - - gobject-introspection-dev - - lcms2-dev - - libfontconfig1 - - libjpeg-turbo-dev - - libnspr-dev + - freetype-dev + - fontconfig-dev - libnss-dev - - libpng-dev - - libxml2-dev - - openjpeg-dev - - openjpeg-tools - - samurai + - libnspr-dev - tiff-dev + - glib-dev + - glib-gir - zlib-dev + - openjpeg-dev + - openjpeg-tools + - lcms2-dev + - cairo-dev + - xkbcomp-dev + - gtk-3-dev + - gobject-introspection-dev + - pango-dev + - expat-dev + - cmake + - gcc + - ninja + - boost-dev pipeline: - - uses: git-checkout + - uses: fetch with: - repository: https://gitlab.freedesktop.org/poppler/poppler.git - tag: poppler-${{package.version}} - expected-commit: 01a88235ea7b66db19ef1a3fce9a84d7e9850737 - - - uses: cmake/configure - with: - opts: | - -DENABLE_GPGME=OFF \ - -DENABLE_LIBCURL=OFF \ - -DCMAKE_BUILD_TYPE=Release \ - -DENABLE_QT5=OFF \ - -DENABLE_QT6=OFF - - - uses: cmake/build - - - uses: cmake/install - -subpackages: - - name: poppler-dev - pipeline: - - uses: split/dev + uri: https://gitlab.freedesktop.org/poppler/poppler/-/archive/poppler-${{package.version}}/poppler-poppler-${{package.version}}.tar.gz + expected-sha256: 72dbd8bddb719bfe0abd41250909f9552bca82ab43a4ae547d2cc24159062590 - - name: poppler-doc - pipeline: - - uses: split/dev + - runs: | + cmake -B build -G Ninja . 
\ + -DBUILD_CPP_TESTS="OFF" \ + -DBUILD_GTK_TESTS="OFF" \ + -DBUILD_MANUAL_TESTS="OFF" \ + -DBUILD_QT5_TESTS="OFF" \ + -DBUILD_QT6_TESTS="OFF" \ + -DCMAKE_BUILD_TYPE=RelWithDebInfo \ + -DCMAKE_INSTALL_LIBDIR=lib \ + -DCMAKE_INSTALL_PREFIX=/usr \ + -DCMAKE_SYSTEM_NAME=Linux \ + -DCMAKE_HOST_SYSTEM_NAME=Linux \ + -DENABLE_BOOST=ON \ + -DENABLE_GPGME=OFF \ + -DENABLE_LIBCURL=OFF \ + -DENABLE_QT5=OFF \ + -DENABLE_QT6=OFF \ + -DENABLE_UNSTABLE_API_ABI_HEADERS=ON \ + -DCMAKE_BUILD_WITH_INSTALL_RPATH=TRUE \ + -DCMAKE_INSTALL_RPATH=/usr/bin - - name: poppler-glib - pipeline: - - uses: split/dev + - runs: | + cmake --build build - - name: poppler-utils - pipeline: - - uses: split/dev + - runs: | + DESTDIR="${{targets.destdir}}" cmake --install build -update: - enabled: true - release-monitor: - identifier: 3686 + - uses: strip \ No newline at end of file diff --git a/tesseract52.yaml b/tesseract52.yaml new file mode 100644 index 00000000000..729c16a0f6a --- /dev/null +++ b/tesseract52.yaml 
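Review bot: The new side moves `version:` from 24.07.0 back to 24.05.0, deletes the `update:` stanza and drops the `poppler-dev`, `poppler-doc`, `poppler-glib` and `poppler-utils` subpackages, so every artifact lands in the main package and anything depending on those subpackage names breaks; this reads like the file being reverted to an older revision rather than a deliberate change, and if it is intended the commit should state why a downgrade is wanted. `-DCMAKE_BUILD_WITH_INSTALL_RPATH=TRUE` with `-DCMAKE_INSTALL_RPATH=/usr/bin` embeds a runtime search path pointing at a directory that holds no libraries; with `CMAKE_INSTALL_LIBDIR=lib` under `/usr` the libraries are already on the default loader path, so both flags can be removed. `license: GNU General Public License v2.0 or later` replaces the SPDX identifier `GPL-2.0-or-later` that the other files in this diff and SBOM tooling expect; keep the SPDX form.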
@@ -0,0 +1,154 @@
+package:
+ name: tesseract52
+ version: 5.2.0
+ epoch: 2
+ description: Tesseract Open Source OCR Engine (5.2.0)
+ copyright:
+ - license: Apache-2.0
+
+environment:
+ contents:
+ keyring:
+ - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
+ repositories:
+ - https://packages.wolfi.dev/os
+ packages:
+ - autoconf
+ - automake
+ - build-base
+ - busybox
+ - ca-certificates-bundle
+ - cairo-dev
+ - cmake
+ - curl-dev
+ - expat-dev
+ - fontconfig-config
+ - fontconfig-dev
+ - fribidi-dev
+ - glib-dev
+ - harfbuzz-dev
+ - icu-dev
+ - leptonica-dev
+ - libarchive-dev
+ - libfontconfig1
+ - libjpeg-turbo-dev
+ - libxft-dev
+ - opencl-dev
+ - pango
+ - pango-dev
+ - pkgconf
+ - pkgconf-dev
+
+data:
+ - name: langs
+ items:
+ afr:
+ ara:
+ aze:
+ bel:
+ ben:
+ bul:
+ cat:
+ ces:
+ chi_sim:
+ chi_tra:
+ chr:
+ dan:
+ deu:
+ eng:
+ enm:
+ epo:
+ equ:
+ est:
+ eus:
+ fin:
+ fra:
+ frk:
+ frm:
+ glg:
+ grc:
+ heb:
+ hin:
+ hrv:
+ hun:
+ ind:
+ isl:
+ ita:
+ ita_old:
+ jpn:
+ kan:
+ kat:
+ khm:
+ kor:
+ lav:
+ lit:
+ mal:
+ mkd:
+ mlt:
+ msa:
+ nld:
+ nor:
+ osd:
+ pol:
+ por:
+ ron:
+ rus:
+ slk:
+ slv:
+ spa:
+ spa_old:
+ sqi:
+ srp:
+ swa:
+ swe:
+ tam:
+ tel:
+ tgl:
+ tha:
+ tur:
+ ukr:
+ vie:
+
+vars:
+ tessdata-version: 4.1.0
+
+pipeline:
+ - uses: git-checkout
+ with:
+ repository: https://github.com/tesseract-ocr/tesseract
+ tag: ${{package.version}}
+ expected-commit: 5ad5325a0aa8effc47ca033625b6a51682f82767
+
+ # Training data is stored in a separate repository
+ - uses: git-checkout
+ with:
+ repository: https://github.com/tesseract-ocr/tessdata
+ destination: tessdata-${{vars.tessdata-version}}
+ tag: ${{vars.tessdata-version}}
+ expected-commit: 4767ea922bcc460e70b87b1d303ebdfed0897da8
+
+ - runs: |
+ # They have some hardcoded include paths
+ ln -s /usr/include/pango-1.0 /usr/include/pango
+
+ - uses: cmake/configure
+ with:
+ opts: -DTESSDATA_PREFIX=/usr/share -DUSE_SYSTEM_ICU=on
+
+ - uses: cmake/build
+
+ - uses: cmake/install
+
+ - uses: strip
+
+subpackages:
+ - name: tesseract52-dev
+ pipeline:
+ - uses: split/dev
+
+ - range: langs
+ name: tesseract52-${{range.key}}
+ pipeline:
+ - runs: |
+ mkdir -p ${{targets.subpkgdir}}/usr/share/tessdata
+ mv tessdata-${{vars.tessdata-version}}/${{range.key}}.traineddata ${{targets.subpkgdir}}/usr/share/tessdata/
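Review bot: The `ln -s /usr/include/pango-1.0 /usr/include/pango` step patches the build environment's system include directory rather than the source tree, and `ln -s` without `-f` fails outright if the link already exists should the step ever be re-run; passing the include path through the configure step instead, something like `opts: -DTESSDATA_PREFIX=/usr/share -DUSE_SYSTEM_ICU=on -DCMAKE_CXX_FLAGS=-I/usr/include/pango-1.0`, keeps the workaround scoped to this package (confirm the `cmake/configure` pipeline does not already set `CMAKE_CXX_FLAGS`). The `mkdir`/`mv` lines of the `langs` range subpackage leave `${{targets.subpkgdir}}` unquoted, unlike libjpeg-turbo2 and pandoc in this diff; quote the directory prefixes for consistency. No `update:` stanza here either (noted at libjpeg-turbo2).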