From 439d31af1ab5ab6a43354ed2f3dd4d7b9e080d2e Mon Sep 17 00:00:00 2001
From: achraf-mer <51244975+achraf-mer@users.noreply.github.com>
Date: Thu, 23 May 2024 15:27:22 -0400
Subject: [PATCH 01/15] Add an x86_64 pandoc build
---
 pandoc.yaml | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 pandoc.yaml
diff --git a/pandoc.yaml b/pandoc.yaml
new file mode 100644
index 0000000000..a110292074
--- /dev/null
+++ b/pandoc.yaml
@@ -0,0 +1,39 @@
+package:
+ name: pandoc
+ version: 3.2
+ epoch: 0
+ description: "a Universal markup converter"
+ copyright:
+ - license: GPL-2.0
+
+environment:
+ contents:
+ packages:
+ - wolfi-base
+
+pipeline:
+ - uses: fetch
+ with:
+ uri: https://github.com/jgm/pandoc/releases/download/${{package.version}}/pandoc-${{package.version}}-linux-amd64.tar.gz
+ expected-sha256: ea3f96dde56ae1577c81184694b8576d8efec52e168ce49a6e7df1441f428289
+ strip-components: 0
+
+ - runs: |
+ mkdir -p "${{targets.destdir}}/usr/bin"
+ mkdir -p "${{targets.destdir}}/usr/share/man"
+ cd pandoc-${{package.version}}
+ cp -R -a share/man/man1 "${{targets.destdir}}/usr/share/man/man1"
+ cp -R -a bin/* "${{targets.destdir}}/usr/bin/"
+
+update:
+ enabled: true
+ github:
+ identifier: jgm/pandoc
+ strip-prefix: pandoc-
+ tag-filter: pandoc-
+
+test:
+ pipeline:
+ - name: Verify can use pandoc
+ runs: |
+ pandoc --version || exit 1
From 307210efb42332f92b03377d400cfd01463676fd Mon Sep 17 00:00:00 2001
From: Tomasz Cichoszewski
Date: Thu, 30 May 2024 16:54:17 +0200
Subject: [PATCH 02/15] Added poppler package build
---
 poppler.yaml | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 poppler.yaml
diff --git a/poppler.yaml b/poppler.yaml
new file mode 100644
index 0000000000..ee6f3bfd65
--- /dev/null
+++ b/poppler.yaml
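Review bot: The fetch URI hardcodes the `linux-amd64` tarball, but nothing in `package:` limits where this recipe is built — on an aarch64 builder the fetch and hash check would still pass and the result would be an x86_64 binary inside an aarch64 package, presumably caught only by the `pandoc --version` test, if at all. Add `target-architecture:` / `  - x86_64` under `package:` so the architecture baked into the filename and the package architecture cannot drift apart. Because this repackages an upstream-built binary rather than building from source, the `expected-sha256` pin is the only integrity control on what ends up in the package; the `update:` block will bump `version` automatically, so every bump must also refresh that hash or the fetch fails closed, which is the right failure mode. The license id should probably be the SPDX form `GPL-2.0-or-later` if upstream's COPYING is the usual GPLv2-or-later text — worth confirming.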
@@ -0,0 +1,59 @@
+package:
+ name: poppler
+ version: 24.05.0
+ epoch: 0
+ description: "poppler"
+ copyright:
+ - license: GNU General Public License v2.0 or later
+
+environment:
+ contents:
+ keyring:
+ - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
+ repositories:
+ - https://packages.wolfi.dev/os
+ packages:
+ - wolfi-base
+ - build-base
+ - freetype-dev
+ - fontconfig-dev
+ - libnss-dev
+ - libnspr-dev
+ - tiff-dev
+ - zlib-dev
+ - openjpeg-dev
+ - openjpeg-tools
+ - lcms2-dev
+ - cairo-dev
+ - xkbcomp-dev
+ - gtk-3-dev
+ - gobject-introspection-dev
+ - pango-dev
+ - expat-dev
+ - cmake
+ - gcc
+ - ninja
+ - boost-dev
+
+pipeline:
+ - uses: fetch
+ with:
+ uri: https://gitlab.freedesktop.org/poppler/poppler/-/archive/poppler-${{package.version}}/poppler-poppler-${{package.version}}.tar.gz
+ expected-sha256: 72dbd8bddb719bfe0abd41250909f9552bca82ab43a4ae547d2cc24159062590
+
+ - runs: |
+ cmake -B build -G Ninja . \
+ -DBUILD_CPP_TESTS="OFF" \
+ -DBUILD_GTK_TESTS="OFF" \
+ -DBUILD_MANUAL_TESTS="OFF" \
+ -DBUILD_QT5_TESTS="OFF" \
+ -DBUILD_QT6_TESTS="OFF" \
+ -DCMAKE_BUILD_TYPE=RelWithDebInfo \
+ -DCMAKE_INSTALL_LIBDIR=lib \
+ -DCMAKE_INSTALL_PREFIX=/usr \
+ -DENABLE_BOOST=ON \
+ -DENABLE_GPGME=OFF \
+ -DENABLE_LIBCURL=OFF \
+ -DENABLE_QT5=OFF \
+ -DENABLE_QT6=OFF \
+ -DENABLE_UNSTABLE_API_ABI_HEADERS=ON
\ No newline at end of file
From 09dc1f738b5b6bdbdf7ac04458b2f3788de1944b Mon Sep 17 00:00:00 2001
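Review bot: The `runs:` step ends after `cmake -B build …` has only configured the tree — there is no `cmake --build` and nothing is installed into `${{targets.destdir}}`, and since the hunk is the entire 59-line file no later step does it either, so as written the recipe would produce an empty package; the step should continue with `cmake --build build` and `DESTDIR="${{targets.destdir}}" cmake --install build`. `copyright.license` is a free-text string rather than an SPDX identifier; `GPL-2.0-or-later` would be consistent with the pandoc recipe earlier in this series and with what the tooling expects to compare against. There is no `test:` block, so a missing install would not have been caught at build time. The `\ No newline at end of file` marker also shows the file lacks a trailing newline — cosmetic, but worth fixing in the same change.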
From: Tomasz Cichoszewski <56021254+tomasz-h2o@users.noreply.github.com> Date: Fri, 31 May 2024 10:12:59 +0200 Subject: [PATCH 03/15] Tomasz/automate index creation (#5) (#7) * removed workflows from root repo * Added building new packages action * Run build on PR --- .github/actions/docker-run/action.yaml | 45 --- .github/chainguard/delete-branches.sts.yaml | 7 - .github/chainguard/digestabot.sts.yaml | 9 - .github/chainguard/github-updates.sts.yaml | 10 - .../lifecycle-automation-release.sts.yaml | 9 - .../lifecycle-cve-remediation.sts.yaml | 11 - .../lifecycle-devops-data-collector.sts.yaml | 9 - .../chainguard/lifecycle-eol-mover.sts.yaml | 10 - .../lifecycle-version-stream-bot.sts.yaml | 8 - .../lifecycle-version-stream-create.sts.yaml | 9 - .../release-monitoring-updates.sts.yaml | 10 - .github/workflows/build-beta.yaml | 215 ---------- .github/workflows/build-old.yaml | 335 ---------------- .github/workflows/build-world.yaml | 81 ---- .github/workflows/build.yaml | 368 +----------------- .github/workflows/ci-build.yaml | 344 ---------------- .github/workflows/delete-old-branches.yaml | 39 -- .github/workflows/digestabot.yaml | 39 -- .github/workflows/lint-world.yaml | 183 --------- .github/workflows/lint.yaml | 28 -- .github/workflows/stale.yaml | 36 -- .github/workflows/test-world.yaml | 107 ----- .github/workflows/update-cache.yaml | 50 --- .github/workflows/withdraw-packages.yaml | 121 ------ .github/workflows/wolfictl-check-update.yaml | 45 --- .github/workflows/wolfictl-lint.yaml | 33 -- .github/workflows/wolfictl-update-gh.yaml | 43 -- .github/workflows/wolfictl-update-rm.yaml | 44 --- 28 files changed, 9 insertions(+), 2239 deletions(-) delete mode 100644 .github/actions/docker-run/action.yaml delete mode 100644 .github/chainguard/delete-branches.sts.yaml delete mode 100644 .github/chainguard/digestabot.sts.yaml delete mode 100644 .github/chainguard/github-updates.sts.yaml delete mode 100644 .github/chainguard/lifecycle-automation-release.sts.yaml 
delete mode 100644 .github/chainguard/lifecycle-cve-remediation.sts.yaml delete mode 100644 .github/chainguard/lifecycle-devops-data-collector.sts.yaml delete mode 100644 .github/chainguard/lifecycle-eol-mover.sts.yaml delete mode 100644 .github/chainguard/lifecycle-version-stream-bot.sts.yaml delete mode 100644 .github/chainguard/lifecycle-version-stream-create.sts.yaml delete mode 100644 .github/chainguard/release-monitoring-updates.sts.yaml delete mode 100644 .github/workflows/build-beta.yaml delete mode 100644 .github/workflows/build-old.yaml delete mode 100644 .github/workflows/build-world.yaml delete mode 100644 .github/workflows/ci-build.yaml delete mode 100644 .github/workflows/delete-old-branches.yaml delete mode 100644 .github/workflows/digestabot.yaml delete mode 100644 .github/workflows/lint-world.yaml delete mode 100644 .github/workflows/lint.yaml delete mode 100644 .github/workflows/stale.yaml delete mode 100644 .github/workflows/test-world.yaml delete mode 100644 .github/workflows/update-cache.yaml delete mode 100644 .github/workflows/withdraw-packages.yaml delete mode 100644 .github/workflows/wolfictl-check-update.yaml delete mode 100644 .github/workflows/wolfictl-lint.yaml delete mode 100644 .github/workflows/wolfictl-update-gh.yaml delete mode 100644 .github/workflows/wolfictl-update-rm.yaml diff --git a/.github/actions/docker-run/action.yaml b/.github/actions/docker-run/action.yaml deleted file mode 100644 index 7409bbfc82..0000000000 --- a/.github/actions/docker-run/action.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -name: Run a command in Docker -description: Wraps the given `cmd` in a `docker run` -inputs: - run: - description: "The command/script to run" - required: true - image: - description: "The image to use" - default: "ghcr.io/wolfi-dev/sdk:latest@sha256:98416ef9cffdea730b9bf88628b07a671683f98e9b9ff60bf45c41d33376b2d6" - required: false - workdir: - description: "The images working directory" - default: "/github/home" - required: false - opts: - description: "Extra options to pass to docker run" - default: "" - required: false - -runs: - using: composite - steps: - - name: Run in Docker - shell: bash - run: | - docker run \ - --privileged \ - --security-opt "seccomp=unconfined" \ - --security-opt "apparmor:unconfined" \ - -v "$PWD":"${{ inputs.workdir }}" \ - -v /home/runner:/home/runner \ - --workdir "${{ inputs.workdir }}" \ - --entrypoint "bash" \ - -e "HOME=${{ inputs.workdir }}" \ - -e "GITHUB_ACTIONS=true" \ - -e "CI=true" \ - -e CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=${CLOUDSDK_AUTH_CREDENTIAL_FILE} \ - -e GOOGLE_APPLICATION_CREDENTIALS=${GOOGLE_APPLICATION_CREDENTIALS} \ - -e GOOGLE_GHA_CREDS_PATH=${GOOGLE_GHA_CREDS_PATH} \ - -i \ - ${{ inputs.opts }} \ - ${{ inputs.image }} < /dev/null - sudo apt-get update -y - sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin - sudo usermod -aG docker $USER - sudo apt-get install acl - sudo setfacl --modify user:$USER:rw /var/run/docker.sock - - - uses: google-github-actions/auth@55bd3a7c6e2ae7cf1877fd1ccb9d54c0503c457c # v2.1.2 - with: - workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha" - service_account: ${{ env.FQ_SERVICE_ACCOUNT }} - - # Build with a local key, we'll resign this with the real key later - - name: 'Set up environment and build' - uses: ./.github/actions/docker-run - with: - run: | - set -x - set -e - set -o pipefail - - # This is to avoid fatal errors 
about "dubious ownership" because we are - # running inside of a container action with the workspace mounted in. - git config --global --add safe.directory "\$(pwd)" - - make local-melange.rsa - - # Touch it with the epoch date to convince `make` that we don't need to - # rebuild the targets that depend on this (all) - touch -d @0 local-melange.rsa - - # yay wolfi! - apk add google-cloud-sdk - - mkdir -p ./packages/${{ matrix.arch }} - - wolfictl build \ - --runner bubblewrap \ - --repository-append ./packages \ - --keyring-append local-melange.rsa.pub \ - --repository-append https://packages.wolfi.dev/os \ - --keyring-append https://packages.wolfi.dev/os/wolfi-signing.rsa.pub \ - --signing-key local-melange.rsa \ - --arch ${{ matrix.arch }} \ - --namespace wolfi \ - --pipeline-dir ./pipelines/ \ - --destination-repository https://packages.wolfi.dev/os \ - --trace ./packages/${{ matrix.arch }}/trace.json - - - name: Reset file permissions - run: sudo chown -R $(id -u):$(id -g) . - - - name: Create an archive for uploading - if: ${{ always() }} - run: | - # Move logs so we can upload them separately. - mv ./packages/${{ matrix.arch }}/buildlogs /tmp/buildlogs - - # Move trace so we can upload it separately. 
- mv ./packages/${{ matrix.arch }}/trace.json /tmp/trace.json - - tar -cvzf /tmp/packages-${{ matrix.arch }}.tar.gz ./packages/${{ matrix.arch }} - - # Always run these steps for https://github.com/wolfi-dev/os/issues/8698 - - if: ${{ always() }} - name: 'Upload logs archive to GitHub Artifacts' - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 - with: - name: logs-${{ matrix.arch }} - path: /tmp/buildlogs/ - if-no-files-found: warn - - if: ${{ always() }} - name: 'Upload trace to GitHub Artifacts' - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 - with: - name: trace-${{ matrix.arch }} - path: /tmp/trace.json - if-no-files-found: warn - - if: ${{ always() }} - name: 'Upload built packages archive to GitHub Artifacts' - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 - with: - name: packages-${{ matrix.arch }} - path: /tmp/packages-${{ matrix.arch }}.tar.gz - retention-days: 1 # Low ttl since this is just an intermediary used once - if-no-files-found: warn - - upload-packages: - runs-on: ubuntu-latest-16-cores - needs: build - - # Always run this job for https://github.com/wolfi-dev/os/issues/8698 - if: ${{ always() }} - - permissions: - id-token: write - contents: read - - container: - # NOTE: This step only signs and uploads, so it doesn't need any privileges - image: ghcr.io/wolfi-dev/sdk:latest@sha256:98416ef9cffdea730b9bf88628b07a671683f98e9b9ff60bf45c41d33376b2d6 - - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - egress-policy: audit - - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - - name: Free up runner disk space - run: | - set -x - printf "==> Available space before cleanup\n" - df -h - rm -rf /usr/share/dotnet - rm -rf "$AGENT_TOOLSDIRECTORY" - - printf "==> Available space after cleanup\n" - df -h - - - name: 'Trust the github workspace' - run: | 
- # This is to avoid fatal errors about "dubious ownership" because we are - # running inside of a container action with the workspace mounted in. - git config --global --add safe.directory "$(pwd)" - - - name: 'Download x86_64 package archives' - uses: actions/download-artifact@21e5c25de9cf2ee24742cd3e822327f3be6dd2a3 # v4.1.1 - with: - path: /tmp/artifacts/ - name: packages-x86_64 - - - name: 'Download aarch64 package archives' - uses: actions/download-artifact@21e5c25de9cf2ee24742cd3e822327f3be6dd2a3 # v4.1.1 - with: - path: /tmp/artifacts/ - name: packages-aarch64 - - - name: 'Update the APKINDEX' - run: | - for arch in "aarch64" "x86_64"; do - mkdir -p ./packages/${arch} - - # Consolidate with the built artifacts - tar xvf /tmp/artifacts/packages-${arch}.tar.gz - done - - - name: 'Create APKINDEX tarball' - run: | - # Tar up any 'APKINDEX.*' files {aarch64,x86_64} x {tar.gz,json} - find ./packages/ -name 'APKINDEX.*' > to-include - tar -cvzf /tmp/indexes.tar.gz --files-from to-include - - - name: 'Upload APKINDEX archive to GitHub Artifacts' - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 - with: - name: indexes - path: /tmp/indexes.tar.gz - retention-days: 1 # Low ttl since this is just an intermediary used once - if-no-files-found: warn diff --git a/.github/workflows/build-old.yaml b/.github/workflows/build-old.yaml deleted file mode 100644 index 2e51dca18c..0000000000 --- a/.github/workflows/build-old.yaml +++ /dev/null 
@@ -1,335 +0,0 @@ -name: Build Wolfi OS with make all - -on: - workflow_dispatch: - -# Only run one build at a time to prevent out of sync signatures. -concurrency: build - -permissions: - contents: read - -jobs: - build: - name: Build packages - if: github.repository == 'wolfi-dev/os' - - strategy: - matrix: - arch: [ "x86_64", "aarch64" ] - fail-fast: false - - runs-on: - group: wolfi-os-builder-${{ matrix.arch }} - - permissions: - contents: read - - container: - image: ghcr.io/wolfi-dev/sdk:latest@sha256:98416ef9cffdea730b9bf88628b07a671683f98e9b9ff60bf45c41d33376b2d6 - # TODO: Deprivilege - options: | - --cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/fuse --security-opt seccomp=unconfined --security-opt apparmor:unconfined - - steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - - name: 'Trust the github workspace' - run: | - # This is to avoid fatal errors about "dubious ownership" because we are - # running inside of a container action with the workspace mounted in. - git config --global --add safe.directory "$(pwd)" - - # Build with a local key, we'll resign this with the real key later - - name: 'Generate local signing key' - run: | - make local-melange.rsa - - # Touch it with the epoch date to convince `make` that we don't need to - # rebuild the targets that depend on this (all) - touch -d @0 local-melange.rsa - - - name: 'Prepare package repository' - run: | - # yay wolfi! - apk add gcsfuse google-cloud-sdk - - # Set up a gcsfuse RO mount to the public bucket. This is a cheap and - # cheerful way to recreate the make targets (class A HEADs) locally - # without syncing the whole bucket (class A+B). 
- mkdir -p /gcsfuse/wolfi-registry - gcsfuse -o ro --implicit-dirs --only-dir os wolfi-production-registry-destination /gcsfuse/wolfi-registry - - mkdir -p ./packages/${{ matrix.arch }} - # Symlink the gcsfuse mount to ./packages/ to workaround the Makefile CWD assumptions - for f in /gcsfuse/wolfi-registry/${{ matrix.arch }}/*.apk; do - ln -s "$f" ./packages/${{ matrix.arch }}/ - done - - # Make a copy of the APKINDEX.* since we'll need to write to it on package builds - cp /gcsfuse/wolfi-registry/${{ matrix.arch }}/APKINDEX.* ./packages/${{ matrix.arch }}/ - - # TODO: Replace this with wolfictl build, since the current make build - # method doesn't trigger new builds for dependent updates. - - name: 'Build Wolfi' - run: | - make \ - ARCH=${{ matrix.arch }} \ - MELANGE_EXTRA_OPTS="--keyring-append=/gcsfuse/wolfi-registry/wolfi-signing.rsa.pub" \ - all -j1 - - # Always run this step for https://github.com/wolfi-dev/os/issues/8698 - - if: ${{ always() }} - name: 'Create artifacts tarball' - run: | - set -x - set -e - set -o pipefail - - # Pick up any stragglers that didn't get uploaded in previous builds. - cat ./packages/${{ matrix.arch }}/APKINDEX.tar.gz | tar -Oxz APKINDEX | awk -F':' '$1 == "P" {printf "%s-", $2} $1 == "V" {printf "%s.apk\n", $2}' | sort > indexed.txt - # TODO: Figure out why ls through gcsfuse is so slow. - gcloud storage ls gs://wolfi-production-registry-destination/os/${{ matrix.arch }} | grep ".apk$" | xargs -n1 basename | sort > uploaded.txt - - # Lines that are only in uploaded.txt and not indexed.txt. - comm -13 indexed.txt uploaded.txt > missing.txt - - # Clean up the symlinks to keep only packages we built. - find ./packages/${{ matrix.arch }} -type l -exec rm -f {} \; - - # Merge any missing APKs into our new index. - for missed in $(cat missing.txt); do - # We could do this in one command instead of a loop, but it takes things on argv, which is a bit annoying. 
- melange index --merge \ - --source ./packages/${{ matrix.arch }}/APKINDEX.tar.gz \ - --output new.tar.gz \ - /gcsfuse/wolfi-registry/${{ matrix.arch }}/${missed} - - # Overwrite what we're going to upload (and for the next loop). - mv new.tar.gz ./packages/${{ matrix.arch }}/APKINDEX.tar.gz - done - - diff \ - <(cat /gcsfuse/wolfi-registry/${{ matrix.arch }}/APKINDEX.tar.gz | tar -Oxz APKINDEX) \ - <(cat ./packages/${{ matrix.arch }}/APKINDEX.tar.gz | tar -Oxz APKINDEX) || true - - # Create an archive for uploading - tar -cvzf /tmp/packages-${{ matrix.arch }}.tar.gz ./packages/${{ matrix.arch }} - - # Always run this step for https://github.com/wolfi-dev/os/issues/8698 - - if: ${{ always() }} - name: 'Upload built packages archive to GitHub Artifacts' - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 - with: - name: packages-${{ matrix.arch }} - path: /tmp/packages-${{ matrix.arch }}.tar.gz - retention-days: 1 # Low ttl since this is just an intermediary used once - if-no-files-found: warn - - upload-packages: - runs-on: ubuntu-latest-16-cores - needs: build - - # Always run this job for https://github.com/wolfi-dev/os/issues/8698 - if: ${{ always() }} - - permissions: - id-token: write - contents: read - - container: - # NOTE: This step only signs and uploads, so it doesn't need any privileges - image: ghcr.io/wolfi-dev/sdk:latest@sha256:98416ef9cffdea730b9bf88628b07a671683f98e9b9ff60bf45c41d33376b2d6 - - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - egress-policy: audit - - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - - name: Free up runner disk space - run: | - set -x - rm -rf /usr/share/dotnet - rm -rf "$AGENT_TOOLSDIRECTORY" - - - name: 'Trust the github workspace' - run: | - # This is to avoid fatal errors about "dubious ownership" because we are - # running inside of a container action with the workspace mounted 
in. - git config --global --add safe.directory "$(pwd)" - - - name: 'Download x86_64 package archives' - uses: actions/download-artifact@21e5c25de9cf2ee24742cd3e822327f3be6dd2a3 # v4.1.1 - with: - path: /tmp/artifacts/ - name: packages-x86_64 - - - name: 'Download aarch64 package archives' - uses: actions/download-artifact@21e5c25de9cf2ee24742cd3e822327f3be6dd2a3 # v4.1.1 - with: - path: /tmp/artifacts/ - name: packages-aarch64 - - # This is managed here: https://github.com/chainguard-dev/secrets/blob/main/wolfi-dev.tf - - uses: google-github-actions/auth@a6e2e39c0a0331da29f7fd2c2a20a427e8d3ad1f # v2.1.1 - id: auth - with: - workload_identity_provider: "projects/12758742386/locations/global/workloadIdentityPools/github-pool/providers/github-provider" - service_account: "wolfi-dev@chainguard-github-secrets.iam.gserviceaccount.com" - - uses: google-github-actions/setup-gcloud@5a5f7b85fca43e76e53463acaa9d408a03c98d3a # v2.0.1 - with: - project_id: "chainguard-github-secrets" - - uses: 'google-github-actions/get-secretmanager-secrets@ae0d4054c32840e2ced71207a9df55161ae3debc' # v2.0.0 - id: secrets - with: - secrets: |- - token:chainguard-github-secrets/wolfi-dev-signing-key - - - run: echo "${{ steps.secrets.outputs.token }}" > ./wolfi-signing.rsa - - run: | - mkdir -p /etc/apk/keys - cp ./wolfi-signing.rsa.pub /etc/apk/keys/wolfi-signing.rsa.pub - - - name: 'Update the APKINDEX' - run: | - for arch in "x86_64" "aarch64"; do - mkdir -p ./packages/${arch} - - # Consolidate with the built artifacts - tar xvf /tmp/artifacts/packages-${arch}.tar.gz - - # Sign the APK index - melange sign-index -f --signing-key ./wolfi-signing.rsa packages/${arch}/APKINDEX.tar.gz - - # Only attempt to sign when *.apk's exist. - apks=$(ls ./packages/${arch}/*.apk 2>/dev/null || true) - if [ -n "$apks" ]; then - melange sign --signing-key ./wolfi-signing.rsa ./packages/${arch}/*.apk - fi - done - - # Clean up the signing key before uploading to storage out - # of an abundance of caution. 
- - run: rm ./wolfi-signing.rsa - - # We use a different GSA for our interaction with GCS. - - uses: google-github-actions/auth@f6de81663f7788d05bd15bcce18f0e57f23f0846 # v2.0.1 - with: - workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha" - service_account: "prod-images-ci@prod-images-c6e5.iam.gserviceaccount.com" - - uses: google-github-actions/setup-gcloud@5a5f7b85fca43e76e53463acaa9d408a03c98d3a # v2.0.1 - with: - project_id: "prod-images-c6e5" - - - name: 'Upload packages to GCS' - run: | - for arch in "x86_64" "aarch64"; do - # Only attempt to upload when *.apk's exist - apks=$(ls ./packages/${arch}/*.apk 2>/dev/null || true) - if [ -n "$apks" ]; then - # apks will be cached in CDN for an hour by default. - # Don't upload the object if it already exists. - gcloud --quiet storage cp \ - --no-clobber \ - "./packages/${arch}/*.apk" "gs://wolfi-production-registry-destination/os/${arch}/" - fi - done - - - name: 'Create APKINDEX tarball' - run: | - # Tar up any 'APKINDEX.*' files {aarch64,x86_64} x {tar.gz,json} - find ./packages/ -name 'APKINDEX.*' > to-include - tar -cvzf /tmp/indexes.tar.gz --files-from to-include - - - name: 'Upload APKINDEX archive to GitHub Artifacts' - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 - with: - name: indexes - path: /tmp/indexes.tar.gz - retention-days: 1 # Low ttl since this is just an intermediary used once - if-no-files-found: warn - - upload-index: - runs-on: ubuntu-latest-16-cores - needs: upload-packages - - permissions: - id-token: write - contents: read - - container: - # NOTE: This step only signs and uploads, so it doesn't need any privileges - image: ghcr.io/wolfi-dev/sdk:latest@sha256:98416ef9cffdea730b9bf88628b07a671683f98e9b9ff60bf45c41d33376b2d6 - - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - egress-policy: audit - - 
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - - name: 'Trust the github workspace' - run: | - # This is to avoid fatal errors about "dubious ownership" because we are - # running inside of a container action with the workspace mounted in. - git config --global --add safe.directory "$(pwd)" - - - id: auth - name: 'Authenticate to Google Cloud' - uses: google-github-actions/auth@55bd3a7c6e2ae7cf1877fd1ccb9d54c0503c457c # v2.1.2 - with: - workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha" - service_account: "prod-images-ci@prod-images-c6e5.iam.gserviceaccount.com" - - - uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0 - with: - project_id: prod-images-c6e5 - - - name: 'Download index archive' - uses: actions/download-artifact@21e5c25de9cf2ee24742cd3e822327f3be6dd2a3 # v4.1.1 - with: - path: /tmp/artifacts/ - name: indexes - - - name: 'Upload indexes to GCS' - run: | - tar xvf /tmp/artifacts/indexes.tar.gz - - for arch in "x86_64" "aarch64"; do - # Don't cache the APKINDEX. 
- gcloud --quiet storage cp \ - --cache-control=no-store \ - "./packages/${arch}/APKINDEX.tar.gz" "gs://wolfi-production-registry-destination/os/${arch}/" - - gcloud --quiet storage cp \ - --cache-control=no-store \ - "./packages/${arch}/APKINDEX.json" "gs://wolfi-production-registry-destination/os/${arch}/" - done - - postrun: - name: Notify Slack - runs-on: ubuntu-latest - if: failure() - needs: [build, upload-packages, upload-index] - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - egress-policy: audit - - - uses: rtCamp/action-slack-notify@b24d75fe0e728a4bf9fc42ee217caa686d141ee8 # v2.2.1 - env: - SLACK_ICON: http://github.com/chainguard-dev.png?size=48 - SLACK_USERNAME: guardian - SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }} - SLACK_CHANNEL: C047DK5BUNP - SLACK_MSG_AUTHOR: wolfi-bot - SLACK_COLOR: '#8E1600' - MSG_MINIMAL: 'true' - SLACK_TITLE: '[build-wolfi-os] failure: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}' - SLACK_MESSAGE: | - https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} diff --git a/.github/workflows/build-world.yaml b/.github/workflows/build-world.yaml deleted file mode 100644 index e50b474a0b..0000000000 --- a/.github/workflows/build-world.yaml +++ /dev/null 
@@ -1,81 +0,0 @@ -name: Build Wolfi OS world from bootstrap - -on: - workflow_dispatch: - -# Only run one build at a time to prevent out of sync signatures -concurrency: - group: build-world-${{ github.ref }} - -permissions: - contents: read - -jobs: - build: - name: Build packages - if: github.repository == 'wolfi-dev/os' - - strategy: - matrix: - arch: [ "x86_64", "aarch64" ] - fail-fast: false - - runs-on: - group: wolfi-os-builder-${{ matrix.arch }} - - # Ensure this is deprivileged, isolated job - # permissions: - - container: - image: ghcr.io/wolfi-dev/sdk:latest@sha256:98416ef9cffdea730b9bf88628b07a671683f98e9b9ff60bf45c41d33376b2d6 - # TODO: Deprivilege - options: | - --cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/fuse --security-opt seccomp=unconfined --security-opt apparmor:unconfined - - steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - - name: 'Trust the github workspace' - run: | - # This is to avoid fatal errors about "dubious ownership" because we are - # running inside of a container action with the workspace mounted in. - git config --global --add safe.directory "$(pwd)" - - # Build with a local key, we'll resign this with the real key later - - name: 'Generate local signing key' - run: | - make local-melange.rsa - - - name: 'Build Wolfi World' - run: | - wolfictl build \ - -k local-melange.rsa.pub \ - -r ./packages \ - -k https://packages.wolfi.dev/bootstrap/stage3/wolfi-signing.rsa.pub \ - -r https://packages.wolfi.dev/bootstrap/stage3 \ - --arch=${{ matrix.arch }} \ - --runner=bubblewrap \ - -j10 - - # TODO: See how big these get, maybe we only upload failures and shorten the retention, or throw them in GCS - - name: Upload build logs - if: always() - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 - with: - name: buildlogs - path: ./packages/**/buildlogs/*.log - retention-days: 7 - - # TODO: enable Slack alerts when this is expected to pass reliably. 
- #postrun: - # runs-on: ubuntu-latest - # needs: [build] - # if: failure() - # steps: - # - uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 # v1.23.0 - # id: slack - # with: - # payload: '{"text": "[build-wolfi-world-bootstrap] failure: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"}' - # env: - # SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} - # SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 590b07c543..e4c100bea5 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
@@ -1,366 +1,16 @@ -name: Build Wolfi OS +name: Build -on: - push: - branches: ['main'] - paths-ignore: - - '**.md' - - '**.txt' - - workflow_dispatch: - -# Only run one build at a time to prevent out of sync signatures. -concurrency: build +on: [pull_request] jobs: - build: - name: Build packages - if: github.repository == 'wolfi-dev/os' - - strategy: - matrix: - arch: [ "x86_64", "aarch64" ] - fail-fast: false - - runs-on: - group: wolfi-os-builder-${{ matrix.arch }} - - permissions: - contents: read - - container: - image: ghcr.io/wolfi-dev/sdk:latest@sha256:98416ef9cffdea730b9bf88628b07a671683f98e9b9ff60bf45c41d33376b2d6 - # TODO: Deprivilege - options: | - --cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/fuse --security-opt seccomp=unconfined --security-opt apparmor:unconfined - - steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - - name: 'Trust the github workspace' - run: | - # This is to avoid fatal errors about "dubious ownership" because we are - # running inside of a container action with the workspace mounted in. - git config --global --add safe.directory "$(pwd)" - - # Build with a local key, we'll resign this with the real key later - - name: 'Generate local signing key' - run: | - make local-melange.rsa - - # Touch it with the epoch date to convince `make` that we don't need to - # rebuild the targets that depend on this (all) - touch -d @0 local-melange.rsa - - - name: 'Prepare package repository' - run: | - # yay wolfi! - apk add gcsfuse google-cloud-sdk - - # Set up a gcsfuse RO mount to the public bucket. This is a cheap and - # cheerful way to recreate the make targets (class A HEADs) locally - # without syncing the whole bucket (class A+B). 
- mkdir -p /gcsfuse/wolfi-registry - gcsfuse -o ro --implicit-dirs --only-dir os wolfi-production-registry-destination /gcsfuse/wolfi-registry - - mkdir -p ./packages/${{ matrix.arch }} - # Symlink the gcsfuse mount to ./packages/ to workaround the Makefile CWD assumptions - for f in /gcsfuse/wolfi-registry/${{ matrix.arch }}/*.apk; do - ln -s "$f" ./packages/${{ matrix.arch }}/ - done - - # Make a copy of the APKINDEX.* since we'll need to write to it on package builds - cp /gcsfuse/wolfi-registry/${{ matrix.arch }}/APKINDEX.* ./packages/${{ matrix.arch }}/ - - # TODO: Remove the previous and next steps by folding the logic into wolfictl. - - name: 'Build Wolfi' - run: | - wolfictl build \ - --runner bubblewrap \ - --keyring-append /gcsfuse/wolfi-registry/wolfi-signing.rsa.pub \ - --repository-append ./packages \ - --keyring-append local-melange.rsa.pub \ - --repository-append https://packages.wolfi.dev/os \ - --keyring-append https://packages.wolfi.dev/os/wolfi-signing.rsa.pub \ - --signing-key local-melange.rsa \ - --arch ${{ matrix.arch }} \ - --namespace wolfi \ - --pipeline-dir ./pipelines/ \ - --destination-repository https://packages.wolfi.dev/os \ - --trace ./packages/${{ matrix.arch }}/trace.json - - # Always run this step for https://github.com/wolfi-dev/os/issues/8698 - - if: ${{ always() }} - name: 'Create artifacts tarball' - run: | - set -x - set -e - set -o pipefail - - # Pick up any stragglers that didn't get uploaded in previous builds. - cat ./packages/${{ matrix.arch }}/APKINDEX.tar.gz | tar -Oxz APKINDEX | awk -F':' '$1 == "P" {printf "%s-", $2} $1 == "V" {printf "%s.apk\n", $2}' | sort > indexed.txt - # TODO: Figure out why ls through gcsfuse is so slow. - gcloud storage ls gs://wolfi-production-registry-destination/os/${{ matrix.arch }} | grep ".apk$" | xargs -n1 basename | sort > uploaded.txt - - # Lines that are only in uploaded.txt and not indexed.txt. 
- comm -13 indexed.txt uploaded.txt > missing.txt - - # Clean up the symlinks to keep only packages we built. - find ./packages/${{ matrix.arch }} -type l -exec rm -f {} \; - - # Merge any missing APKs into our new index. - for missed in $(cat missing.txt); do - # We could do this in one command instead of a loop, but it takes things on argv, which is a bit annoying. - melange index --merge \ - --source ./packages/${{ matrix.arch }}/APKINDEX.tar.gz \ - --output new.tar.gz \ - /gcsfuse/wolfi-registry/${{ matrix.arch }}/${missed} - - # Overwrite what we're going to upload (and for the next loop). - mv new.tar.gz ./packages/${{ matrix.arch }}/APKINDEX.tar.gz - done - - diff \ - <(cat /gcsfuse/wolfi-registry/${{ matrix.arch }}/APKINDEX.tar.gz | tar -Oxz APKINDEX) \ - <(cat ./packages/${{ matrix.arch }}/APKINDEX.tar.gz | tar -Oxz APKINDEX) || true - - # Move logs so we can upload them separately. - mv ./packages/${{ matrix.arch }}/buildlogs /tmp/buildlogs - - # Move trace so we can upload it separately. 
- mv ./packages/${{ matrix.arch }}/trace.json /tmp/trace.json - - # Create an archive for uploading - tar -cvzf /tmp/packages-${{ matrix.arch }}.tar.gz ./packages/${{ matrix.arch }} - - # Always run these steps for https://github.com/wolfi-dev/os/issues/8698 - - if: ${{ always() }} - name: 'Upload logs archive to GitHub Artifacts' - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 - with: - name: logs-${{ matrix.arch }} - path: /tmp/buildlogs/ - if-no-files-found: warn - - if: ${{ always() }} - name: 'Upload trace to GitHub Artifacts' - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 - with: - name: trace-${{ matrix.arch }} - path: /tmp/trace.json - if-no-files-found: warn - - if: ${{ always() }} - name: 'Upload built packages archive to GitHub Artifacts' - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 - with: - name: packages-${{ matrix.arch }} - path: /tmp/packages-${{ matrix.arch }}.tar.gz - retention-days: 1 # Low ttl since this is just an intermediary used once - if-no-files-found: warn - - upload-packages: - runs-on: ubuntu-latest-16-cores - needs: build - - # Always run this job for https://github.com/wolfi-dev/os/issues/8698 - if: ${{ always() }} - - permissions: - id-token: write - contents: read - - container: - # NOTE: This step only signs and uploads, so it doesn't need any privileges - image: ghcr.io/wolfi-dev/sdk:latest@sha256:98416ef9cffdea730b9bf88628b07a671683f98e9b9ff60bf45c41d33376b2d6 - - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - egress-policy: audit - - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - - name: Free up runner disk space - run: | - set -x - rm -rf /usr/share/dotnet - rm -rf "$AGENT_TOOLSDIRECTORY" - - - name: 'Trust the github workspace' - run: | - # This is to avoid fatal errors about "dubious ownership" because we are - 
# running inside of a container action with the workspace mounted in. - git config --global --add safe.directory "$(pwd)" - - - name: 'Download x86_64 package archives' - uses: actions/download-artifact@21e5c25de9cf2ee24742cd3e822327f3be6dd2a3 # v4.1.1 - with: - path: /tmp/artifacts/ - name: packages-x86_64 - - - name: 'Download aarch64 package archives' - uses: actions/download-artifact@21e5c25de9cf2ee24742cd3e822327f3be6dd2a3 # v4.1.1 - with: - path: /tmp/artifacts/ - name: packages-aarch64 - - # This is managed here: https://github.com/chainguard-dev/secrets/blob/main/wolfi-dev.tf - - uses: google-github-actions/auth@a6e2e39c0a0331da29f7fd2c2a20a427e8d3ad1f # v2.1.1 - id: auth - with: - workload_identity_provider: "projects/12758742386/locations/global/workloadIdentityPools/github-pool/providers/github-provider" - service_account: "wolfi-dev@chainguard-github-secrets.iam.gserviceaccount.com" - - uses: google-github-actions/setup-gcloud@5a5f7b85fca43e76e53463acaa9d408a03c98d3a # v2.0.1 - with: - project_id: "chainguard-github-secrets" - - uses: 'google-github-actions/get-secretmanager-secrets@ae0d4054c32840e2ced71207a9df55161ae3debc' # v2.0.0 - id: secrets - with: - secrets: |- - token:chainguard-github-secrets/wolfi-dev-signing-key - - - run: echo "${{ steps.secrets.outputs.token }}" > ./wolfi-signing.rsa - - run: | - mkdir -p /etc/apk/keys - cp ./wolfi-signing.rsa.pub /etc/apk/keys/wolfi-signing.rsa.pub - - - name: 'Update the APKINDEX' - run: | - for arch in "aarch64" "x86_64"; do - mkdir -p ./packages/${arch} - - # Consolidate with the built artifacts - tar xvf /tmp/artifacts/packages-${arch}.tar.gz - - # Sign the APK index - melange sign-index -f --signing-key ./wolfi-signing.rsa packages/${arch}/APKINDEX.tar.gz - - # Only attempt to sign when *.apk's exist. 
- apks=$(ls ./packages/${arch}/*.apk 2>/dev/null || true) - if [ -n "$apks" ]; then - melange sign --signing-key ./wolfi-signing.rsa ./packages/${arch}/*.apk - fi - done - - # Clean up the signing key before uploading to storage out - # of an abundance of caution. - - run: rm ./wolfi-signing.rsa - - # We use a different GSA for our interaction with GCS. - - uses: google-github-actions/auth@f6de81663f7788d05bd15bcce18f0e57f23f0846 # v2.0.1 - with: - workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha" - service_account: "prod-images-ci@prod-images-c6e5.iam.gserviceaccount.com" - - uses: google-github-actions/setup-gcloud@5a5f7b85fca43e76e53463acaa9d408a03c98d3a # v2.0.1 - with: - project_id: "prod-images-c6e5" - - - name: 'Upload packages to GCS' - run: | - for arch in "aarch64" "x86_64"; do - # Only attempt to upload when *.apk's exist - apks=$(ls ./packages/${arch}/*.apk 2>/dev/null || true) - if [ -n "$apks" ]; then - # apks will be cached in CDN for an hour by default. - # Don't upload the object if it already exists. 
- gcloud --quiet storage cp \ - --no-clobber \ - "./packages/${arch}/*.apk" "gs://wolfi-production-registry-destination/os/${arch}/" - fi - done - - - name: 'Create APKINDEX tarball' - run: | - # Tar up any 'APKINDEX.*' files {aarch64,x86_64} x {tar.gz,json} - find ./packages/ -name 'APKINDEX.*' > to-include - tar -cvzf /tmp/indexes.tar.gz --files-from to-include - - - name: 'Upload APKINDEX archive to GitHub Artifacts' - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 - with: - name: indexes - path: /tmp/indexes.tar.gz - retention-days: 1 # Low ttl since this is just an intermediary used once - if-no-files-found: warn - - upload-index: - runs-on: ubuntu-latest-16-cores - needs: upload-packages - - permissions: - id-token: write - contents: read - - container: - # NOTE: This step only signs and uploads, so it doesn't need any privileges - image: ghcr.io/wolfi-dev/sdk:latest@sha256:98416ef9cffdea730b9bf88628b07a671683f98e9b9ff60bf45c41d33376b2d6 - - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - egress-policy: audit - - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - - name: 'Trust the github workspace' - run: | - # This is to avoid fatal errors about "dubious ownership" because we are - # running inside of a container action with the workspace mounted in. 
- git config --global --add safe.directory "$(pwd)" - - - id: auth - name: 'Authenticate to Google Cloud' - uses: google-github-actions/auth@55bd3a7c6e2ae7cf1877fd1ccb9d54c0503c457c # v2.1.2 - with: - workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha" - service_account: "prod-images-ci@prod-images-c6e5.iam.gserviceaccount.com" - - - uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0 - with: - project_id: prod-images-c6e5 - - - name: 'Download index archive' - uses: actions/download-artifact@21e5c25de9cf2ee24742cd3e822327f3be6dd2a3 # v4.1.1 - with: - path: /tmp/artifacts/ - name: indexes - - - name: 'Upload indexes to GCS' - run: | - tar xvf /tmp/artifacts/indexes.tar.gz - - for arch in "aarch64" "x86_64"; do - # Don't cache the APKINDEX. - gcloud --quiet storage cp \ - --cache-control=no-store \ - "./packages/${arch}/APKINDEX.tar.gz" "gs://wolfi-production-registry-destination/os/${arch}/" - - gcloud --quiet storage cp \ - --cache-control=no-store \ - "./packages/${arch}/APKINDEX.json" "gs://wolfi-production-registry-destination/os/${arch}/" - done - - postrun: - name: Notify Slack + build-packages: runs-on: ubuntu-latest - if: failure() - needs: [build, upload-packages, upload-index] steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + - uses: actions/checkout@v3 with: - egress-policy: audit + fetch-depth: 0 - - uses: rtCamp/action-slack-notify@f05987dc91a66984f1666f486497def2cf85183d # v2.2.1 - env: - SLACK_ICON: http://github.com/chainguard-dev.png?size=48 - SLACK_USERNAME: guardian - SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }} - SLACK_CHANNEL: C047DK5BUNP - SLACK_MSG_AUTHOR: wolfi-bot - SLACK_COLOR: '#8E1600' - MSG_MINIMAL: 'true' - SLACK_TITLE: '[build-wolfi-os] failure: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}' - SLACK_MESSAGE: | - 
https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
+ # TODO: if new packages list grows, automation of listing packages would be handy
+ - name: Build packages specific to this repo
+ run: |
+ docker run --privileged --rm -v $(pwd):/work cgr.dev/chainguard/melange build --arch=x86_64 poppler.yaml
\ No newline at end of file
diff --git a/.github/workflows/ci-build.yaml b/.github/workflows/ci-build.yaml
deleted file mode 100644
index c73a386d8d..0000000000
--- a/.github/workflows/ci-build.yaml
+++ /dev/null
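Review bot: The new `build-packages` job drops two controls the replaced workflow had: `actions/checkout@v3` is a mutable tag where the removed line was the commit-pinned `actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`, and with no top-level `permissions:` block the job's GITHUB_TOKEN falls back to the repository default instead of `contents: read`. The build step also runs `cgr.dev/chainguard/melange` with no tag or digest under `docker run --privileged` on every `pull_request`, so each run pulls whatever image currently carries the default tag and executes the PR's melange config inside a privileged container; pin the image by digest and quote `$(pwd)` so a workspace path with spaces does not split the `-v` argument. The `step-security/harden-runner` step with `egress-policy: audit` that the deleted jobs used is gone as well, which looks unintended if this is meant to be a minimal rewrite rather than a removal of those controls.
```yaml
# … unchanged: name, on …
permissions:
  contents: read

jobs:
  build-packages:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          fetch-depth: 0
      # … unchanged: TODO comment and step name …
        run: |
          docker run --privileged --rm -v "$(pwd):/work" cgr.dev/chainguard/melange@sha256:<MELANGE_IMAGE_DIGEST_PLACEHOLDER> build --arch=x86_64 poppler.yaml
```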
@@ -1,344 +0,0 @@ -name: CI build action - -on: - pull_request: - branches: ["main"] - push: - branches: - - gh-readonly-queue/main/** - -permissions: - contents: read - -jobs: - changes: - permissions: - contents: read - - name: Determine packages to test building - runs-on: ubuntu-latest - outputs: - packages: ${{steps.package-list.outputs.packages}} - - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - egress-policy: audit - - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - - name: Look for changed files - id: changes - uses: tj-actions/changed-files@2d756ea4c53f7f6b397767d8723b3a10a9f35bf2 # v44.0.0 - with: - files_yaml: | - melange: - - ./*.yaml # Only top level files without structure - - ./*/*/*.melange.yaml # Support recursive melange files with the new naming convention. - - # this need to point to main to always get the latest action - - uses: wolfi-dev/actions/install-wolfictl@main # main - - # Assuming that we have a list of changed files such as `foo.yaml` and `bar.yaml`, this - # strips the list down into `foo` and `bar`. - - name: Build package list - id: package-list - run: | - printf "packages=" >> $GITHUB_OUTPUT - - wolfictl text -t name --pipeline-dir=./pipelines/ \ - -r https://packages.wolfi.dev/bootstrap/stage3 \ - -k https://packages.wolfi.dev/bootstrap/stage3/wolfi-signing.rsa.pub > packages-list - while read pkg; do - for file in ${{ steps.changes.outputs.melange_all_changed_files }}; do - # Since the file is a path, we need to strip out only the file - # name from it. 
- base_file=$(basename $file) - base_file="${base_file%.melange.yaml}" - base_file="${base_file%.yaml}" - printf "base_file: $base_file" - [ "${base_file}" = "$pkg" ] && printf "%s " ${base_file} >> $GITHUB_OUTPUT - done - done < packages-list - - printf "\n" >> $GITHUB_OUTPUT - - build: - name: Test building of packages - strategy: - matrix: - arch: ["x86_64", "aarch64"] - include: - - arch: x86_64 - runner: ubuntu-latest-16-cores - oci: amd64 - - arch: aarch64 - runner: ubuntu-arm-16-cores - oci: arm64 - fail-fast: false - runs-on: ${{ matrix.runner }} - needs: changes - outputs: - packages_were_built: ${{ steps.file_check.outputs.exists }} - - permissions: - contents: read - pull-requests: write # so we have permission to comment on pull requests - - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - egress-policy: audit - - - name: Free up runner disk space - run: | - set -x - printf "==> Available space before cleanup\n" - df -h - rm -rf /usr/share/dotnet - rm -rf "$AGENT_TOOLSDIRECTORY" - - printf "==> Available space after cleanup\n" - df -h - - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Setup Docker - run: | - # Add Docker's official GPG key: - sudo apt-get update -y - sudo apt-get install ca-certificates curl -y - sudo install -m 0755 -d /etc/apt/keyrings - sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc - sudo chmod a+r /etc/apt/keyrings/docker.asc - # Add the repository to Apt sources: - echo \ - "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \ - $(. 
/etc/os-release && echo "$VERSION_CODENAME") stable" | \ - sudo tee /etc/apt/sources.list.d/docker.list > /dev/null - sudo apt-get update -y - sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin - sudo usermod -aG docker $USER - sudo apt-get install acl - sudo setfacl --modify user:$USER:rw /var/run/docker.sock - - - name: "Generate local signing key" - uses: ./.github/actions/docker-run - with: - run: | - make MELANGE="melange" local-melange.rsa - - - name: "Build Wolfi" - uses: ./.github/actions/docker-run - with: - opts: "-v /temp:/temp -v /var/run/docker.sock:/var/run/docker.sock" - run: | - # Use a different shared $TMPDIR accessible and non-conflicting to - # both the host and container since we're running docker out of - # docker - export TMPDIR="/temp" - - # This is to avoid fatal errors about "dubious ownership" because we are - # running inside of a container action with the workspace mounted in. - git config --global --add safe.directory . - - mkdir -p .melangecache - for package in ${{needs.changes.outputs.packages}}; do - make MELANGE_EXTRA_OPTS="--create-build-log --cache-dir=.melangecache" REPO="./packages" package/\$package -j1 - make MELANGE_EXTRA_OPTS="--runner docker" REPO="./packages" "test/\$package" -j1 - done - - - name: "Check that packages can be installed with apk add" - uses: ./.github/actions/docker-run - with: - run: | - # Create a fake linux fs under /tmp/emptyroot to pass to `apk --root`. 
- mkdir -p /tmp/emptyroot/etc/apk - cp -r /etc/apk/* /tmp/emptyroot/etc/apk/ - cat /dev/null > /tmp/emptyroot/etc/apk/world - - mkdir -p /tmp/emptyroot/lib/apk/db - touch /tmp/emptyroot/lib/apk/db/{installed,lock,scripts.tar,triggers} - - mkdir -p /tmp/emptyroot/var/cache/apk - apk update --root /tmp/emptyroot - - # Find .apk files and add them to the string - for f in \$(find packages -name '*.apk'); do - tar -Oxf \$f .PKGINFO - apk add --root /tmp/emptyroot --repository "./packages" --allow-untrusted --simulate \$f - done - - - name: Reset file permissions - run: | - sudo chown -R $(id -u):$(id -g) . - - - name: Check SBOMs - uses: ./.github/actions/docker-run - with: - run: | - apk add py3-ntia-conformance-checker spdx-tools-java - for f in \$(find packages -name '*.apk'); do - echo ==== Checking SBOM for \$f ==== - tar -Oxf \$f var/lib/db/sbom/ > sbom.json - echo ::group::sbom.json - cat sbom.json - echo ::endgroup:: - ntia-checker -v --file sbom.json - tools-java Verify sbom.json - done - - - name: Check for file - id: file_check - run: | - if test -f "packages.log"; then - cat packages.log - echo "exists=true" >> $GITHUB_OUTPUT - else - echo "exists=false" >> $GITHUB_OUTPUT - fi - touch packages.log - - - name: Check diff - if: steps.file_check.outputs.exists == 'true' - # Let's not fail the whole job if this step fails as it is for improved UX rather than an enforced check - continue-on-error: true - uses: ./.github/actions/docker-run - with: - run: | - wolfictl check diff - - - name: Check for diff file - id: diff_file_check - run: | - if test -f "diff.log"; then - cat diff.log - echo "exists=true" >> $GITHUB_OUTPUT - else - echo "exists=false" >> $GITHUB_OUTPUT - fi - - # Use the x86_64 build results for the comment for now so we don't have duplicates. 
- - name: PR comment diff - if: steps.diff_file_check.outputs.exists == 'true' && matrix.arch == 'x86_64' - uses: thollander/actions-comment-pull-request@fabd468d3a1a0b97feee5f6b9e499eab0dd903f6 # v2.5.0 - # We're seeing jobs using merge queues fail - continue-on-error: true - with: - filePath: diff.log - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: "Upload built packages to GitHub artifacts" - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 - with: - path: | - ./packages/${{ matrix.arch }} - ./packages.log - name: packages-${{ matrix.arch }} - retention-days: 1 - if-no-files-found: warn - - so_check: - permissions: - contents: read - - name: "ABI Compatibility check" - runs-on: ubuntu-latest - needs: build - if: needs.build.outputs.packages_were_built == 'true' - - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - egress-policy: audit - - - name: "Retrieve x86_64 packages" - uses: actions/download-artifact@21e5c25de9cf2ee24742cd3e822327f3be6dd2a3 # v4.1.1 - with: - name: packages-x86_64 - path: /tmp/artifacts-1/ - - - name: "Retrieve aarch64 packages" - uses: actions/download-artifact@21e5c25de9cf2ee24742cd3e822327f3be6dd2a3 # v4.1.1 - with: - name: packages-aarch64 - path: /tmp/artifacts-2/ - - - name: "Collect packages from all architectures into one place" - run: | - cd /tmp/artifacts-1 - - # Put the packages into one place (if aarch64 logs exist) - if test -f "/tmp/artifacts-2/packages"; then - mv /tmp/artifacts-2/packages/* ./packages/ - # Merge the build log ("packages.log") files - cat /tmp/artifacts-2/packages.log >> ./packages.log - fi - - # this need to point to main to always get the latest action - - uses: wolfi-dev/actions/install-wolfictl@main # main - - - name: Soname check - run: | - wolfictl check so-name --packages-dir /tmp/artifacts-1/packages --package-list-file /tmp/artifacts-1/packages.log - - scan: - permissions: - contents: 
read - - name: "Scan packages for CVEs" - runs-on: ubuntu-latest - needs: build - if: needs.build.outputs.packages_were_built == 'true' - - timeout-minutes: 30 - - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - egress-policy: audit - - - name: "Retrieve x86_64 packages" - uses: actions/download-artifact@21e5c25de9cf2ee24742cd3e822327f3be6dd2a3 # v4.1.1 - with: - name: packages-x86_64 - path: /tmp/artifacts-1/ - - - name: "Retrieve aarch64 packages" - uses: actions/download-artifact@21e5c25de9cf2ee24742cd3e822327f3be6dd2a3 # v4.1.1 - with: - name: packages-aarch64 - path: /tmp/artifacts-2/ - - - name: "Collect packages from all architectures into one place" - run: | - cd /tmp/artifacts-1 - - # Put the packages into one place (if aarch64 logs exist) - if test -f "/tmp/artifacts-2/packages"; then - mv /tmp/artifacts-2/packages/* ./packages/ - # Merge the build log ("packages.log") files - cat /tmp/artifacts-2/packages.log >> ./packages.log - fi - - - name: "Retrieve Wolfi advisory data" - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - repository: "wolfi-dev/advisories" - path: "data/wolfi-advisories" - - # this need to point to main to always get the latest action - - uses: wolfi-dev/actions/install-wolfictl@main # main - - - name: Scan for CVEs - run: | - wolfictl scan \ - --build-log \ - --advisories-repo-dir 'data/wolfi-advisories' \ - --advisory-filter 'resolved' \ - --require-zero \ - /tmp/artifacts-1 \ - 2> /dev/null # The error message renders strangely on GitHub Actions, and the important information is already being sent to stdout. diff --git a/.github/workflows/delete-old-branches.yaml b/.github/workflows/delete-old-branches.yaml deleted file mode 100644 index cbcdd7d370..0000000000 --- a/.github/workflows/delete-old-branches.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -name: Delete old branches - -on: - schedule: - - cron: "0 0 * * *" - workflow_dispatch: - -permissions: - contents: read - -jobs: - cleanup_old_branches: - runs-on: ubuntu-latest - - if: github.repository == 'wolfi-dev/os' - - permissions: - id-token: write # To gitsign and federate - - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - egress-policy: audit - - - uses: octo-sts/action@6177b4481c00308b3839969c3eca88c96a91775f # v1.0.0 - id: octo-sts - with: - scope: ${{ github.repository }} - identity: delete-branches - - # this need to point to main to always get the latest action - - uses: wolfi-dev/actions/install-wolfictl@main # main - - - name: Delete Branches - run: | - wolfictl gh gc branch https://github.com/wolfi-dev/os --match "wolfictl-" - env: - GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }} diff --git a/.github/workflows/digestabot.yaml b/.github/workflows/digestabot.yaml deleted file mode 100644 index d514b6f7b0..0000000000 --- a/.github/workflows/digestabot.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -name: Image digest update - -on: - workflow_dispatch: - schedule: - - cron: "0 1 * * *" - -permissions: - contents: read - -jobs: - image-update: - name: Image digest update - runs-on: ubuntu-latest - if: github.repository == 'wolfi-dev/os' - - permissions: - contents: read # To clone the repo - id-token: write # To gitsign and federate - - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - egress-policy: audit - - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - - uses: octo-sts/action@6177b4481c00308b3839969c3eca88c96a91775f # v1.0.0 - id: octo-sts - with: - scope: ${{ github.repository }} - identity: digestabot - - - uses: chainguard-dev/digestabot@4298e530896fb4164f9c89030c561b75b9321149 # v1.0.2 - with: - token: ${{ steps.octo-sts.outputs.token }} - author: "octo-sts[bot] <157150467+octo-sts[bot]@users.noreply.github.com>" - committer: "octo-sts[bot] <157150467+octo-sts[bot]@users.noreply.github.com>" diff --git a/.github/workflows/lint-world.yaml b/.github/workflows/lint-world.yaml deleted file mode 100644 index a5d1b05c44..0000000000 --- a/.github/workflows/lint-world.yaml +++ /dev/null 
@@ -1,183 +0,0 @@ -name: Lint Wolfi OS World - -on: - workflow_dispatch: - -env: - EPHEMERAL_BUILD_PROJECT_ID: "prod-wolfi-os" - EPHEMERAL_BUILD_SERVICE_ACCOUNT: "wolfi-build-ephemeral-ci@prod-wolfi-os.iam.gserviceaccount.com" - EPHEMERAL_BUILD_WORKLOAD_IDENTITY_PROVIDER: "projects/728015869174/locations/global/workloadIdentityPools/github/providers/github" - EPHEMERAL_BUILD_NETWORK: "wolfi-build-ephemeral-vpc" - EPHEMERAL_BUILD_REGION: "us-central1" - -permissions: - contents: read - -jobs: - build: - name: Build packages - if: github.repository == 'wolfi-dev/os' - - strategy: - matrix: - arch: [ "x86_64", "aarch64" ] - fail-fast: false - - permissions: - id-token: write - contents: read - - runs-on: - # The host arch doesn't really matter, but use the self hosted runners because we want beefier machines. The network/io bandwidth for these builds are intense. - group: wolfi-os-builder-${{ matrix.arch }} - - container: - image: ghcr.io/wolfi-dev/sdk:latest@sha256:98416ef9cffdea730b9bf88628b07a671683f98e9b9ff60bf45c41d33376b2d6 - - steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - - name: 'Trust the github workspace' - run: | - # This is to avoid fatal errors about "dubious ownership" because we are - # running inside of a container action with the workspace mounted in. 
- git config --global --add safe.directory "$(pwd)" - - - name: 'Authenticate to Google Cloud' - uses: google-github-actions/auth@55bd3a7c6e2ae7cf1877fd1ccb9d54c0503c457c # v2.1.2 - with: - workload_identity_provider: ${{ env.EPHEMERAL_BUILD_WORKLOAD_IDENTITY_PROVIDER }} - service_account: ${{ env.EPHEMERAL_BUILD_SERVICE_ACCOUNT }} - - - run: apk add google-cloud-sdk gke-gcloud-auth-plugin kubectl-default - - uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0 - with: - project_id: ${{ env.EPHEMERAL_BUILD_PROJECT_ID }} - skip_install: true - - - name: Configure GCR auth - run: gcloud auth configure-docker - - - name: 'Setup workflow variables' - run: | - # Create a globally unique cluster name for each run (including retries) - echo "cluster_name=tmp-world-builder-$(date +%s)" >> "$GITHUB_ENV" - - # Build with a local key, we'll resign this with the real key later - - name: 'Generate local signing key' - run: | - make local-melange.rsa - - - name: Setup k8s runner configs - run: | - cat > .melange.k8s.yaml < /dev/null - sudo apt-get update -y - sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin - sudo usermod -aG docker $USER - sudo apt-get install acl - sudo setfacl --modify user:$USER:rw /var/run/docker.sock - - # this need to point to main to always get the latest action - - uses: wolfi-dev/actions/install-wolfictl@main # main - - - name: "Set up environment and test" - run: | - set -x - set -e - set -o pipefail - - mkdir -p ./packages/${{ matrix.arch }} - - # Don't use ./packages or a local key since we're not using any local packages - wolfictl test \ - --runner docker \ - --repository-append https://packages.wolfi.dev/os \ - --keyring-append https://packages.wolfi.dev/os/wolfi-signing.rsa.pub \ - --arch ${{ matrix.arch }} \ - --trace ./packages/${{ matrix.arch }}/trace.json - - - name: Reset file permissions - run: sudo chown -R $(id -u):$(id -g) . 
- - - name: Create an archive for uploading - if: ${{ always() }} - run: | - # Move logs so we can upload them separately. - mv ./packages/${{ matrix.arch }}/testlogs /tmp/testlogs - - # Move trace so we can upload it separately. - mv ./packages/${{ matrix.arch }}/trace.json /tmp/trace.json - - # Always run these steps for https://github.com/wolfi-dev/os/issues/8698 - - if: ${{ always() }} - name: "Upload logs archive to GitHub Artifacts" - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 - with: - name: logs-${{ matrix.arch }} - path: /tmp/testlogs/ - if-no-files-found: warn - - if: ${{ always() }} - name: "Upload trace to GitHub Artifacts" - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 - with: - name: trace-${{ matrix.arch }} - path: /tmp/trace.json - if-no-files-found: warn diff --git a/.github/workflows/update-cache.yaml b/.github/workflows/update-cache.yaml deleted file mode 100644 index 303915ac4d..0000000000 --- a/.github/workflows/update-cache.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ -name: Update prod cache of build materials - -on: - workflow_dispatch: - # Triggers the workflow every six hours - schedule: - - cron: "0 */6 * * *" - -env: - PROJECT: prod-images-c6e5 - FQ_SERVICE_ACCOUNT: prod-images-ci@prod-images-c6e5.iam.gserviceaccount.com - SOURCE_CACHE_BUCKET: wolfi-sources - -permissions: - contents: read - -jobs: - update-cache: - runs-on: ubuntu-latest - if: github.repository == 'wolfi-dev/os' - - permissions: - contents: read - id-token: write - - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - egress-policy: audit - - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - - uses: chainguard-dev/actions/setup-melange@2cadca168a422313df94f6169691a86498ae51b1 # main - - - uses: google-github-actions/auth@55bd3a7c6e2ae7cf1877fd1ccb9d54c0503c457c # v2.1.2 - with: - workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha" - service_account: ${{env.FQ_SERVICE_ACCOUNT}} - - - uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0 - with: - project_id: ${{env.PROJECT}} - - - name: 'Update cache of build materials for all packages' - run: | - for cfg in $(ls -1 | grep '.*\.yaml'); do - echo "Updating cache for ${cfg}..."; - melange update-cache --cache-dir gs://${{env.SOURCE_CACHE_BUCKET}}/ "${cfg}" || true; - done diff --git a/.github/workflows/withdraw-packages.yaml b/.github/workflows/withdraw-packages.yaml deleted file mode 100644 index 969ec4eeb5..0000000000 --- a/.github/workflows/withdraw-packages.yaml +++ /dev/null 
@@ -1,121 +0,0 @@ -name: Withdraw packages - -on: - workflow_dispatch: - -# Don't withdraw during builds, to prevent out of sync signatures. -concurrency: build - -permissions: - contents: read - -jobs: - withdraw: - name: Withdraw packages - runs-on: ubuntu-latest - - permissions: - id-token: write - contents: read - - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - egress-policy: audit - - - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 - with: - fetch-depth: 0 # We want the full history for uploading withdrawn-packages.txt to GCS. If this takes too long, we look at merging both files. - - # this need to point to main to always get the latest action - - name: "Install wolfictl onto PATH" - uses: wolfi-dev/actions/install-wolfictl@main # main - - # This is managed here: https://github.com/chainguard-dev/secrets/blob/main/wolfi-dev.tf - - uses: google-github-actions/auth@a6e2e39c0a0331da29f7fd2c2a20a427e8d3ad1f # v2.1.1 - id: auth - with: - workload_identity_provider: "projects/12758742386/locations/global/workloadIdentityPools/github-pool/providers/github-provider" - service_account: "wolfi-dev@chainguard-github-secrets.iam.gserviceaccount.com" - - - uses: google-github-actions/setup-gcloud@5a5f7b85fca43e76e53463acaa9d408a03c98d3a # v2.0.1 - with: - project_id: "chainguard-github-secrets" - - - uses: 'google-github-actions/get-secretmanager-secrets@ae0d4054c32840e2ced71207a9df55161ae3debc' # v2.0.0 - id: secrets - with: - secrets: |- - token:chainguard-github-secrets/wolfi-dev-signing-key - - - run: echo "${{ steps.secrets.outputs.token }}" > ./wolfi-signing.rsa - - run: | - sudo mkdir -p /etc/apk/keys - sudo cp ./wolfi-signing.rsa.pub /etc/apk/keys/wolfi-signing.rsa.pub - - - name: Withdraw from index - run: | - set -euo pipefail - for arch in x86_64 aarch64; do - mkdir -p $arch - curl https://packages.wolfi.dev/os/$arch/APKINDEX.tar.gz | wolfictl withdraw 
$(grep -v '\#' withdrawn-packages.txt) --signing-key="${{ github.workspace }}/wolfi-signing.rsa" > $arch/APKINDEX.tar.gz - done - - # We use a different GSA for our interaction with GCS. - - uses: google-github-actions/auth@f6de81663f7788d05bd15bcce18f0e57f23f0846 # v2.0.1 - with: - workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha" - service_account: "prod-images-ci@prod-images-c6e5.iam.gserviceaccount.com" - - - uses: google-github-actions/setup-gcloud@5a5f7b85fca43e76e53463acaa9d408a03c98d3a # v2.0.1 - with: - project_id: "prod-images-c6e5" - - - name: Delete withdrawn packages - run: | - set -euo pipefail - for arch in x86_64 aarch64; do - for pkg in $(grep -v '\#' withdrawn-packages.txt); do - echo "=> $pkg" - gsutil -m rm -f gs://wolfi-production-registry-destination/os/$arch/$pkg || true - done - done - - - name: Upload modified index - run: | - set -euxo pipefail - for arch in x86_64 aarch64; do - gsutil -h "Cache-Control:no-store" cp $arch/APKINDEX.tar.gz gs://wolfi-production-registry-destination/os/$arch/APKINDEX.tar.gz || true - done - - - name: Upload full withdrawn packages list - run: | - set -euxo pipefail - git log -p -- withdrawn-packages.txt | grep "^+" | grep ".apk$" | cut -c2- | sort | uniq > all-withdrawn-packages.txt - gsutil cp \ - all-withdrawn-packages.txt \ - gs://wolfi-production-registry-destination/os/withdrawn-packages.txt - - - name: Delete sbom packages from the lifecycle automation - run: | - set -euo pipefail - for arch in x86_64 aarch64; do - for pkg in $(grep -v '\#' withdrawn-packages.txt); do - echo "=> $pkg" - gsutil -m rm -f gs://insights-apk-sbom-prod/wolfi-production-registry-destination/os/$arch/$pkg.sbom.json || true - done - done - - - uses: rtCamp/action-slack-notify@f05987dc91a66984f1666f486497def2cf85183d # v2.2.1 - if: failure() - env: - SLACK_ICON: http://github.com/chainguard-dev.png?size=48 - SLACK_USERNAME: guardian - 
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} - SLACK_CHANNEL: chainguard-images-alerts - SLACK_COLOR: '#8E1600' - MSG_MINIMAL: 'true' - SLACK_TITLE: '[withdraw-packages] failure: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}' - SLACK_MESSAGE: | - https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} diff --git a/.github/workflows/wolfictl-check-update.yaml b/.github/workflows/wolfictl-check-update.yaml deleted file mode 100644 index 69b8744769..0000000000 --- a/.github/workflows/wolfictl-check-update.yaml +++ /dev/null @@ -1,45 +0,0 @@ -name: Wolfictl Check Updates - -on: - pull_request: - branches: - - 'main' - push: - branches: - - gh-readonly-queue/main/** - -permissions: - contents: read - -jobs: - lint: - name: Wolfictl Check Updates - runs-on: ubuntu-latest - - permissions: - contents: read - - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - egress-policy: audit - - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - - name: Get changed files - id: files - uses: tj-actions/changed-files@2d756ea4c53f7f6b397767d8723b3a10a9f35bf2 # v44.0.0 - with: - separator: ' ' - files: "*.yaml" - files_ignore: ".yam.yaml" - - - name: Check - id: check - # this need to point to main to always get the latest action - uses: wolfi-dev/actions/wolfictl-check-updates@main # main - if: ${{ steps.files.outputs.all_changed_files != '' }} - with: - token: ${{ secrets.GITHUB_TOKEN }} - changed_files: ${{ steps.files.outputs.all_changed_files }} diff --git a/.github/workflows/wolfictl-lint.yaml b/.github/workflows/wolfictl-lint.yaml deleted file mode 100644 index c75cb322e3..0000000000 --- a/.github/workflows/wolfictl-lint.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -name: Wolfictl Lint - -on: - pull_request: - branches: - - 'main' - push: - branches: - - gh-readonly-queue/main/** - -permissions: - contents: read - -jobs: - lint: - name: Wolfictl Lint - runs-on: ubuntu-latest - - if: github.repository == 'wolfi-dev/os' - - permissions: - contents: read - - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - egress-policy: audit - - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - # this need to point to main to always get the latest action - - uses: wolfi-dev/actions/wolfictl-lint@main # main diff --git a/.github/workflows/wolfictl-update-gh.yaml b/.github/workflows/wolfictl-update-gh.yaml deleted file mode 100644 index 5d77e6f31a..0000000000 --- a/.github/workflows/wolfictl-update-gh.yaml +++ /dev/null @@ -1,43 +0,0 @@ -name: Wolfictl Update From GitHub - -on: - workflow_dispatch: - # Triggers the workflow every hour - schedule: - - cron: "0 * * * *" - -permissions: - contents: read - id-token: write - -env: - GIT_AUTHOR_NAME: wolfi-bot - GIT_AUTHOR_EMAIL: 121097084+wolfi-bot@users.noreply.github.com - -jobs: - update: - name: Wolfictl Update - if: github.repository == 'wolfi-dev/os' - runs-on: ubuntu-latest - - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - egress-policy: audit - - - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 - - - uses: octo-sts/action@6177b4481c00308b3839969c3eca88c96a91775f # v1.0.0 - id: octo-sts - with: - scope: ${{ github.repository }} - identity: github-updates - - # this need to point to main to always get the latest action - - uses: wolfi-dev/actions/wolfictl-update-gh@main # main - with: - repository: ${{github.repository}} - token: ${{ steps.octo-sts.outputs.token }} - git_author_name: ${{ env.GIT_AUTHOR_NAME }} - git_author_email: ${{ env.GIT_AUTHOR_EMAIL }} 
diff --git a/.github/workflows/wolfictl-update-rm.yaml b/.github/workflows/wolfictl-update-rm.yaml deleted file mode 100644 index 340a1e5fc3..0000000000 --- a/.github/workflows/wolfictl-update-rm.yaml +++ /dev/null @@ -1,44 +0,0 @@ -name: Wolfictl Update From Release Monitor - -on: - workflow_dispatch: - # Triggers the workflow every hour - schedule: - - cron: "0 * * * *" - -permissions: - contents: read - id-token: write - -env: - GIT_AUTHOR_NAME: wolfi-bot - GIT_AUTHOR_EMAIL: 121097084+wolfi-bot@users.noreply.github.com - -jobs: - update: - name: Wolfictl Update - if: github.repository == 'wolfi-dev/os' - runs-on: ubuntu-latest - - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - egress-policy: audit - - - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 - - - uses: octo-sts/action@6177b4481c00308b3839969c3eca88c96a91775f # v1.0.0 - id: octo-sts - with: - scope: ${{ github.repository }} - identity: release-monitoring-updates - - # this need to point to main to always get the latest action - - uses: wolfi-dev/actions/wolfictl-update-rm@main # main - with: - repository: ${{github.repository}} - release_monitor_token: ${{ secrets.RELEASE_MONITOR_TOKEN }} - token: ${{ steps.octo-sts.outputs.token }} - git_author_name: ${{ env.GIT_AUTHOR_NAME }} - git_author_email: ${{ env.GIT_AUTHOR_EMAIL }} From e796349427826b7ccb17b4b78d31eb352cf3884c Mon Sep 17 00:00:00 2001 From: Tomasz Cichoszewski <56021254+tomasz-h2o@users.noreply.github.com> Date: Fri, 31 May 2024 12:48:32 +0200 Subject: [PATCH 04/15] Upload package index on main build (#8) --- .github/workflows/push-packages.yaml | 35 ++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 .github/workflows/push-packages.yaml diff --git a/.github/workflows/push-packages.yaml b/.github/workflows/push-packages.yaml new file mode 100644 index 0000000000..9a225785c1 --- /dev/null 
+++ b/.github/workflows/push-packages.yaml
@@ -0,0 +1,35 @@
+name: Push packages
+
+on:
+ push:
+ branches:
+ - main
+
+jobs:
+ build-packages:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - name: Save private key to temp file
+ run: 'echo "$SECRET" > melange.rsa'
+ env:
+ SECRET: ${{ secrets.MELANGE_PRIVATE_KEY }}
+
+ # TODO: if new packages list grows, automation of listing packages would be handy
+ - name: Build signed packages specific to this repo
+ run: |
+ docker run --privileged --rm -v $(pwd):/work cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 poppler.yaml
+
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v3
+ with:
+ aws-access-key-id: ${{ secrets.AWS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ aws-region: us-east-1
+
+ - name: Upload index to s3
+ run: |
+ aws s3 cp --recursive packages/x86_64 s3://wolfi-packages/x86_64 --acl public-read
\ No newline at end of file
From e57ab809c1720d686d6634505a14b818f06a46bb Mon Sep 17 00:00:00 2001
From: Tomasz Cichoszewski <56021254+tomasz-h2o@users.noreply.github.com>
Date: Fri, 31 May 2024 14:09:35 +0200
Subject: [PATCH 05/15] Added glib and glib-gir dependencies (#9)

---
 poppler.yaml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/poppler.yaml b/poppler.yaml
index ee6f3bfd65..3decd7c3eb 100644
--- a/poppler.yaml
+++ b/poppler.yaml
@@ -20,6 +20,8 @@ environment:
 - libnss-dev
 - libnspr-dev
 - tiff-dev
+ - glib-dev
+ - glib-gir
 - zlib-dev
 - openjpeg-dev
 - openjpeg-tools
@@ -56,4 +58,7 @@ pipeline:
 -DENABLE_LIBCURL=OFF \
 -DENABLE_QT5=OFF \
 -DENABLE_QT6=OFF \
- -DENABLE_UNSTABLE_API_ABI_HEADERS=ON
\ No newline at end of file
+ -DENABLE_UNSTABLE_API_ABI_HEADERS=ON
+ cmake --build build
+
+ - uses: strip
\ No newline at end of file
From 02bbb1a396611953689c44fae7bb56703b2f1cd7 Mon Sep 17 00:00:00 2001
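Review bot: The job has no `permissions:` block and both actions are referenced by mutable tags (`actions/checkout@v3`, `aws-actions/configure-aws-credentials@v3`), while every workflow this series deletes pinned its actions to a commit SHA and scoped `permissions: contents: read`; a job holding `MELANGE_PRIVATE_KEY` and AWS keys is where that discipline matters most. The private key is written to `melange.rsa` inside the checkout and bind-mounted into a `--privileged` container, and no step removes it afterwards, which matters if this ever runs on a non-ephemeral runner. Authentication to S3 uses long-lived static keys rather than the OIDC (`id-token: write`) flow the deleted workflows used, which is worth revisiting once the repository settles. The lines below add the least-privilege token, pin the actions (SHA left as a placeholder), and remove the key when the job ends; `--acl public-read` is presumably intended for a public index and is left as is.
```yaml
permissions:
  contents: read

jobs:
  build-packages:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<pinned-commit-sha> # v3
        with:
          fetch-depth: 0
      # … unchanged: save private key, build signed packages …
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@<pinned-commit-sha> # v3
      # … unchanged: credential inputs, upload index to s3 …
      - name: Remove signing key
        if: ${{ always() }}
        run: rm -f melange.rsa
```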
From: Tomasz Cichoszewski <56021254+tomasz-h2o@users.noreply.github.com>
Date: Mon, 3 Jun 2024 10:54:18 +0200
Subject: [PATCH 06/15] Fix provisioning of binaries in poppler package (#10)

* Fixed installing binaries and libs into package
---
 poppler.yaml | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/poppler.yaml b/poppler.yaml
index 3decd7c3eb..d34bf8cd15 100644
--- a/poppler.yaml
+++ b/poppler.yaml
@@ -53,12 +53,21 @@ pipeline:
 -DCMAKE_BUILD_TYPE=RelWithDebInfo \
 -DCMAKE_INSTALL_LIBDIR=lib \
 -DCMAKE_INSTALL_PREFIX=/usr \
+ -DCMAKE_SYSTEM_NAME=Linux \
+ -DCMAKE_HOST_SYSTEM_NAME=Linux \
 -DENABLE_BOOST=ON \
 -DENABLE_GPGME=OFF \
 -DENABLE_LIBCURL=OFF \
 -DENABLE_QT5=OFF \
 -DENABLE_QT6=OFF \
- -DENABLE_UNSTABLE_API_ABI_HEADERS=ON
- cmake --build build
+ -DENABLE_UNSTABLE_API_ABI_HEADERS=ON \
+ -DCMAKE_BUILD_WITH_INSTALL_RPATH=TRUE \
+ -DCMAKE_INSTALL_RPATH=/usr/bin
+
+ - runs: |
+ cmake --build build
+
+ - runs: |
+ DESTDIR="${{targets.destdir}}" cmake --install build
 - uses: strip
\ No newline at end of file
From eb19f4b51f9959435529c01f7d2e01cfd05efcec Mon Sep 17 00:00:00 2001
From: Tomasz Cichoszewski <56021254+tomasz-h2o@users.noreply.github.com>
Date: Wed, 19 Jun 2024 10:22:41 +0200
Subject: [PATCH 07/15] Introduced package font-liberation1 (#11)

---
 .github/workflows/build.yaml | 3 +-
 .github/workflows/push-packages.yaml | 5 +--
 font-liberation1.yaml | 47 ++++++++++++++++++++++++++++
 3 files changed, 52 insertions(+), 3 deletions(-)
 create mode 100644 font-liberation1.yaml

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index e4c100bea5..743b4cee4a 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
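Review bot: `-DCMAKE_INSTALL_RPATH=/usr/bin` embeds a binary directory as the runtime library search path of every installed executable and library, and no shared object lives there; with `-DCMAKE_INSTALL_PREFIX=/usr` and `-DCMAKE_INSTALL_LIBDIR=lib` the libraries land in /usr/lib, which the loader already searches, so both `-DCMAKE_BUILD_WITH_INSTALL_RPATH=TRUE \` and `-DCMAKE_INSTALL_RPATH=/usr/bin` can be dropped (the `-DENABLE_UNSTABLE_API_ABI_HEADERS=ON` line then ends without the trailing backslash). Setting `-DCMAKE_SYSTEM_NAME=Linux` by hand also marks the configuration as cross-compiling in CMake, which changes how try_run and some find_* lookups behave; unless it fixed a concrete failure it is safer to leave unset. The `- uses: strip` line still carries no trailing newline, which the following commits keep propagating.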
@@ -13,4 +13,5 @@ jobs: # TODO: if new packages list grows, automation of listing packages would be handy - name: Build packages specific to this repo run: | - docker run --privileged --rm -v $(pwd):/work cgr.dev/chainguard/melange build --arch=x86_64 poppler.yaml \ No newline at end of file + docker run --privileged --rm -v $(pwd):/work cgr.dev/chainguard/melange build --arch=x86_64 poppler.yaml + docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/font-liberation1.yaml:/work/font-liberation1.yaml cgr.dev/chainguard/melange build --arch=x86_64 font-liberation1.yaml diff --git a/.github/workflows/push-packages.yaml b/.github/workflows/push-packages.yaml index 9a225785c1..3f69854646 100644 --- a/.github/workflows/push-packages.yaml +++ b/.github/workflows/push-packages.yaml @@ -21,8 +21,9 @@ jobs: # TODO: if new packages list grows, automation of listing packages would be handy - name: Build signed packages specific to this repo run: | - docker run --privileged --rm -v $(pwd):/work cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 poppler.yaml - + docker run --privileged --rm -v $(pwd):/work cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 poppler.yaml\ docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/font-liberation1.yaml:/work/font-liberation1.yaml cgr.dev/chainguard/melange build --arch=x86_64 font-liberation1.yaml + docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/font-liberation1.yaml:/work/font-liberation1.yaml cgr.dev/chainguard/melange build --arch=x86_64 font-liberation1.yaml + - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v3 with: diff --git a/font-liberation1.yaml b/font-liberation1.yaml new file mode 100644 index 0000000000..9e7ffcca93 --- /dev/null +++ b/font-liberation1.yaml 
@@ -0,0 +1,47 @@ +# Generated from https://git.alpinelinux.org/aports/plain/main/font-liberation/APKBUILD +package: + name: font-liberation1 + version: 1.07.5 + epoch: 0 + description: Fonts to replace commonly used Microsoft Windows fonts + copyright: + - license: OFL-1.1 + +environment: + contents: + keyring: + - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub + repositories: + - https://packages.wolfi.dev/os + packages: + - autoconf + - automake + - build-base + - busybox + - ca-certificates-bundle + - fontconfig + +pipeline: + - uses: fetch + with: + expected-sha256: 201f64cc3c0f625b64098fb1fc4578680662956df49af233965f0dd45b4aa973 + uri: https://github.com/liberationfonts/liberation-1.7-fonts/files/2175699/liberation-fonts-ttf-${{package.version}}.tar.gz + + - runs: | + mkdir -p ${{targets.destdir}}/usr/share/fonts/${{package.name}} \ + ${{targets.destdir}}/etc/fonts/conf.avail \ + ${{targets.destdir}}/etc/fonts/conf.d + + install -D -m644 ./*.ttf -t ${{targets.destdir}}/usr/share/fonts/${{package.name}}/ + + for i in $(find . -name '*.conf'); do + install -D -m644 "$i" -t ${{targets.destdir}}/etc/fonts/conf.avail/ + ln -sf /etc/fonts/conf.avail/$i ${{targets.destdir}}/etc/fonts/conf.d/$i + done + + - uses: strip + +update: + enabled: true + release-monitor: + identifier: 16833 From 60af5bfc536b02df00892d07203c29931b8e8341 Mon Sep 17 00:00:00 2001 From: Tomasz Cichoszewski <56021254+tomasz-h2o@users.noreply.github.com> Date: Wed, 19 Jun 2024 10:26:56 +0200 Subject: [PATCH 08/15] Push packages fix (#12) --- .github/workflows/push-packages.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/push-packages.yaml b/.github/workflows/push-packages.yaml index 3f69854646..913d15878a 100644 --- a/.github/workflows/push-packages.yaml +++ b/.github/workflows/push-packages.yaml 
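Review bot: `update.enabled: true` with `release-monitor: identifier: 16833` will have the update bot propose the upstream's current 2.x releases for a package whose name (`font-liberation1`) and fetch URI (a 1.7-only repository) are deliberately pinned to the 1.x line, so those proposals can never build; set `enabled: false` here or constrain the update to the 1.x line, as the mesa22 package later in this series does by dropping its update block. Separately, `$i` from `find .` carries a `./` prefix, so each symlink is created as `conf.d/./name.conf` pointing at `conf.avail/./name.conf`; `ln -sf /etc/fonts/conf.avail/$(basename "$i") ${{targets.destdir}}/etc/fonts/conf.d/$(basename "$i")` keeps both paths clean. The `autoconf` and `automake` build packages are not used anywhere in the pipeline and can be removed from the environment.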
@@ -21,8 +21,8 @@ jobs: # TODO: if new packages list grows, automation of listing packages would be handy - name: Build signed packages specific to this repo run: | - docker run --privileged --rm -v $(pwd):/work cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 poppler.yaml\ docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/font-liberation1.yaml:/work/font-liberation1.yaml cgr.dev/chainguard/melange build --arch=x86_64 font-liberation1.yaml - docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/font-liberation1.yaml:/work/font-liberation1.yaml cgr.dev/chainguard/melange build --arch=x86_64 font-liberation1.yaml + docker run --privileged --rm -v $(pwd):/work cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 poppler.yaml + docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/font-liberation1.yaml:/work/font-liberation1.yaml cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 font-liberation1.yaml - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v3 From 58bfb171da7c1c3647bf81fea1dca29759aba328 Mon Sep 17 00:00:00 2001 From: Tomasz Cichoszewski <56021254+tomasz-h2o@users.noreply.github.com> Date: Wed, 19 Jun 2024 10:34:01 +0200 Subject: [PATCH 09/15] mount private key (#13) --- .github/workflows/push-packages.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/push-packages.yaml b/.github/workflows/push-packages.yaml index 913d15878a..d563c50f9a 100644 --- a/.github/workflows/push-packages.yaml +++ b/.github/workflows/push-packages.yaml 
@@ -22,7 +22,7 @@ jobs: - name: Build signed packages specific to this repo run: | docker run --privileged --rm -v $(pwd):/work cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 poppler.yaml - docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/font-liberation1.yaml:/work/font-liberation1.yaml cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 font-liberation1.yaml + docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/font-liberation1.yaml:/work/font-liberation1.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 font-liberation1.yaml - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v3 From 06e243d1ebc16eca67f719f2df9c4deb592c2171 Mon Sep 17 00:00:00 2001 From: Tomasz Cichoszewski <56021254+tomasz-h2o@users.noreply.github.com> Date: Wed, 19 Jun 2024 16:54:04 +0200 Subject: [PATCH 10/15] Tomasz/libspatialindex (#14) * added libspatialindex package * Update gh actions to build new package --- .github/workflows/build.yaml | 1 + .github/workflows/push-packages.yaml | 1 + libspatialindex.yaml | 52 ++++++++++++++++++++++++++++ 3 files changed, 54 insertions(+) create mode 100644 libspatialindex.yaml diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 743b4cee4a..628baf64b8 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -15,3 +15,4 @@ jobs: run: | docker run --privileged --rm -v $(pwd):/work cgr.dev/chainguard/melange build --arch=x86_64 poppler.yaml docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/font-liberation1.yaml:/work/font-liberation1.yaml cgr.dev/chainguard/melange build --arch=x86_64 font-liberation1.yaml + docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libspatialindex.yaml:/work/libspatialindex.yaml cgr.dev/chainguard/melange build --arch=x86_64 libspatialindex.yaml 
diff --git a/.github/workflows/push-packages.yaml b/.github/workflows/push-packages.yaml index d563c50f9a..e1e7f67cdb 100644 --- a/.github/workflows/push-packages.yaml +++ b/.github/workflows/push-packages.yaml @@ -23,6 +23,7 @@ jobs: run: | docker run --privileged --rm -v $(pwd):/work cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 poppler.yaml docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/font-liberation1.yaml:/work/font-liberation1.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 font-liberation1.yaml + docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libspatialindex.yaml:/work/libspatialindex.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 libspatialindex.yaml - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v3 diff --git a/libspatialindex.yaml b/libspatialindex.yaml new file mode 100644 index 0000000000..9566951b2b --- /dev/null +++ b/libspatialindex.yaml 
@@ -0,0 +1,52 @@ +package: + name: libspatialindex + version: 1.9.3 + epoch: 1 + description: extensible framework for robust spatial indexing methods + copyright: + - license: MIT + +environment: + contents: + keyring: + - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub + repositories: + - https://packages.wolfi.dev/os + packages: + - autoconf + - automake + - build-base + - busybox + - ca-certificates-bundle + - cmake + - gcc + +pipeline: + - uses: fetch + with: + expected-sha256: 47d8779e32477b330e46b62fb7e62cb812caee5d8e684c35cb635a42a749f3fc + uri: https://github.com/libspatialindex/libspatialindex/releases/download/${{package.version}}/spatialindex-src-${{package.version}}.tar.gz + + - runs: | + cmake -B build \ + -DCMAKE_BUILD_TYPE=MinSizeRel \ + -DCMAKE_PREFIX_PATH=/usr \ + -DCMAKE_INSTALL_PREFIX=/usr \ + -DBUILD_TESTING=ON + + - runs: | + cmake --build build + + - runs: | + DESTDIR="${{targets.destdir}}" cmake --install build + + - uses: strip + +subpackages: + - name: libspatialindex-dev + pipeline: + - uses: split/dev + dependencies: + runtime: + - libspatialindex + description: libspatialindex dev From c335736e2281861f5292dc7f07a5f8099340c133 Mon Sep 17 00:00:00 2001 From: Tomasz Cichoszewski <56021254+tomasz-h2o@users.noreply.github.com> Date: Thu, 20 Jun 2024 13:57:59 +0200 Subject: [PATCH 11/15] Tomasz/mesa22 (#15) * added package for mesa 22.3.7 * build new package * name the package mesa22 --- .github/workflows/build.yaml | 1 + .github/workflows/push-packages.yaml | 1 + mesa22.yaml | 141 +++++++++++++++++++++++++++ 3 files changed, 143 insertions(+) create mode 100644 mesa22.yaml diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 628baf64b8..a7902ccd1b 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
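Review bot: `-DBUILD_TESTING=ON` compiles the test suite but nothing runs it — there is no `ctest` call and no `test:` pipeline — so the flag only lengthens the build; either set `-DBUILD_TESTING=OFF` or add `ctest --test-dir build --output-on-failure` after `cmake --build build` so the extra compile time buys a check. `epoch: 1` on a package that is new to this repository is unusual (0 is the convention for the first build of a version) unless it was carried over from an upstream definition. `autoconf` and `automake` are not used by a CMake build and can be dropped from the environment.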
@@ -16,3 +16,4 @@ jobs: docker run --privileged --rm -v $(pwd):/work cgr.dev/chainguard/melange build --arch=x86_64 poppler.yaml docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/font-liberation1.yaml:/work/font-liberation1.yaml cgr.dev/chainguard/melange build --arch=x86_64 font-liberation1.yaml docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libspatialindex.yaml:/work/libspatialindex.yaml cgr.dev/chainguard/melange build --arch=x86_64 libspatialindex.yaml + docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/mesa22.yaml:/work/mesa22.yaml cgr.dev/chainguard/melange build --arch=x86_64 mesa22.yaml diff --git a/.github/workflows/push-packages.yaml b/.github/workflows/push-packages.yaml index e1e7f67cdb..f2d22553fc 100644 --- a/.github/workflows/push-packages.yaml +++ b/.github/workflows/push-packages.yaml @@ -24,6 +24,7 @@ jobs: docker run --privileged --rm -v $(pwd):/work cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 poppler.yaml docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/font-liberation1.yaml:/work/font-liberation1.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 font-liberation1.yaml docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libspatialindex.yaml:/work/libspatialindex.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 libspatialindex.yaml + docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/mesa22.yaml:/work/mesa22.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 mesa22.yaml - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v3 diff --git a/mesa22.yaml b/mesa22.yaml new file mode 100644 index 0000000000..8437fa5412 --- /dev/null +++ b/mesa22.yaml 
@@ -0,0 +1,141 @@ +package: + name: mesa22 + version: 22.3.7 + epoch: 0 + description: Mesa DRI OpenGL library + copyright: + - license: MIT AND SGI-B-2.0 AND BSL-1.0 + +environment: + contents: + keyring: + - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub + repositories: + - https://packages.wolfi.dev/os + packages: + - autoconf + - automake + - bison + - build-base + - busybox + - ca-certificates-bundle + - elfutils-dev + - eudev-dev + - expat-dev + - findutils + - flex + - gettext + - glslang-dev + - libdrm-dev + - libtool + - libva + - libva-dev + - libvdpau-dev + - libx11-dev + - libxcb-dev + - libxdamage-dev + - libxext-dev + - libxfixes-dev + - libxml2-dev + - libxrandr + - libxrandr-dev + - libxrender + - libxrender-dev + - libxshmfence-dev + - libxxf86vm-dev + - llvm15 + - llvm15-dev + - meson + - py3-mako + - py3-markupsafe + - py3-pygments + - py3-setuptools + - python3 + - vulkan-loader + - wayland-dev + - wayland-protocols + - xorgproto + - zlib-dev + - zstd-dev + - libpciaccess-dev + +pipeline: + - uses: fetch + with: + expected-sha256: 894ce2f4a1c2e76177cdd2284620192d0da3066b243eec2fbb1d7cf37f13042c + uri: https://mesa.freedesktop.org/archive/mesa-${{package.version}}.tar.xz + + - runs: | + export CFLAGS="$CFLAGS -O2 -g1" + export CXXFLAGS="$CXXFLAGS -O2 -g1" + export CPPFLAGS="$CPPFLAGS -O2 -g1" + + _dri_driverdir=/usr/lib/xorg/modules/dri + _gallium_drivers="r300,r600,radeonsi,nouveau,swrast,virgl,zink" + _vulkan_drivers="amd,swrast" + _vulkan_layers="device-select,overlay" + + PATH="$PATH:/usr/lib/llvm15/bin" \ + meson \ + --prefix=/usr \ + -Ddri-drivers-path=$_dri_driverdir \ + -Dgallium-drivers=$_gallium_drivers \ + -Dvulkan-drivers=$_vulkan_drivers \ + -Dvulkan-layers=$_vulkan_layers \ + -Dplatforms=x11,wayland \ + -Dllvm=enabled \ + -Dshared-llvm=enabled \ + -Dshared-glapi=enabled \ + -Dgbm=enabled \ + -Dglx=dri \ + -Dopengl=true \ + -Dosmesa=true \ + -Dgles1=enabled \ + -Dgles2=enabled \ + -Degl=enabled \ + -Dgallium-extra-hud=true \ + 
-Dgallium-xa=enabled \ + -Dgallium-vdpau=enabled \ + -Dgallium-va=enabled \ + -Dgallium-nine=true \ + -Db_ndebug=true \ + -Db_lto=false \ + . output + + meson configure --no-pager output + meson compile -C output + + DESTDIR="${{targets.destdir}}" meson install --no-rebuild -C output + + - uses: strip + +data: + - name: libs + items: + gles: libGLES* + egl: libEGL + gl: libGL + glapi: libglapi + xatracker: libxatracker* + osmesa: libOSMesa + gbm: libgbm + libd3dadapter9: d3d/d3dadapter9 + +subpackages: + - range: libs + name: mesa-${{range.key}} + description: mesa ${{range.key}} + pipeline: + - runs: | + mkdir -p ${{targets.subpkgdir}}/usr/lib + mv ${{targets.destdir}}/usr/lib/${{range.value}}.so* ${{targets.subpkgdir}}/usr/lib + + - name: mesa-dev + pipeline: + - uses: split/dev + description: mesa dev + +update: + enabled: true + release-monitor: + identifier: 1970 From 19da84468e9663d091b2ba4d0171565f689be00c Mon Sep 17 00:00:00 2001 From: Tomasz Cichoszewski <56021254+tomasz-h2o@users.noreply.github.com> Date: Thu, 20 Jun 2024 14:36:33 +0200 Subject: [PATCH 12/15] fixed names for mesa22 subpackages (#16) --- mesa22.yaml | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/mesa22.yaml b/mesa22.yaml index 8437fa5412..957909d502 100644 --- a/mesa22.yaml +++ b/mesa22.yaml @@ -123,19 +123,14 @@ data: subpackages: - range: libs - name: mesa-${{range.key}} - description: mesa ${{range.key}} + name: mesa22-${{range.key}} + description: mesa22 ${{range.key}} pipeline: - runs: | mkdir -p ${{targets.subpkgdir}}/usr/lib mv ${{targets.destdir}}/usr/lib/${{range.value}}.so* ${{targets.subpkgdir}}/usr/lib - - name: mesa-dev + - name: mesa22-dev pipeline: - uses: split/dev description: mesa dev - -update: - enabled: true - release-monitor: - identifier: 1970 From b0f2cdb1e4b44288795a8f3de9119964eb7674a6 Mon Sep 17 00:00:00 2001 
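Review bot: The `libs` range pipeline moves `${{range.value}}.so*` into a flat `usr/lib`, but the `libd3dadapter9` entry resolves to `usr/lib/d3d/d3dadapter9.so*`, so that subpackage drops the `d3d/` directory the Nine adapter is built into by `-Dgallium-nine=true` — confirm against a built package before relying on it. Making the move path-aware keeps every other entry unchanged: `mkdir -p ${{targets.subpkgdir}}/usr/lib/$(dirname ${{range.value}})` and `mv ${{targets.destdir}}/usr/lib/${{range.value}}.so* ${{targets.subpkgdir}}/usr/lib/$(dirname ${{range.value}})/`. The hunk is the whole new file, so the fix applies to the `subpackages:` range entry near its end.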
From: Tomasz Cichoszewski <56021254+tomasz-h2o@users.noreply.github.com> Date: Fri, 21 Jun 2024 13:37:41 +0200 Subject: [PATCH 13/15] Tomasz/jpeg turbo2 (#17) * added libjpeg-turbo2 package * build new package --- .github/workflows/build.yaml | 1 + .github/workflows/push-packages.yaml | 1 + libjpeg-turbo2.yaml | 66 ++++++++++++++++++++++++++++ 3 files changed, 68 insertions(+) create mode 100644 libjpeg-turbo2.yaml diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index a7902ccd1b..d7e0451160 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -17,3 +17,4 @@ jobs: docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/font-liberation1.yaml:/work/font-liberation1.yaml cgr.dev/chainguard/melange build --arch=x86_64 font-liberation1.yaml docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libspatialindex.yaml:/work/libspatialindex.yaml cgr.dev/chainguard/melange build --arch=x86_64 libspatialindex.yaml docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/mesa22.yaml:/work/mesa22.yaml cgr.dev/chainguard/melange build --arch=x86_64 mesa22.yaml + docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libjpeg-turbo2.yaml:/work/libjpeg-turbo2.yaml cgr.dev/chainguard/melange build --arch=x86_64 libjpeg-turbo2.yaml diff --git a/.github/workflows/push-packages.yaml b/.github/workflows/push-packages.yaml index f2d22553fc..3aab5184d2 100644 --- a/.github/workflows/push-packages.yaml +++ b/.github/workflows/push-packages.yaml 
@@ -25,6 +25,7 @@ jobs: docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/font-liberation1.yaml:/work/font-liberation1.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 font-liberation1.yaml docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libspatialindex.yaml:/work/libspatialindex.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 libspatialindex.yaml docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/mesa22.yaml:/work/mesa22.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 mesa22.yaml + docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libjpeg-turbo2.yaml:/work/libjpeg-turbo2.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 libjpeg-turbo2.yaml - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v3 diff --git a/libjpeg-turbo2.yaml b/libjpeg-turbo2.yaml new file mode 100644 index 0000000000..45e43750b6 --- /dev/null +++ b/libjpeg-turbo2.yaml 
@@ -0,0 +1,66 @@
+package:
+ name: libjpeg-turbo2
+ version: 2.0.3
+ epoch: 1
+ description: "Accelerated baseline JPEG compression and decompression library"
+ copyright:
+ - license: BSD-3-Clause AND IJG AND Zlib
+
+environment:
+ contents:
+ keyring:
+ - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
+ repositories:
+ - https://packages.wolfi.dev/os
+ packages:
+ - build-base
+ - ca-certificates-bundle
+ - cmake
+ - nasm
+ - samurai # use ninja pkg later?
+ - wolfi-base
+
+pipeline:
+ - uses: git-checkout
+ with:
+ repository: https://github.com/libjpeg-turbo/libjpeg-turbo
+ tag: ${{package.version}}
+ expected-commit: 5db6a6819d0f904e0b58f34ae928fea234adb1a0
+
+ - runs: |
+ cmake -B build -G Ninja \
+ -DCMAKE_INSTALL_PREFIX=/usr \
+ -DCMAKE_INSTALL_LIBDIR=/usr/lib \
+ -DBUILD_SHARED_LIBS=True \
+ -DCMAKE_BUILD_TYPE=MinSizeRel \
+ -DWITH_JPEG8=1
+ cmake --build build
+
+ - runs: |
+ DESTDIR="${{targets.destdir}}" cmake --install build
+
+ - uses: strip
+
+subpackages:
+ - name: "libjpeg-turbo2-dev"
+ description: "headers for libjpeg-turbo2"
+ pipeline:
+ - uses: split/dev
+
+ - name: "libjpeg-turbo2-doc"
+ description: "libjpeg-turbo2 documentation"
+ pipeline:
+ - runs: |
+ mkdir -p "${{targets.subpkgdir}}"/usr/share/doc/libjpeg-turbo
+ mv doc/* "${{targets.subpkgdir}}"/usr/share/doc/libjpeg-turbo
+ dependencies:
+ runtime:
+ - libjpeg-turbo-dev
+
+ - name: "libjpeg-turbo2-utils"
+ description: "Utilities for manipulating JPEG images"
+ pipeline:
+ - runs: |
+ mkdir -p "${{targets.subpkgdir}}"/usr/bin
+ mv "${{targets.destdir}}"/usr/bin/* "${{targets.subpkgdir}}"/usr/bin
+
From 30aea826748cd6e57e086da4672c95a2085a0c85 Mon Sep 17 00:00:00 2001 From: Tomasz Cichoszewski <56021254+tomasz-h2o@users.noreply.github.com> Date: Fri, 21 Jun 2024 14:35:19 +0200 Subject: [PATCH 14/15] fix libjpeg-turbo2 runtime (#18) --- libjpeg-turbo2.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
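Review bot: The build installs into the same locations as the distribution's own libjpeg-turbo (`-DCMAKE_INSTALL_PREFIX=/usr`, `-DCMAKE_INSTALL_LIBDIR=/usr/lib`, headers carved out by `split/dev`), so if that package ships the same sonames and `/usr/include/jpeglib.h` — which I would expect but cannot confirm from here — installing `libjpeg-turbo2` or `libjpeg-turbo2-dev` next to it will fail on file conflicts, and a consumer gets whichever one apk resolves first. If the 2.x build is meant to coexist, put it under a private prefix (e.g. `-DCMAKE_INSTALL_PREFIX=/usr/lib/libjpeg-turbo2` with consumers pointing `PKG_CONFIG_PATH` and rpath at it) and drop `split/dev` in favour of an explicit header move; if it is meant to replace, say so in the package metadata rather than leaving it to install order. Separately, 2.0.3 is a 2019 release and there is no `update:` stanza, so later 2.0.x/2.1.x point releases will never be flagged; either add `update: enabled: true github: identifier: libjpeg-turbo/libjpeg-turbo` or a comment explaining why this exact version is frozen. A `test:` pipeline that exercises the installed library (even just loading it) would catch a broken install before it is signed and pushed.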
diff --git a/libjpeg-turbo2.yaml b/libjpeg-turbo2.yaml
index 45e43750b6..94a6e08870 100644
--- a/libjpeg-turbo2.yaml
+++ b/libjpeg-turbo2.yaml
@@ -55,7 +55,7 @@ subpackages:
 mv doc/* "${{targets.subpkgdir}}"/usr/share/doc/libjpeg-turbo
 dependencies:
 runtime:
- - libjpeg-turbo-dev
+ - libjpeg-turbo2-dev
 
 - name: "libjpeg-turbo2-utils"
 description: "Utilities for manipulating JPEG images"
From a8dd35c28d2966e6bf8969412dd4eed24d531a1f Mon Sep 17 00:00:00 2001 From: Tomasz Cichoszewski <56021254+tomasz-h2o@users.noreply.github.com> Date: Tue, 25 Jun 2024 14:05:52 +0200 Subject: [PATCH 15/15] Tomasz/tesseract52 (#19) * new package tesseract52 * build new package --- .github/workflows/build.yaml | 1 + .github/workflows/push-packages.yaml | 1 + tesseract52.yaml | 154 +++++++++++++++++++++++++++ 3 files changed, 156 insertions(+) create mode 100644 tesseract52.yaml
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index d7e0451160..4d41260d54 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -18,3 +18,4 @@ jobs:
 docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libspatialindex.yaml:/work/libspatialindex.yaml cgr.dev/chainguard/melange build --arch=x86_64 libspatialindex.yaml
 docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/mesa22.yaml:/work/mesa22.yaml cgr.dev/chainguard/melange build --arch=x86_64 mesa22.yaml
 docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libjpeg-turbo2.yaml:/work/libjpeg-turbo2.yaml cgr.dev/chainguard/melange build --arch=x86_64 libjpeg-turbo2.yaml
+ docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/tesseract52.yaml:/work/tesseract52.yaml cgr.dev/chainguard/melange build --arch=x86_64 tesseract52.yaml
diff --git a/.github/workflows/push-packages.yaml b/.github/workflows/push-packages.yaml
index 3aab5184d2..74ce41ee10 100644
--- a/.github/workflows/push-packages.yaml
+++ b/.github/workflows/push-packages.yaml
@@ -26,6 +26,7 @@ jobs:
 docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libspatialindex.yaml:/work/libspatialindex.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 libspatialindex.yaml
 docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/mesa22.yaml:/work/mesa22.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 mesa22.yaml
 docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libjpeg-turbo2.yaml:/work/libjpeg-turbo2.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 libjpeg-turbo2.yaml
+ docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/tesseract52.yaml:/work/tesseract52.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 tesseract52.yaml
 
 - name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@v3
diff --git a/tesseract52.yaml b/tesseract52.yaml
new file mode 100644
index 0000000000..729c16a0f6
--- /dev/null
+++ b/tesseract52.yaml
@@ -0,0 +1,154 @@
+package:
+ name: tesseract52
+ version: 5.2.0
+ epoch: 2
+ description: Tesseract Open Source OCR Engine (5.2.0)
+ copyright:
+ - license: Apache-2.0
+
+environment:
+ contents:
+ keyring:
+ - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
+ repositories:
+ - https://packages.wolfi.dev/os
+ packages:
+ - autoconf
+ - automake
+ - build-base
+ - busybox
+ - ca-certificates-bundle
+ - cairo-dev
+ - cmake
+ - curl-dev
+ - expat-dev
+ - fontconfig-config
+ - fontconfig-dev
+ - fribidi-dev
+ - glib-dev
+ - harfbuzz-dev
+ - icu-dev
+ - leptonica-dev
+ - libarchive-dev
+ - libfontconfig1
+ - libjpeg-turbo-dev
+ - libxft-dev
+ - opencl-dev
+ - pango
+ - pango-dev
+ - pkgconf
+ - pkgconf-dev
+
+data:
+ - name: langs
+ items:
+ afr:
+ ara:
+ aze:
+ bel:
+ ben:
+ bul:
+ cat:
+ ces:
+ chi_sim:
+ chi_tra:
+ chr:
+ dan:
+ deu:
+ eng:
+ enm:
+ epo:
+ equ:
+ est:
+ eus:
+ fin:
+ fra:
+ frk:
+ frm:
+ glg:
+ grc:
+ heb:
+ hin:
+ hrv:
+ hun:
+ ind:
+ isl:
+ ita:
+ ita_old:
+ jpn:
+ kan:
+ kat:
+ khm:
+ kor:
+ lav:
+ lit:
+ mal:
+ mkd:
+ mlt:
+ msa:
+ nld:
+ nor:
+ osd:
+ pol:
+ por:
+ ron:
+ rus:
+ slk:
+ slv:
+ spa:
+ spa_old:
+ sqi:
+ srp:
+ swa:
+ swe:
+ tam:
+ tel:
+ tgl:
+ tha:
+ tur:
+ ukr:
+ vie:
+
+vars:
+ tessdata-version: 4.1.0
+
+pipeline:
+ - uses: git-checkout
+ with:
+ repository: https://github.com/tesseract-ocr/tesseract
+ tag: ${{package.version}}
+ expected-commit: 5ad5325a0aa8effc47ca033625b6a51682f82767
+
+ # Training data is stored in a separate repository
+ - uses: git-checkout
+ with:
+ repository: https://github.com/tesseract-ocr/tessdata
+ destination: tessdata-${{vars.tessdata-version}}
+ tag: ${{vars.tessdata-version}}
+ expected-commit: 4767ea922bcc460e70b87b1d303ebdfed0897da8
+
+ - runs: |
+ # They have some hardcoded include paths
+ ln -s /usr/include/pango-1.0 /usr/include/pango
+
+ - uses: cmake/configure
+ with:
+ opts: -DTESSDATA_PREFIX=/usr/share -DUSE_SYSTEM_ICU=on
+
+ - uses: cmake/build
+
+ - uses: cmake/install
+
+ - uses: strip
+
+subpackages:
+ - name: tesseract52-dev
+ pipeline:
+ - uses: split/dev
+
+ - range: langs
+ name: tesseract52-${{range.key}}
+ pipeline:
+ - runs: |
+ mkdir -p ${{targets.subpkgdir}}/usr/share/tessdata
+ mv tessdata-${{vars.tessdata-version}}/${{range.key}}.traineddata ${{targets.subpkgdir}}/usr/share/tessdata/
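Review bot: The build environment pulls `libjpeg-turbo-dev` from `https://packages.wolfi.dev/os` and lists no local repository, so this tesseract build links against the upstream libjpeg-turbo, not the `libjpeg-turbo2` package the same series adds; if the 2.x build exists precisely so tesseract can use it, the repositories list needs the local `packages/` output (and its key) and the dependency should read `libjpeg-turbo2-dev`, otherwise the extra package is dead weight. Both source checkouts are pinned with `expected-commit`, which is good; the `tesseract52-${{range.key}}` data subpackages, however, declare no runtime dependency on `tesseract52`, so a language package can be installed with nothing that can load it — presumably unintended, worth confirming. The last `runs:` block leaves `${{targets.subpkgdir}}` unquoted in both `mkdir -p` and `mv`, unlike the rest of the series; quoting them as `"${{targets.subpkgdir}}"/usr/share/tessdata` keeps the style consistent and is safer if the destdir path ever contains spaces. Finally there is no `test:` stanza; a minimal `tesseract --version` check would catch a broken install before the push workflow signs it.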