diff --git a/.github/dependabot.yml b/.github/dependabot.yml
deleted file mode 100644
index 123014908be..00000000000
--- a/.github/dependabot.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-version: 2
-updates:
- - package-ecosystem: "github-actions"
- directory: "/"
- schedule:
- interval: "daily"
diff --git a/.github/pull-request-template.md b/.github/pull-request-template.md
deleted file mode 100644
index 3fd988b8ad3..00000000000
--- a/.github/pull-request-template.md
+++ /dev/null
@@ -1,61 +0,0 @@
-
-
-
-
-Fixes:
-
-Related:
-
-### Pre-review Checklist
-
-
-#### For new package PRs only
-
-- [ ] This PR is marked as fixing a pre-existing package request bug
- - [ ] Alternatively, the PR is marked as related to a pre-existing package request bug, such as a dependency
-- [ ] REQUIRED - The package is available under an OSI-approved or FSF-approved license
-- [ ] REQUIRED - The version of the package is still receiving security updates
-- [ ] This PR links to the upstream project's support policy (e.g. `endoflife.date`)
-
-#### For new version streams
-
-- [ ] The upstream project actually supports multiple concurrent versions.
-- [ ] Any subpackages include the version string in their package name (e.g. `name: ${{package.name}}-compat`)
-- [ ] The package (and subpackages) `provides:` logical unversioned forms of the package (e.g. `nodejs`, `nodejs-lts`)
-- [ ] If non-streamed package names no longer built, open PR to withdraw them (see [WITHDRAWING PACKAGES](https://github.com/wolfi-dev/os/blob/main/WITHDRAWING_PACKAGES.md))
-
-#### For package updates (renames) in the base images
-
-When updating packages part of base images (i.e. cgr.dev/chainguard/wolfi-base or ghcr.io/wolfi-dev/sdk)
-- [ ] REQUIRED cgr.dev/chainguard/wolfi-base and ghcr.io/wolfi-dev/sdk images successfully build
-- [ ] REQUIRED cgr.dev/chainguard/wolfi-base and ghcr.io/wolfi-dev/sdk contain no obsolete (no longer built) packages
-- [ ] Upon launch, does `apk upgrade --latest` successfully upgrades packages or performs no actions
-
-#### For security-related PRs
-
-- [ ] The security fix is recorded in the [advisories](https://github.com/wolfi-dev/advisories) repo
-
-#### For version bump PRs
-
-- [ ] The `epoch` field is reset to 0
-
-#### For PRs that add patches
-
-- [ ] Patch source is documented
diff --git a/.github/workflows/auto-approve.yaml b/.github/workflows/auto-approve.yaml
deleted file mode 100644
index 4f82dbf527f..00000000000
--- a/.github/workflows/auto-approve.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-name: automated-pr-approve
-on:
- workflow_dispatch:
- schedule:
- - cron: '*/45 * * * *'
-
-permissions:
- contents: read
-
-jobs:
- review-pr:
- runs-on: ubuntu-latest
- if: github.repository == 'wolfi-dev/os'
-
- permissions:
- contents: read
- pull-requests: write
-
- steps:
- - name: Harden Runner
- uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
- with:
- egress-policy: audit
-
- - name: Check out repository code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-
- - run: |
- ./scripts/auto-approve-pr.sh ${{ github.repository }}
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 4d41260d54c..b3e61eddbbb 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -1,7 +1,6 @@
 name: Build
 on: [pull_request]
-
 jobs:
 build-packages:
 runs-on: ubuntu-latest
@@ -13,9 +12,10 @@ jobs:
 # TODO: if new packages list grows, automation of listing packages would be handy
 - name: Build packages specific to this repo
 run: |
- docker run --privileged --rm -v $(pwd):/work cgr.dev/chainguard/melange build --arch=x86_64 poppler.yaml
- docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/font-liberation1.yaml:/work/font-liberation1.yaml cgr.dev/chainguard/melange build --arch=x86_64 font-liberation1.yaml
- docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libspatialindex.yaml:/work/libspatialindex.yaml cgr.dev/chainguard/melange build --arch=x86_64 libspatialindex.yaml
- docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/mesa22.yaml:/work/mesa22.yaml cgr.dev/chainguard/melange build --arch=x86_64 mesa22.yaml
- docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libjpeg-turbo2.yaml:/work/libjpeg-turbo2.yaml cgr.dev/chainguard/melange build --arch=x86_64 libjpeg-turbo2.yaml
- docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/tesseract52.yaml:/work/tesseract52.yaml cgr.dev/chainguard/melange build --arch=x86_64 tesseract52.yaml
+ docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/mesa.yaml:/work/mesa.yaml cgr.dev/chainguard/melange build --arch=x86_64 mesa.yaml
+ docker run --privileged --rm -v $(pwd):/work cgr.dev/chainguard/melange build --arch=x86_64 poppler.yaml
+ docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/font-liberation1.yaml:/work/font-liberation1.yaml cgr.dev/chainguard/melange build --arch=x86_64 font-liberation1.yaml
+ docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libspatialindex.yaml:/work/libspatialindex.yaml cgr.dev/chainguard/melange build --arch=x86_64 libspatialindex.yaml
+ docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libjpeg-turbo2.yaml:/work/libjpeg-turbo2.yaml cgr.dev/chainguard/melange build --arch=x86_64 libjpeg-turbo2.yaml
+ docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/tesseract52.yaml:/work/tesseract52.yaml cgr.dev/chainguard/melange build --arch=x86_64 tesseract52.yaml
+
diff --git a/.github/workflows/postsubmit-bundle-build.yaml b/.github/workflows/postsubmit-bundle-build.yaml
deleted file mode 100644
index 1aef099a638..00000000000
--- a/.github/workflows/postsubmit-bundle-build.yaml
+++ /dev/null
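Review bot: The `mesa.yaml` line added at the top of the `run:` block, and the five lines re-added below it, invoke `cgr.dev/chainguard/melange` with no tag or digest, so each PR build resolves whatever the registry's default tag currently points at and two runs of the same commit can build with different melange versions; pin it once, e.g. as a step `env:` value such as `MELANGE_IMAGE: cgr.dev/chainguard/melange@sha256:<digest>` (placeholder, not a real digest) and reference `${MELANGE_IMAGE}` on every line. The final `+` in the hunk appends an empty line at end of file, which yamllint's `empty-lines` rule flags and which can simply be dropped. The enclosing `build-packages` job starts before the hunk.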
@@ -1,158 +0,0 @@
-name: Bundle Build Wolfi Packages
-
-on:
- schedule:
- # Deploy at 7:23 AM (PST) every day.
- - cron: "23 15 * * *"
- workflow_dispatch:
- inputs:
- package_names:
- required: false
- type: string
- default: ""
- description: "comma separated list of package names to build. If empty, build all packages."
-
-# Only run one build at a time to prevent out of sync signatures.
-concurrency: 'bundle-runner-a'
-
-permissions:
- contents: read
-
-jobs:
- build:
- name: Build packages
- if: github.repository == 'wolfi-dev/os'
-
- runs-on: ubuntu-latest
- container:
- image: ghcr.io/wolfi-dev/sdk:latest@sha256:c4640fd2e678c3ffe171047e5d232e6d2ca9cf8fc5120ad8d71bef45bdfa92b3
-
- permissions:
- id-token: write
- contents: read
-
- steps:
- - name: Harden Runner
- uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
- with:
- egress-policy: audit
-
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- fetch-depth: 0
-
- - name: 'Trust the github workspace'
- run: |
- # This is to avoid fatal errors about "dubious ownership" because we are
- # running inside of a container action with the workspace mounted in.
- git config --global --add safe.directory "$(pwd)"
- - name: Authenticate to Google Cloud
- uses: "google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa" # v2.1.3
- with:
- workload_identity_provider: "projects/567187841907/locations/global/workloadIdentityPools/bundle-post-wolfi/providers/github-provider"
- service_account: "bundle-runner-post-wolfi@staging-images-183e.iam.gserviceaccount.com"
- name: Setup G Cloud SDK
- uses: "google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200" # v2.0.11
- with:
- install_components: 'gke-gcloud-auth-plugin'
- name: Print gcloud info
- shell: bash
- run: "gcloud info"
- name: Configure GCR auth
- shell: bash
- run: gcloud auth configure-docker
- name: Configure AR auth
- shell: bash
- run: gcloud auth configure-docker us-central1-docker.pkg.dev
- - name: Install sudo for gke-auth
- shell: bash
- run: apk add cmd:sudo
- - name: Make parent dir for gke-auth
- shell: bash
- run: mkdir -p /usr/local/bin
- - name: Connect to cluster
- uses: "imjasonh/gke-auth@31f5c5f16489a15037d46b08903d983889c46ddf" # v0.2.0
- with:
- cluster: "bundle-runner-a"
- location: "us-central1"
- project: "staging-images-183e"
- - name: kubectl test
- shell: bash
- run: |
- apk add kubectl
- kubectl get namespace kube-system
- - name: "Generate local signing key"
- run: |
- make local-melange.rsa
- - name: "bundle build"
- shell: bash
- env:
- BUNDLE_REPO: us-central1-docker.pkg.dev/staging-images-183e/bundles
- BUCKET: "wolfi-registry-destination/${{ github.run_id }}"
- run: |
- set -x
- set -v
-
- COMMON_FLAGS=$(cat <<-END
- --keyring-append ./local-melange.rsa.pub \
- --keyring-append https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
- --repository-append https://packages.wolfi.dev/os
- END
- )
-
- BUNDLE=$(wolfictl bundle \
- --bundle-base ghcr.io/wolfi-dev/sdk:latest@sha256:c4640fd2e678c3ffe171047e5d232e6d2ca9cf8fc5120ad8d71bef45bdfa92b3 \
- --bundle-repo "${BUNDLE_REPO}" \
- ${COMMON_FLAGS} \
- --runner bubblewrap \
- --pipeline-dir ./pipelines \
- ${{ github.event.inputs.package_names }}
- )
- wolfictl build \
- --jobs 128 \
- --bucket "${BUCKET}" \
- --destination-bucket "${BUCKET}" \
- ${COMMON_FLAGS} \
- --k8s-namespace 'post-wolfi' \
- --service-account 'post-wolfi' \
- --trace /tmp/trace.json \
- --bundle "${BUNDLE}"
- - if: ${{ always() }}
- name: 'Upload trace to GitHub Artifacts'
- uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
- with:
- name: trace-build.json
- path: /tmp/trace.json
- if-no-files-found: warn
-
- postrun:
- name: Notify Slack
- runs-on: ubuntu-latest
- if: failure() && false # TODO(kleung): remove `&& false` when ready to slack
- needs: [build]
- steps:
- - name: Harden Runner
- uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
- with:
- egress-policy: audit
-
- - uses: rtCamp/action-slack-notify@4e5fb42d249be6a45a298f3c9543b111b02f7907 # v2.3.0
- env:
- SLACK_ICON: http://github.com/chainguard-dev.png?size=48
- SLACK_USERNAME: guardian
- SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
- SLACK_CHANNEL: chainguard-images-alerts
- SLACK_MSG_AUTHOR: wolfi-bot
- SLACK_COLOR: "#8E1600"
- MSG_MINIMAL: "true"
- SLACK_TITLE: "[bundle build wolfi] failure: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
- SLACK_MESSAGE: |
- https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
diff --git a/.github/workflows/push-packages.yaml b/.github/workflows/push-packages.yaml
index 74ce41ee10e..382da1d703e 100644
--- a/.github/workflows/push-packages.yaml
+++ b/.github/workflows/push-packages.yaml
@@ -5,6 +5,10 @@ on:
 branches:
 - main
+permissions:
+ id-token: write
+ contents: read
+
 jobs:
 build-packages:
 runs-on: ubuntu-latest
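Review bot: The new workflow-level `permissions:` block grants `id-token: write` to every job in the file, while only the job that calls `configure-aws-credentials` needs to request an OIDC token; moving the three lines under `build-packages:` (indented one level: `permissions:` / `id-token: write` / `contents: read`) keeps any job added later at the read-only default. The workflows deleted in this same commit (`auto-approve.yaml`, `postsubmit-bundle-build.yaml`) declared `contents: read` at the top and the write scopes per job, so that would also match the existing convention. The `jobs:` mapping continues past the hunk.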
@@ -21,18 +25,17 @@ jobs:
 # TODO: if new packages list grows, automation of listing packages would be handy
 - name: Build signed packages specific to this repo
 run: |
+ docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/mesa.yaml:/work/mesa.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 mesa.yaml
 docker run --privileged --rm -v $(pwd):/work cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 poppler.yaml
- docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/font-liberation1.yaml:/work/font-liberation1.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 font-liberation1.yaml
- docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libspatialindex.yaml:/work/libspatialindex.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 libspatialindex.yaml
- docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/mesa22.yaml:/work/mesa22.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 mesa22.yaml
- docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libjpeg-turbo2.yaml:/work/libjpeg-turbo2.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 libjpeg-turbo2.yaml
- docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/tesseract52.yaml:/work/tesseract52.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 tesseract52.yaml
+ docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/font-liberation1.yaml:/work/font-liberation1.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 font-liberation1.yaml
+ docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libspatialindex.yaml:/work/libspatialindex.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 libspatialindex.yaml
+ docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libjpeg-turbo2.yaml:/work/libjpeg-turbo2.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 libjpeg-turbo2.yaml
+ docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/tesseract52.yaml:/work/tesseract52.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 tesseract52.yaml
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v3
+ uses: aws-actions/configure-aws-credentials@v4
 with:
- aws-access-key-id: ${{ secrets.AWS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ role-to-assume: arn:aws:iam::524466471676:role/GitHub-OIDC-Role
 aws-region: us-east-1
 - name: Upload index to s3
diff --git a/mesa.yaml b/mesa.yaml
index 810e77368ed..1bdc10dd70d 100644
--- a/mesa.yaml
+++ b/mesa.yaml
@@ -1,5 +1,6 @@
 package:
- name: mesa
+ # Mesa has been updated to 24.2.0 in main repo, most probably causing issues downstream
+ name: mesa2414
 version: 24.1.4
 epoch: 0
 description: Mesa DRI OpenGL library
@@ -8,6 +9,10 @@ package:
 environment:
 contents:
+ keyring:
+ - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
+ repositories:
+ - https://packages.wolfi.dev/os
 packages:
 - autoconf
 - automake
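Review bot: The changed `uses: aws-actions/configure-aws-credentials@v4` references a mutable tag, whereas every action in the workflows this commit deletes is pinned to a full commit SHA with a `# vX.Y.Z` comment; pin this one the same way, `uses: aws-actions/configure-aws-credentials@<commit-sha> # v4.x.y` (placeholder), which matters more now that `.github/dependabot.yml` is removed in the same commit and nothing will refresh the reference automatically. Replacing the static `AWS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` secrets with `role-to-assume` is the right change; whether the role's trust policy limits the OIDC `sub` claim to this repository's `main` branch cannot be seen from the workflow and is worth confirming, and the now-unused secrets can be deleted from the repository settings. The added `mesa.yaml` build line and the re-added lines after it still use an unpinned `cgr.dev/chainguard/melange` image, as in `build.yaml`. The `Upload index to s3` step continues past the hunk.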
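Review bot: The new comment above `name: mesa2414` records the rename only loosely ("most probably causing issues downstream") and does not say why `24.1.4` is being kept; since this comment is the only record of the intent in the file, make it state the decision, e.g. `# Versioned 24.1.x stream: Wolfi's main repo moved mesa to 24.2.0 and the downstream packages built here have not been validated against it`. Leaving `description: Mesa DRI OpenGL library` unchanged is acceptable, but naming the version stream there too would help users tell this package apart from the main repo's `mesa`. The `package:` mapping continues past the hunk.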
@@ -119,17 +124,17 @@ data:
 subpackages:
 - range: libs
- name: mesa-${{range.key}}
- description: mesa ${{range.key}}
+ name: mesa2414-${{range.key}}
+ description: mesa2414 ${{range.key}}
 pipeline:
 - runs: |
 mkdir -p ${{targets.subpkgdir}}/usr/lib
 mv ${{targets.destdir}}/usr/lib/${{range.value}}.so* ${{targets.subpkgdir}}/usr/lib
- - name: mesa-dev
+ - name: mesa2414-dev
 pipeline:
 - uses: split/dev
- description: mesa dev
+ description: mesa2414 dev
 update:
 enabled: true
diff --git a/mesa22.yaml b/mesa22.yaml
deleted file mode 100644
index 957909d502c..00000000000
--- a/mesa22.yaml
+++ /dev/null
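Review bot: `update:` / `enabled: true` survives as the last two context lines while the package is now deliberately frozen as the `mesa2414` stream at `24.1.4`, so an automated version update would push it to the 24.2.0 release the rename is meant to avoid; change it to `enabled: false`, or pin the updater to the 24.1 series if the tooling supports such a constraint. The renamed `mesa2414-${{range.key}}` and `mesa2414-dev` subpackages no longer carry the old `mesa-*` names and nothing provides them; that is presumably intended now that the main repo owns those names, and a one-line comment on `subpackages:` saying so would save the next reader the same question. The `update:` mapping may continue past the hunk.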
@@ -1,136 +0,0 @@
-package:
- name: mesa22
- version: 22.3.7
- epoch: 0
- description: Mesa DRI OpenGL library
- copyright:
- - license: MIT AND SGI-B-2.0 AND BSL-1.0
-
-environment:
- contents:
- keyring:
- - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
- repositories:
- - https://packages.wolfi.dev/os
- packages:
- - autoconf
- - automake
- - bison
- - build-base
- - busybox
- - ca-certificates-bundle
- - elfutils-dev
- - eudev-dev
- - expat-dev
- - findutils
- - flex
- - gettext
- - glslang-dev
- - libdrm-dev
- - libtool
- - libva
- - libva-dev
- - libvdpau-dev
- - libx11-dev
- - libxcb-dev
- - libxdamage-dev
- - libxext-dev
- - libxfixes-dev
- - libxml2-dev
- - libxrandr
- - libxrandr-dev
- - libxrender
- - libxrender-dev
- - libxshmfence-dev
- - libxxf86vm-dev
- - llvm15
- - llvm15-dev
- - meson
- - py3-mako
- - py3-markupsafe
- - py3-pygments
- - py3-setuptools
- - python3
- - vulkan-loader
- - wayland-dev
- - wayland-protocols
- - xorgproto
- - zlib-dev
- - zstd-dev
- - libpciaccess-dev
-
-pipeline:
- - uses: fetch
- with:
- expected-sha256: 894ce2f4a1c2e76177cdd2284620192d0da3066b243eec2fbb1d7cf37f13042c
- uri: https://mesa.freedesktop.org/archive/mesa-${{package.version}}.tar.xz
-
- - runs: |
- export CFLAGS="$CFLAGS -O2 -g1"
- export CXXFLAGS="$CXXFLAGS -O2 -g1"
- export CPPFLAGS="$CPPFLAGS -O2 -g1"
-
- _dri_driverdir=/usr/lib/xorg/modules/dri
- _gallium_drivers="r300,r600,radeonsi,nouveau,swrast,virgl,zink"
- _vulkan_drivers="amd,swrast"
- _vulkan_layers="device-select,overlay"
-
- PATH="$PATH:/usr/lib/llvm15/bin" \
- meson \
- --prefix=/usr \
- -Ddri-drivers-path=$_dri_driverdir \
- -Dgallium-drivers=$_gallium_drivers \
- -Dvulkan-drivers=$_vulkan_drivers \
- -Dvulkan-layers=$_vulkan_layers \
- -Dplatforms=x11,wayland \
- -Dllvm=enabled \
- -Dshared-llvm=enabled \
- -Dshared-glapi=enabled \
- -Dgbm=enabled \
- -Dglx=dri \
- -Dopengl=true \
- -Dosmesa=true \
- -Dgles1=enabled \
- -Dgles2=enabled \
- -Degl=enabled \
- -Dgallium-extra-hud=true \
- -Dgallium-xa=enabled \
- -Dgallium-vdpau=enabled \
- -Dgallium-va=enabled \
- -Dgallium-nine=true \
- -Db_ndebug=true \
- -Db_lto=false \
- . output
-
- meson configure --no-pager output
- meson compile -C output
-
- DESTDIR="${{targets.destdir}}" meson install --no-rebuild -C output
-
- - uses: strip
-
-data:
- - name: libs
- items:
- gles: libGLES*
- egl: libEGL
- gl: libGL
- glapi: libglapi
- xatracker: libxatracker*
- osmesa: libOSMesa
- gbm: libgbm
- libd3dadapter9: d3d/d3dadapter9
-
-subpackages:
- - range: libs
- name: mesa22-${{range.key}}
- description: mesa22 ${{range.key}}
- pipeline:
- - runs: |
- mkdir -p ${{targets.subpkgdir}}/usr/lib
- mv ${{targets.destdir}}/usr/lib/${{range.value}}.so* ${{targets.subpkgdir}}/usr/lib
-
- - name: mesa22-dev
- pipeline:
- - uses: split/dev
- description: mesa dev