From 8a2f375c7ddbbf6870483c07033e06a16fa36ff6 Mon Sep 17 00:00:00 2001 From: Tomasz Cichoszewski Date: Wed, 28 Aug 2024 15:37:00 +0200 Subject: [PATCH 1/7] build older mesa package --- .github/dependabot.yml | 6 - .github/pull-request-template.md | 61 ------- .github/workflows/auto-approve.yaml | 31 ---- .github/workflows/build.yaml | 1 + .../workflows/postsubmit-bundle-build.yaml | 158 ------------------ .github/workflows/push-packages.yaml | 1 + mesa.yaml | 11 +- 7 files changed, 8 insertions(+), 261 deletions(-) delete mode 100644 .github/dependabot.yml delete mode 100644 .github/pull-request-template.md delete mode 100644 .github/workflows/auto-approve.yaml delete mode 100644 .github/workflows/postsubmit-bundle-build.yaml diff --git a/.github/dependabot.yml b/.github/dependabot.yml deleted file mode 100644 index 123014908b..0000000000 --- a/.github/dependabot.yml +++ /dev/null @@ -1,6 +0,0 @@ -version: 2 -updates: - - package-ecosystem: "github-actions" - directory: "/" - schedule: - interval: "daily" diff --git a/.github/pull-request-template.md b/.github/pull-request-template.md deleted file mode 100644 index 3fd988b8ad..0000000000 --- a/.github/pull-request-template.md +++ /dev/null 
@@ -1,61 +0,0 @@ - - - - -Fixes: - -Related: - -### Pre-review Checklist - - - -#### For new package PRs only - -- [ ] This PR is marked as fixing a pre-existing package request bug - - [ ] Alternatively, the PR is marked as related to a pre-existing package request bug, such as a dependency -- [ ] REQUIRED - The package is available under an OSI-approved or FSF-approved license -- [ ] REQUIRED - The version of the package is still receiving security updates -- [ ] This PR links to the upstream project's support policy (e.g. `endoflife.date`) - -#### For new version streams - -- [ ] The upstream project actually supports multiple concurrent versions. -- [ ] Any subpackages include the version string in their package name (e.g. `name: ${{package.name}}-compat`) -- [ ] The package (and subpackages) `provides:` logical unversioned forms of the package (e.g. `nodejs`, `nodejs-lts`) -- [ ] If non-streamed package names no longer built, open PR to withdraw them (see [WITHDRAWING PACKAGES](https://github.com/wolfi-dev/os/blob/main/WITHDRAWING_PACKAGES.md)) - -#### For package updates (renames) in the base images - -When updating packages part of base images (i.e. cgr.dev/chainguard/wolfi-base or ghcr.io/wolfi-dev/sdk) -- [ ] REQUIRED cgr.dev/chainguard/wolfi-base and ghcr.io/wolfi-dev/sdk images successfully build -- [ ] REQUIRED cgr.dev/chainguard/wolfi-base and ghcr.io/wolfi-dev/sdk contain no obsolete (no longer built) packages -- [ ] Upon launch, does `apk upgrade --latest` successfully upgrades packages or performs no actions - -#### For security-related PRs - -- [ ] The security fix is recorded in the [advisories](https://github.com/wolfi-dev/advisories) repo - -#### For version bump PRs - -- [ ] The `epoch` field is reset to 0 - -#### For PRs that add patches - -- [ ] Patch source is documented diff --git a/.github/workflows/auto-approve.yaml b/.github/workflows/auto-approve.yaml deleted file mode 100644 index 4f82dbf527..0000000000 
--- a/.github/workflows/auto-approve.yaml +++ /dev/null @@ -1,31 +0,0 @@ -name: automated-pr-approve -on: - workflow_dispatch: - schedule: - - cron: '*/45 * * * *' - -permissions: - contents: read - -jobs: - review-pr: - runs-on: ubuntu-latest - if: github.repository == 'wolfi-dev/os' - - permissions: - contents: read - pull-requests: write - - steps: - - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 - with: - egress-policy: audit - - - name: Check out repository code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - run: | - ./scripts/auto-approve-pr.sh ${{ github.repository }} - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 4d41260d54..b28abb4331 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -19,3 +19,4 @@ jobs: docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/mesa22.yaml:/work/mesa22.yaml cgr.dev/chainguard/melange build --arch=x86_64 mesa22.yaml docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libjpeg-turbo2.yaml:/work/libjpeg-turbo2.yaml cgr.dev/chainguard/melange build --arch=x86_64 libjpeg-turbo2.yaml docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/tesseract52.yaml:/work/tesseract52.yaml cgr.dev/chainguard/melange build --arch=x86_64 tesseract52.yaml + docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/mesa.yaml:/work/mesa.yaml cgr.dev/chainguard/melange build --arch=x86_64 mesa.yaml diff --git a/.github/workflows/postsubmit-bundle-build.yaml b/.github/workflows/postsubmit-bundle-build.yaml deleted file mode 100644 index 1aef099a63..0000000000 --- a/.github/workflows/postsubmit-bundle-build.yaml +++ /dev/null 
@@ -1,158 +0,0 @@ -name: Bundle Build Wolfi Packages - -on: - schedule: - # Deploy at 7:23 AM (PST) every day. - - cron: "23 15 * * *" - workflow_dispatch: - inputs: - package_names: - required: false - type: string - default: "" - description: "comma separated list of package names to build. If empty, build all packages." - -# Only run one build at a time to prevent out of sync signatures. -concurrency: 'bundle-runner-a' - -permissions: - contents: read - -jobs: - build: - name: Build packages - if: github.repository == 'wolfi-dev/os' - - runs-on: ubuntu-latest - container: - image: ghcr.io/wolfi-dev/sdk:latest@sha256:c4640fd2e678c3ffe171047e5d232e6d2ca9cf8fc5120ad8d71bef45bdfa92b3 - - permissions: - id-token: write - contents: read - - steps: - - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 - with: - egress-policy: audit - - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - - - name: 'Trust the github workspace' - run: | - # This is to avoid fatal errors about "dubious ownership" because we are - # running inside of a container action with the workspace mounted in. 
- git config --global --add safe.directory "$(pwd)" - - - name: Authenticate to Google Cloud - uses: "google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa" # v2.1.3 - with: - workload_identity_provider: "projects/567187841907/locations/global/workloadIdentityPools/bundle-post-wolfi/providers/github-provider" - service_account: "bundle-runner-post-wolfi@staging-images-183e.iam.gserviceaccount.com" - - name: Setup G Cloud SDK - uses: "google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200" # v2.0.11 - with: - install_components: 'gke-gcloud-auth-plugin' - - name: Print gcloud info - shell: bash - run: "gcloud info" - - name: Configure GCR auth - shell: bash - run: gcloud auth configure-docker - - name: Configure AR auth - shell: bash - run: gcloud auth configure-docker us-central1-docker.pkg.dev - - - name: Install sudo for gke-auth - shell: bash - run: apk add cmd:sudo - - - name: Make parent dir for gke-auth - shell: bash - run: mkdir -p /usr/local/bin - - - name: Connect to cluster - uses: "imjasonh/gke-auth@31f5c5f16489a15037d46b08903d983889c46ddf" # v0.2.0 - with: - cluster: "bundle-runner-a" - location: "us-central1" - project: "staging-images-183e" - - - name: kubectl test - shell: bash - run: | - apk add kubectl - kubectl get namespace kube-system - - - name: "Generate local signing key" - run: | - make local-melange.rsa - - - name: "bundle build" - shell: bash - env: - BUNDLE_REPO: us-central1-docker.pkg.dev/staging-images-183e/bundles - BUCKET: "wolfi-registry-destination/${{ github.run_id }}" - run: | - set -x - set -v - - COMMON_FLAGS=$(cat <<-END - --keyring-append ./local-melange.rsa.pub \ - --keyring-append https://packages.wolfi.dev/os/wolfi-signing.rsa.pub - --repository-append https://packages.wolfi.dev/os - END - ) - - BUNDLE=$(wolfictl bundle \ - --bundle-base ghcr.io/wolfi-dev/sdk:latest@sha256:c4640fd2e678c3ffe171047e5d232e6d2ca9cf8fc5120ad8d71bef45bdfa92b3 \ - --bundle-repo "${BUNDLE_REPO}" \ - 
${COMMON_FLAGS} \ - --runner bubblewrap \ - --pipeline-dir ./pipelines \ - ${{ github.event.inputs.package_names }} - ) - wolfictl build \ - --jobs 128 \ - --bucket "${BUCKET}" \ - --destination-bucket "${BUCKET}" \ - ${COMMON_FLAGS} \ - --k8s-namespace 'post-wolfi' \ - --service-account 'post-wolfi' \ - --trace /tmp/trace.json \ - --bundle "${BUNDLE}" - - - if: ${{ always() }} - name: 'Upload trace to GitHub Artifacts' - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 - with: - name: trace-build.json - path: /tmp/trace.json - if-no-files-found: warn - - postrun: - name: Notify Slack - runs-on: ubuntu-latest - if: failure() && false # TODO(kleung): remove `&& false` when ready to slack - needs: [build] - steps: - - name: Harden Runner - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0 - with: - egress-policy: audit - - - uses: rtCamp/action-slack-notify@4e5fb42d249be6a45a298f3c9543b111b02f7907 # v2.3.0 - env: - SLACK_ICON: http://github.com/chainguard-dev.png?size=48 - SLACK_USERNAME: guardian - SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }} - SLACK_CHANNEL: chainguard-images-alerts - SLACK_MSG_AUTHOR: wolfi-bot - SLACK_COLOR: "#8E1600" - MSG_MINIMAL: "true" - SLACK_TITLE: "[bundle build wolfi] failure: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" - SLACK_MESSAGE: | - https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} diff --git a/.github/workflows/push-packages.yaml b/.github/workflows/push-packages.yaml index 74ce41ee10..4404857cc4 100644 --- a/.github/workflows/push-packages.yaml +++ b/.github/workflows/push-packages.yaml 
@@ -27,6 +27,7 @@ jobs: docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/mesa22.yaml:/work/mesa22.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 mesa22.yaml docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libjpeg-turbo2.yaml:/work/libjpeg-turbo2.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 libjpeg-turbo2.yaml docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/tesseract52.yaml:/work/tesseract52.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 tesseract52.yaml + docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/mesa.yaml:/work/mesa.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 mesa.yaml - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v3 diff --git a/mesa.yaml b/mesa.yaml index 810e77368e..d01ebd8190 100644 --- a/mesa.yaml +++ b/mesa.yaml @@ -1,5 +1,6 @@ package: - name: mesa + # Mesa has been updated to 24.2.0 in main repo, most probably causing issues downstream + name: mesa2414 version: 24.1.4 epoch: 0 description: Mesa DRI OpenGL library @@ -119,17 +120,17 @@ data: subpackages: - range: libs - name: mesa-${{range.key}} - description: mesa ${{range.key}} + name: mesa2414-${{range.key}} + description: mesa2414 ${{range.key}} pipeline: - runs: | mkdir -p ${{targets.subpkgdir}}/usr/lib mv ${{targets.destdir}}/usr/lib/${{range.value}}.so* ${{targets.subpkgdir}}/usr/lib - - name: mesa-dev + - name: mesa2414-dev pipeline: - uses: split/dev - description: mesa dev + description: mesa2414 dev update: enabled: true From 647c1de7f34a5a2d4f034af003c3e73c95fc677c Mon Sep 17 00:00:00 2001 
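Review bot: The package is renamed to `mesa2414` to pin the 24.1.4 stream, yet the last context line of the second mesa.yaml hunk still reads `update: enabled: true`, so the update bot will keep proposing 24.2.x bumps for a package whose only purpose is to stay on 24.1.x; change it to `enabled: false` (or constrain the update to the 24.1 series) so the stream is not silently moved. Pinning an older Mesa also means upstream security fixes arrive only in newer releases, so the new comment should record ownership and an exit condition rather than just the symptom, e.g. `# Pinned 24.1.x stream for downstream consumers; no security backports here — drop once consumers build against 24.2.`. The same patch deletes the PR template whose version-stream checklist (versioned subpackage names, a `provides:` for the unversioned name) still applies to this change; the subpackage names do carry the version, but the section between the two hunks is outside my view, so whether a `provides: mesa` entry exists that could shadow the upstream package is worth confirming.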
From: Tomasz Cichoszewski
Date: Wed, 28 Aug 2024 15:56:04 +0200
Subject: [PATCH 2/7] temp build only mesa and push
---
 .github/workflows/build.yaml | 19 ++++++++++++-------
 .github/workflows/push-packages.yaml | 22 +++++++++++++---------
 2 files changed, 25 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index b28abb4331..5c2ed65dea 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -1,6 +1,11 @@
 name: Build
-on: [pull_request]
+# TODO: tmp comment
+#on: [pull_request]
+on:
+ push:
+ branches:
+ - nosuchbranch
 jobs:
 build-packages:
@@ -13,10 +18,10 @@ jobs: # TODO: if new packages list grows, automation of listing packages would be handy - name: Build packages specific to this repo run: | - docker run --privileged --rm -v $(pwd):/work cgr.dev/chainguard/melange build --arch=x86_64 poppler.yaml - docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/font-liberation1.yaml:/work/font-liberation1.yaml cgr.dev/chainguard/melange build --arch=x86_64 font-liberation1.yaml - docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libspatialindex.yaml:/work/libspatialindex.yaml cgr.dev/chainguard/melange build --arch=x86_64 libspatialindex.yaml - docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/mesa22.yaml:/work/mesa22.yaml cgr.dev/chainguard/melange build --arch=x86_64 mesa22.yaml - docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libjpeg-turbo2.yaml:/work/libjpeg-turbo2.yaml cgr.dev/chainguard/melange build --arch=x86_64 libjpeg-turbo2.yaml - docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/tesseract52.yaml:/work/tesseract52.yaml cgr.dev/chainguard/melange build --arch=x86_64 tesseract52.yaml +# docker run --privileged --rm -v $(pwd):/work cgr.dev/chainguard/melange build --arch=x86_64 poppler.yaml +# docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/font-liberation1.yaml:/work/font-liberation1.yaml cgr.dev/chainguard/melange build --arch=x86_64 font-liberation1.yaml +# docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libspatialindex.yaml:/work/libspatialindex.yaml cgr.dev/chainguard/melange build --arch=x86_64 libspatialindex.yaml +# docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/mesa22.yaml:/work/mesa22.yaml cgr.dev/chainguard/melange build --arch=x86_64 mesa22.yaml +# docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libjpeg-turbo2.yaml:/work/libjpeg-turbo2.yaml cgr.dev/chainguard/melange build 
--arch=x86_64 libjpeg-turbo2.yaml +# docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/tesseract52.yaml:/work/tesseract52.yaml cgr.dev/chainguard/melange build --arch=x86_64 tesseract52.yaml docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/mesa.yaml:/work/mesa.yaml cgr.dev/chainguard/melange build --arch=x86_64 mesa.yaml diff --git a/.github/workflows/push-packages.yaml b/.github/workflows/push-packages.yaml index 4404857cc4..bf59839d51 100644 --- a/.github/workflows/push-packages.yaml +++ b/.github/workflows/push-packages.yaml @@ -1,10 +1,15 @@ name: Push packages on: + pull_request: push: branches: - main +permissions: + id-token: write + contents: read + jobs: build-packages: runs-on: ubuntu-latest 
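Review bot: `permissions:` with `id-token: write` is added at the workflow level of push-packages.yaml, so every job in the file may mint an OIDC token rather than only `build-packages`, the job that calls `configure-aws-credentials`; keep `contents: read` at the top and move `id-token: write` under `build-packages:`. The same hunk adds `pull_request:` as a trigger for a workflow that signs packages with `melange.rsa` and assumes an AWS role, so a same-repository PR (fork PRs receive no `id-token`) could produce and upload signed artifacts before review. Later patches in this series change the trigger again, so the final `on:` block, not this intermediate one, is what should be checked, together with the role's trust policy, which should restrict the token's `sub` claim to `refs/heads/main` rather than the repository as a whole (the policy is not visible here).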
@@ -21,19 +26,18 @@ jobs: # TODO: if new packages list grows, automation of listing packages would be handy - name: Build signed packages specific to this repo run: | - docker run --privileged --rm -v $(pwd):/work cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 poppler.yaml - docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/font-liberation1.yaml:/work/font-liberation1.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 font-liberation1.yaml - docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libspatialindex.yaml:/work/libspatialindex.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 libspatialindex.yaml - docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/mesa22.yaml:/work/mesa22.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 mesa22.yaml - docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libjpeg-turbo2.yaml:/work/libjpeg-turbo2.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 libjpeg-turbo2.yaml - docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/tesseract52.yaml:/work/tesseract52.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 tesseract52.yaml +# docker run --privileged --rm -v $(pwd):/work cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 poppler.yaml +# docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/font-liberation1.yaml:/work/font-liberation1.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 font-liberation1.yaml +# docker run --privileged --rm -v 
$(pwd)/packages:/work/packages -v $(pwd)/libspatialindex.yaml:/work/libspatialindex.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 libspatialindex.yaml +# docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/mesa22.yaml:/work/mesa22.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 mesa22.yaml +# docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libjpeg-turbo2.yaml:/work/libjpeg-turbo2.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 libjpeg-turbo2.yaml +# docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/tesseract52.yaml:/work/tesseract52.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 tesseract52.yaml docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/mesa.yaml:/work/mesa.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 mesa.yaml - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v3 + uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::524466471676:role/GitHub-OIDC-Role aws-region: us-east-1 - name: Upload index to s3 From ed05e513c4de9b2ad85cf2e1a86093c5a8c87ee3 Mon Sep 17 00:00:00 2001 From: Tomasz Cichoszewski Date: Wed, 28 Aug 2024 15:56:58 +0200 Subject: [PATCH 3/7] temp push on PR only --- .github/workflows/push-packages.yaml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/.github/workflows/push-packages.yaml b/.github/workflows/push-packages.yaml index bf59839d51..01cf23eb8d 100644 --- a/.github/workflows/push-packages.yaml 
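Review bot: `aws-actions/configure-aws-credentials@v4` is referenced by a mutable tag, while patch 1 of this series deletes the `dependabot.yml` that kept action references current and the deleted wolfi workflows pinned every action to a full commit SHA; pin this one the same way, `uses: aws-actions/configure-aws-credentials@<commit-sha> # v4`, so a moved tag cannot change what runs with `id-token: write`. Replacing the static `AWS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` secrets with `role-to-assume` is the right direction, but once this lands the old key pair should be deactivated in IAM and removed from repository secrets, since it remains valid and usable by any workflow that can read secrets until it is. The `Upload index to s3` step that consumes the credentials is outside the hunk, so I cannot tell whether the role's permissions are limited to that bucket prefix; least privilege there is worth confirming.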
+++ b/.github/workflows/push-packages.yaml
@@ -1,10 +1,9 @@
 name: Push packages
-on:
- pull_request:
- push:
- branches:
- - main
+on: [pull_request]
+# push:
+# branches:
+# - main
 permissions:
 id-token: write
From 183e4b3a3dbbd828f00f9a1edd2a7b5a3c8b26c7 Mon Sep 17 00:00:00 2001
From: Tomasz Cichoszewski
Date: Wed, 28 Aug 2024 15:58:26 +0200
Subject: [PATCH 4/7] flip commented code
---
 .github/workflows/build.yaml | 15 ++++++++-------
 .github/workflows/push-packages.yaml | 14 +++++++-------
 2 files changed, 15 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 5c2ed65dea..7815317ac6 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -18,10 +18,11 @@ jobs: # TODO: if new packages list grows, automation of listing packages would be handy - name: Build packages specific to this repo run: | -# docker run --privileged --rm -v $(pwd):/work cgr.dev/chainguard/melange build --arch=x86_64 poppler.yaml -# docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/font-liberation1.yaml:/work/font-liberation1.yaml cgr.dev/chainguard/melange build --arch=x86_64 font-liberation1.yaml -# docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libspatialindex.yaml:/work/libspatialindex.yaml cgr.dev/chainguard/melange build --arch=x86_64 libspatialindex.yaml -# docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/mesa22.yaml:/work/mesa22.yaml cgr.dev/chainguard/melange build --arch=x86_64 mesa22.yaml -# docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libjpeg-turbo2.yaml:/work/libjpeg-turbo2.yaml cgr.dev/chainguard/melange build --arch=x86_64 libjpeg-turbo2.yaml -# docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/tesseract52.yaml:/work/tesseract52.yaml cgr.dev/chainguard/melange build --arch=x86_64 tesseract52.yaml - docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/mesa.yaml:/work/mesa.yaml cgr.dev/chainguard/melange build --arch=x86_64 mesa.yaml + docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/mesa.yaml:/work/mesa.yaml cgr.dev/chainguard/melange build --arch=x86_64 mesa.yaml + # docker run --privileged --rm -v $(pwd):/work cgr.dev/chainguard/melange build --arch=x86_64 poppler.yaml + # docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/font-liberation1.yaml:/work/font-liberation1.yaml cgr.dev/chainguard/melange build --arch=x86_64 font-liberation1.yaml + # docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libspatialindex.yaml:/work/libspatialindex.yaml cgr.dev/chainguard/melange build --arch=x86_64 
libspatialindex.yaml + # docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/mesa22.yaml:/work/mesa22.yaml cgr.dev/chainguard/melange build --arch=x86_64 mesa22.yaml + # docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libjpeg-turbo2.yaml:/work/libjpeg-turbo2.yaml cgr.dev/chainguard/melange build --arch=x86_64 libjpeg-turbo2.yaml + # docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/tesseract52.yaml:/work/tesseract52.yaml cgr.dev/chainguard/melange build --arch=x86_64 tesseract52.yaml + diff --git a/.github/workflows/push-packages.yaml b/.github/workflows/push-packages.yaml index 01cf23eb8d..752d19e1a6 100644 --- a/.github/workflows/push-packages.yaml +++ b/.github/workflows/push-packages.yaml 
@@ -25,13 +25,13 @@ jobs: # TODO: if new packages list grows, automation of listing packages would be handy - name: Build signed packages specific to this repo run: | -# docker run --privileged --rm -v $(pwd):/work cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 poppler.yaml -# docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/font-liberation1.yaml:/work/font-liberation1.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 font-liberation1.yaml -# docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libspatialindex.yaml:/work/libspatialindex.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 libspatialindex.yaml -# docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/mesa22.yaml:/work/mesa22.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 mesa22.yaml -# docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libjpeg-turbo2.yaml:/work/libjpeg-turbo2.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 libjpeg-turbo2.yaml -# docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/tesseract52.yaml:/work/tesseract52.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 tesseract52.yaml - docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/mesa.yaml:/work/mesa.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 mesa.yaml + docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/mesa.yaml:/work/mesa.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 mesa.yaml 
+ # docker run --privileged --rm -v $(pwd):/work cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 poppler.yaml + # docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/font-liberation1.yaml:/work/font-liberation1.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 font-liberation1.yaml + # docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libspatialindex.yaml:/work/libspatialindex.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 libspatialindex.yaml + # docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/mesa22.yaml:/work/mesa22.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 mesa22.yaml + # docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libjpeg-turbo2.yaml:/work/libjpeg-turbo2.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 libjpeg-turbo2.yaml + # docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/tesseract52.yaml:/work/tesseract52.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 tesseract52.yaml - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4 From 5007f432e65e1869a8e73dfda26ae34be52f3e40 Mon Sep 17 00:00:00 2001 From: Tomasz Cichoszewski Date: Wed, 28 Aug 2024 16:03:45 +0200 Subject: [PATCH 5/7] add repos --- mesa.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/mesa.yaml b/mesa.yaml index d01ebd8190..1bdc10dd70 100644 --- a/mesa.yaml +++ b/mesa.yaml @@ -9,6 +9,10 @@ package: environment: contents: + keyring: + - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub + repositories: + - https://packages.wolfi.dev/os packages: - autoconf - automake 
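Review bot: The new `keyring:` entry points at `https://packages.wolfi.dev/os/wolfi-signing.rsa.pub`, so the trust anchor for every build dependency of `mesa2414` is downloaded at build time and its authenticity rests entirely on that TLS connection; committing the public key to this repository and referencing the local file would make the trust root reviewable in diffs and keep builds working if the remote key is unavailable or rotated. The other package definitions in this repo (mesa22.yaml, tesseract52.yaml and the rest) are not visible here; if they already declare the same `repositories:`/`keyring:` pair, this block should match their form so the trust root is declared once. A short why-comment above the block would help the next reader, e.g. `# Build dependencies come from upstream Wolfi; only packages signed with this key are accepted.`.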
From 8141426b6c926878282308135d5d367b6eea096d Mon Sep 17 00:00:00 2001
From: Tomasz Cichoszewski
Date: Thu, 29 Aug 2024 11:34:01 +0200
Subject: [PATCH 6/7] restore original workflows
---
 .github/workflows/build.yaml | 19 +++++++------------
 .github/workflows/push-packages.yaml | 19 +++++++++----------
 2 files changed, 16 insertions(+), 22 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 7815317ac6..712f9f1406 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -1,11 +1,6 @@
 name: Build
-# TODO: tmp comment
-#on: [pull_request]
-on:
- push:
- branches:
- - nosuchbranch
+on: [pull_request]
 jobs:
 build-packages:
@@ -19,10 +14,10 @@ jobs: - name: Build packages specific to this repo run: | docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/mesa.yaml:/work/mesa.yaml cgr.dev/chainguard/melange build --arch=x86_64 mesa.yaml - # docker run --privileged --rm -v $(pwd):/work cgr.dev/chainguard/melange build --arch=x86_64 poppler.yaml - # docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/font-liberation1.yaml:/work/font-liberation1.yaml cgr.dev/chainguard/melange build --arch=x86_64 font-liberation1.yaml - # docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libspatialindex.yaml:/work/libspatialindex.yaml cgr.dev/chainguard/melange build --arch=x86_64 libspatialindex.yaml - # docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/mesa22.yaml:/work/mesa22.yaml cgr.dev/chainguard/melange build --arch=x86_64 mesa22.yaml - # docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libjpeg-turbo2.yaml:/work/libjpeg-turbo2.yaml cgr.dev/chainguard/melange build --arch=x86_64 libjpeg-turbo2.yaml - # docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/tesseract52.yaml:/work/tesseract52.yaml cgr.dev/chainguard/melange build --arch=x86_64 tesseract52.yaml + docker run --privileged --rm -v $(pwd):/work cgr.dev/chainguard/melange build --arch=x86_64 poppler.yaml + docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/font-liberation1.yaml:/work/font-liberation1.yaml cgr.dev/chainguard/melange build --arch=x86_64 font-liberation1.yaml + docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libspatialindex.yaml:/work/libspatialindex.yaml cgr.dev/chainguard/melange build --arch=x86_64 libspatialindex.yaml + docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/mesa22.yaml:/work/mesa22.yaml cgr.dev/chainguard/melange build --arch=x86_64 mesa22.yaml + docker run --privileged --rm -v $(pwd)/packages:/work/packages -v 
$(pwd)/libjpeg-turbo2.yaml:/work/libjpeg-turbo2.yaml cgr.dev/chainguard/melange build --arch=x86_64 libjpeg-turbo2.yaml + docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/tesseract52.yaml:/work/tesseract52.yaml cgr.dev/chainguard/melange build --arch=x86_64 tesseract52.yaml diff --git a/.github/workflows/push-packages.yaml b/.github/workflows/push-packages.yaml index 752d19e1a6..2b94a3837d 100644 --- a/.github/workflows/push-packages.yaml +++ b/.github/workflows/push-packages.yaml @@ -1,9 +1,8 @@ name: Push packages -on: [pull_request] -# push: -# branches: -# - main + push: + branches: + - main permissions: id-token: write 
@@ -26,12 +25,12 @@ jobs: - name: Build signed packages specific to this repo run: | docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/mesa.yaml:/work/mesa.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 mesa.yaml - # docker run --privileged --rm -v $(pwd):/work cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 poppler.yaml - # docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/font-liberation1.yaml:/work/font-liberation1.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 font-liberation1.yaml - # docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libspatialindex.yaml:/work/libspatialindex.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 libspatialindex.yaml - # docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/mesa22.yaml:/work/mesa22.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 mesa22.yaml - # docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libjpeg-turbo2.yaml:/work/libjpeg-turbo2.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 libjpeg-turbo2.yaml - # docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/tesseract52.yaml:/work/tesseract52.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 tesseract52.yaml + docker run --privileged --rm -v $(pwd):/work cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 poppler.yaml + docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/font-liberation1.yaml:/work/font-liberation1.yaml -v $(pwd)/melange.rsa:/work/melange.rsa 
cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 font-liberation1.yaml
+ docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libspatialindex.yaml:/work/libspatialindex.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 libspatialindex.yaml
+ docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/mesa22.yaml:/work/mesa22.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 mesa22.yaml
+ docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/libjpeg-turbo2.yaml:/work/libjpeg-turbo2.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 libjpeg-turbo2.yaml
+ docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/tesseract52.yaml:/work/tesseract52.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 tesseract52.yaml
 - name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@v4
From 01e934b1d6ebadabaf73eb6115a215409ce8a471 Mon Sep 17 00:00:00 2001
From: Tomasz Cichoszewski
Date: Thu, 29 Aug 2024 11:41:12 +0200
Subject: [PATCH 7/7] missing on:
---
 .github/workflows/push-packages.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/push-packages.yaml b/.github/workflows/push-packages.yaml
index 2b94a3837d..eef305b282 100644
--- a/.github/workflows/push-packages.yaml
+++ b/.github/workflows/push-packages.yaml
@@ -1,5 +1,6 @@
 name: Push packages
+on:
 push:
 branches:
 - main
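Review bot: The restored poppler line mounts the entire checkout (`-v $(pwd):/work`) into the `--privileged` melange container, which exposes `melange.rsa` and every other workspace file to that build, whereas every other line in the hunk mounts only `packages/`, the one package YAML and the signing key; unless poppler.yaml depends on local patch files (I cannot see it), narrow it to `docker run --privileged --rm -v $(pwd)/packages:/work/packages -v $(pwd)/poppler.yaml:/work/poppler.yaml -v $(pwd)/melange.rsa:/work/melange.rsa cgr.dev/chainguard/melange build --signing-key melange.rsa --arch=x86_64 poppler.yaml`. The same broad mount is restored in build.yaml, where the container runs on `pull_request` input, so the narrowing applies there too. The step that places `melange.rsa` in the workspace is outside the hunk, so I cannot confirm how the key is sourced; if it is materialised from a secret, deleting it after the last signing step would keep it out of any later step or uploaded artifact.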