Merge branch 'main' of github.com:canonical/oci-factory into ROCKS-54…

…3_charmed-oci-factory-we
canonical · Oct 16, 2023 · bd98a55 · bd98a55
2 parents 6004dad + 1c79f83
commit bd98a55
Show file tree

Hide file tree

Showing 14 changed files with 214 additions and 14 deletions.
diff --git a/.github/workflows/Image.yaml b/.github/workflows/Image.yaml
@@ -390,6 +390,7 @@ jobs:
           if-no-files-found: error
 
       - name: Upload to GHCR
+        id: upload-image
         env:
           GHCR_REPO: ghcr.io/${{ github.repository_owner }}/oci-factory
           GHCR_USERNAME: ${{ github.actor }}
@@ -403,6 +404,9 @@ jobs:
 
           source="oci:${oci_images}"
 
+          digest="$(skopeo inspect $source | jq -r .Digest)"
+          echo "digest=$digest" >> $GITHUB_OUTPUT
+
           ./src/image/tag_and_publish.sh "${source}" \
             ${{ matrix.name }} \
             ${{ steps.rename-oci-archive.outputs.canonical-tag }}
@@ -417,7 +421,9 @@ jobs:
           IMAGE_NAME: ${{ matrix.name }}
           SWIFT_CONTAINER_NAME: ${{ vars.SWIFT_CONTAINER_NAME }}
         run: |
-          jq <<< '${{ toJSON(matrix) }}' > build_metadata.json
+          jq --arg base "${{ steps.get-track.outputs.base }}" \
+            --arg digest "${{ steps.upload-image.outputs.digest }}" \
+            '. + {base: $base, digest: $digest}' <<< '${{ toJSON(matrix) }}' > build_metadata.json
           ./src/uploads/upload_to_swift.sh \
             ${{ matrix.name }} \
             ${{ steps.get-track.outputs.track }} \

diff --git a/oci/grafana/.trivyignore b/oci/grafana/.trivyignore
@@ -0,0 +1,4 @@
+# Upstream CVEs
+
+# goproxy v1.1 was discovered to contain an issue which can lead to a Denial of service (DoS) via unspecified vectors.
+CVE-2023-37788
diff --git a/oci/grafana/_releases.json b/oci/grafana/_releases.json
@@ -0,0 +1,44 @@
+{
+    "10.0.3-22.04": {
+        "stable": {
+            "target": "2"
+        },
+        "candidate": {
+            "target": "10.0.3-22.04_stable"
+        },
+        "beta": {
+            "target": "10.0.3-22.04_candidate"
+        },
+        "edge": {
+            "target": "10.0.3-22.04_beta"
+        }
+    },
+    "10.0-22.04": {
+        "stable": {
+            "target": "2"
+        },
+        "candidate": {
+            "target": "10.0-22.04_stable"
+        },
+        "beta": {
+            "target": "10.0-22.04_candidate"
+        },
+        "edge": {
+            "target": "10.0-22.04_beta"
+        }
+    },
+    "10-22.04": {
+        "stable": {
+            "target": "2"
+        },
+        "candidate": {
+            "target": "10-22.04_stable"
+        },
+        "beta": {
+            "target": "10-22.04_candidate"
+        },
+        "edge": {
+            "target": "10-22.04_beta"
+        }
+    }
+}
diff --git a/oci/loki/.trivyignore b/oci/loki/.trivyignore
@@ -0,0 +1,6 @@
+# Upstream CVEs
+
+# github.com/docker/distribution - DoS from malicious API request
+CVE-2023-2253
+# github.com/docker/docker - Encrypted overlay network may be unauthenticated
+CVE-2023-28840
diff --git a/oci/loki/_releases.json b/oci/loki/_releases.json
@@ -0,0 +1,44 @@
+{
+    "2.8.4-22.04": {
+        "stable": {
+            "target": "1"
+        },
+        "candidate": {
+            "target": "2.8.4-22.04_stable"
+        },
+        "beta": {
+            "target": "2.8.4-22.04_candidate"
+        },
+        "edge": {
+            "target": "2.8.4-22.04_beta"
+        }
+    },
+    "2.8-22.04": {
+        "stable": {
+            "target": "1"
+        },
+        "candidate": {
+            "target": "2.8-22.04_stable"
+        },
+        "beta": {
+            "target": "2.8-22.04_candidate"
+        },
+        "edge": {
+            "target": "2.8-22.04_beta"
+        }
+    },
+    "2-22.04": {
+        "stable": {
+            "target": "1"
+        },
+        "candidate": {
+            "target": "2-22.04_stable"
+        },
+        "beta": {
+            "target": "2-22.04_candidate"
+        },
+        "edge": {
+            "target": "2-22.04_beta"
+        }
+    }
+}
diff --git a/oci/mimir/.trivyignore b/oci/mimir/.trivyignore
@@ -0,0 +1,4 @@
+# Upstream CVEs
+
+# golang.org/x/net - avoid quadratic complexity in HPACK decoding
+CVE-2022-41723
diff --git a/oci/mimir/_releases.json b/oci/mimir/_releases.json
@@ -0,0 +1,44 @@
+{
+    "2.6.0-22.04": {
+        "stable": {
+            "target": "1"
+        },
+        "candidate": {
+            "target": "2.6.0-22.04_stable"
+        },
+        "beta": {
+            "target": "2.6.0-22.04_candidate"
+        },
+        "edge": {
+            "target": "2.6.0-22.04_beta"
+        }
+    },
+    "2.6-22.04": {
+        "stable": {
+            "target": "1"
+        },
+        "candidate": {
+            "target": "2.6-22.04_stable"
+        },
+        "beta": {
+            "target": "2.6-22.04_candidate"
+        },
+        "edge": {
+            "target": "2.6-22.04_beta"
+        }
+    },
+    "2-22.04": {
+        "stable": {
+            "target": "1"
+        },
+        "candidate": {
+            "target": "2-22.04_stable"
+        },
+        "beta": {
+            "target": "2-22.04_candidate"
+        },
+        "edge": {
+            "target": "2-22.04_beta"
+        }
+    }
+}
diff --git a/oci/mock-docker-image/_releases.json b/oci/mock-docker-image/_releases.json
@@ -1,15 +1,15 @@
 {
     "1.3-22.04": {
         "beta": {
-            "target": "214"
+            "target": "216"
         },
         "edge": {
             "target": "1.3-22.04_beta"
         }
     },
     "1.3": {
         "edge": {
-            "target": "214"
+            "target": "216"
         }
     }
 }
diff --git a/oci/mock-rock/_releases.json b/oci/mock-rock/_releases.json
@@ -12,13 +12,13 @@
     },
     "1.0-22.04": {
         "candidate": {
-            "target": "124"
+            "target": "125"
         },
         "beta": {
-            "target": "124"
+            "target": "125"
         },
         "edge": {
-            "target": "124"
+            "target": "125"
         }
     },
     "test": {

diff --git a/oci/prometheus/_releases.json b/oci/prometheus/_releases.json
@@ -1,7 +1,7 @@
 {
     "2.46.0-22.04": {
         "stable": {
-            "target": "2"
+            "target": "3"
         },
         "candidate": {
             "target": "2.46.0-22.04_stable"
@@ -15,7 +15,7 @@
     },
     "2.46-22.04": {
         "stable": {
-            "target": "2"
+            "target": "3"
         },
         "candidate": {
             "target": "2.46-22.04_stable"
@@ -29,7 +29,7 @@
     },
     "2-22.04": {
         "stable": {
-            "target": "2"
+            "target": "3"
         },
         "candidate": {
             "target": "2-22.04_stable"

diff --git a/oci/prometheus/image.yaml b/oci/prometheus/image.yaml
@@ -1,19 +1,18 @@
 version: 1
-
 upload:
   - source: canonical/prometheus-rock
-    commit: c7a8b4eeaf34b1bf7f7cb7bdf71e90369fb60031
+    commit: 4521b60dec190d3254901de3d9d2147cf806dc2b
     directory: 2.46.0
     release:
       2.46.0-22.04:
-        end-of-life: "2024-08-01T00:00:00Z"
+        end-of-life: "2024-09-08T00:00:00Z"
         risks:
           - stable
       2.46-22.04:
-        end-of-life: "2024-08-01T00:00:00Z"
+        end-of-life: "2024-09-08T00:00:00Z"
         risks:
           - stable
       2-22.04:
-        end-of-life: "2024-08-01T00:00:00Z"
+        end-of-life: "2024-09-08T00:00:00Z"
         risks:
           - stable
diff --git a/oci/traefik/.trivyignore b/oci/traefik/.trivyignore
@@ -0,0 +1,4 @@
+# Upstream CVEs
+
+# github.com/docker/docker - Encrypted overlay network may be unauthenticated
+CVE-2023-28840
diff --git a/oci/traefik/_releases.json b/oci/traefik/_releases.json
@@ -0,0 +1,44 @@
+{
+    "2.10.4-22.04": {
+        "stable": {
+            "target": "1"
+        },
+        "candidate": {
+            "target": "2.10.4-22.04_stable"
+        },
+        "beta": {
+            "target": "2.10.4-22.04_candidate"
+        },
+        "edge": {
+            "target": "2.10.4-22.04_beta"
+        }
+    },
+    "2.10-22.04": {
+        "stable": {
+            "target": "1"
+        },
+        "candidate": {
+            "target": "2.10-22.04_stable"
+        },
+        "beta": {
+            "target": "2.10-22.04_candidate"
+        },
+        "edge": {
+            "target": "2.10-22.04_beta"
+        }
+    },
+    "2-22.04": {
+        "stable": {
+            "target": "1"
+        },
+        "candidate": {
+            "target": "2-22.04_stable"
+        },
+        "beta": {
+            "target": "2-22.04_candidate"
+        },
+        "edge": {
+            "target": "2-22.04_beta"
+        }
+    }
+}
diff --git a/src/uploads/infer_image_track.py b/src/uploads/infer_image_track.py
@@ -76,3 +76,4 @@ def get_release_from_codename(codename: str) -> str:
 
 with open(os.environ["GITHUB_OUTPUT"], "a") as gh_out:
     print(f"track={track}", file=gh_out)
+    print(f"base=ubuntu:{base_release}", file=gh_out)
Original file line number	Diff line number	Diff line change
Expand Up		@@ -76,3 +76,4 @@ def get_release_from_codename(codename: str) -> str:

		with open(os.environ["GITHUB_OUTPUT"], "a") as gh_out:
		print(f"track={track}", file=gh_out)
		print(f"base=ubuntu:{base_release}", file=gh_out)