Skip to content

build(deps): bump step-security/harden-runner from 2.10.2 to 2.10.3 #2676

build(deps): bump step-security/harden-runner from 2.10.2 to 2.10.3

build(deps): bump step-security/harden-runner from 2.10.2 to 2.10.3 #2676

Workflow file for this run

name: Build Images
on:
pull_request:
branches: [ "main" ]
push:
branches: [ "main" ]
workflow_dispatch:
jobs:
# Build a single-arch nginx image for each arch.
build-nginx-on-all-arches:
name: build-nginx-all-arches
runs-on: ubuntu-latest
permissions:
contents: read
strategy:
fail-fast: false
matrix:
arch: [x86_64, aarch64]
steps:
- uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
with:
egress-policy: audit
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v2.1.5
with:
go-version-file: 'go.mod'
check-latest: true
- name: Setup QEMU
uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
- run: |
make apko
./apko build ./examples/nginx.yaml nginx:build /tmp/nginx-${{ matrix.arch }}.tar --arch ${{ matrix.arch }}
- name: Check SBOM Conformance
run: |
set -euxo pipefail
if ! ls *.spdx.json; then
echo "no SBOMs found!"
exit 1
fi
for f in *.spdx.json; do
echo ::group::sbom.json
cat $f
echo ::endgroup::
docker run --rm -v $(pwd)/$f:/$f --entrypoint "sh" cgr.dev/chainguard/wolfi-base -c "apk add spdx-tools-java && tools-java Verify /$f"
done
build-all-examples-one-arch:
name: build-all-examples-amd64
permissions:
contents: read
strategy:
fail-fast: false
matrix:
platform: [ubuntu-latest, macos-latest]
runs-on: ${{ matrix.platform }}
steps:
- uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
with:
egress-policy: audit
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v2.1.5
with:
go-version-file: 'go.mod'
check-latest: true
- uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4
- run: |
make apko
for cfg in $(find ./examples/ -name '*.yaml'); do
name=$(basename ${cfg} .yaml)
echo "Building ${name}..."
build_script=$(dirname ${cfg})/build.sh
if [ -f ${build_script} ]; then
${build_script} ./apko
else
./apko build ${cfg} ${name}:build /tmp/${name}.tar --arch amd64
fi
done
build-wolfi-source-date-epoch:
name: source-date-epoch
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
with:
egress-policy: audit
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v2.1.5
with:
go-version-file: 'go.mod'
check-latest: true
- uses: chainguard-dev/actions/setup-registry@main
with:
port: 5000
- name: build image (w/ source date epoch)
env:
SOURCE_DATE_EPOCH: "0"
run: |
make apko
FIRST=$(./apko publish ./examples/wolfi-base.yaml localhost:5000/wolfi --arch x86_64,aarch64 2> /dev/null)
for idx in {2..10}
do
NEXT=$(./apko publish ./examples/wolfi-base.yaml localhost:5000/wolfi --arch x86_64,aarch64 2> /dev/null)
if [ "${FIRST}" = "${NEXT}" ]; then
echo "Build ${idx} matches."
else
echo "Build ${idx} differs: ${FIRST} and ${NEXT}"
exit 1
fi
done
build-wolfi-build-date-epoch:
name: build-date-epoch
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
with:
egress-policy: audit
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v2.1.5
with:
go-version-file: 'go.mod'
check-latest: true
- uses: chainguard-dev/actions/setup-registry@main
with:
port: 5000
- name: build image (w/ build date epoch)
run: |
make apko
# Without SOURCE_DATE_EPOCH set, the timestamp of the image will be computed to be
# the maximum build date of the resolved APKs.
FIRST=$(./apko publish ./examples/wolfi-base.yaml localhost:5000/wolfi --arch x86_64,aarch64 2> /dev/null)
for idx in {2..10}
do
NEXT=$(./apko publish ./examples/wolfi-base.yaml localhost:5000/wolfi --arch x86_64,aarch64 2> /dev/null)
if [ "${FIRST}" = "${NEXT}" ]; then
echo "Build ${idx} matches."
else
echo "Build ${idx} differs: ${FIRST} and ${NEXT}"
exit 1
fi
done
annotations:
name: annotations
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
with:
egress-policy: audit
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v2.1.5
with:
go-version-file: 'go.mod'
check-latest: true
- uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4
- uses: chainguard-dev/actions/setup-registry@main
with:
port: 5000
- run: |
make apko
# Build image with annotations.
ref=$(./apko publish ./examples/nginx.yaml localhost:5000/nginx --arch x86_64,aarch64)
# Check index annotations.
crane manifest $ref | jq -r '.annotations.foo' | grep bar
# Check per-image annotations.
crane manifest --platform=linux/arm64 $ref | jq -r '.annotations.foo' | grep bar
# Check per-image config labels.
crane config --platform=linux/arm64 $ref | jq -r '.config.Labels' | grep bar