build(deps): bump step-security/harden-runner from 2.10.2 to 2.10.3 #2676
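# Builds the example images with apko on every PR/push to main (and on demand),
# then checks SBOM conformance, build reproducibility, and OCI annotations.
name: Build Images
on:
  pull_request:
    branches: [ "main" ]
  push:
    branches: [ "main" ]
  workflow_dispatch:

jobs:
  # Build a single-arch nginx image for each arch.
  build-nginx-on-all-arches:
    name: build-nginx-all-arches
    runs-on: ubuntu-latest
    permissions:
      contents: read
    strategy:
      fail-fast: false
      matrix:
        arch: [x86_64, aarch64]
    steps:
      - uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
        with:
          egress-policy: audit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v2.1.5
        with:
          go-version-file: 'go.mod'
          check-latest: true
      # QEMU is needed so the aarch64 matrix leg can build on an x86_64 runner.
      - name: Setup QEMU
        uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
      - run: |
          make apko
          ./apko build ./examples/nginx.yaml nginx:build /tmp/nginx-${{ matrix.arch }}.tar --arch ${{ matrix.arch }}
      # apko writes one *.spdx.json per built image into the working directory;
      # each is validated with the SPDX reference tooling.
      - name: Check SBOM Conformance
        run: |
          set -euxo pipefail
          if ! ls *.spdx.json; then
            echo "no SBOMs found!"
            exit 1
          fi
          for f in *.spdx.json; do
            # Name the log group after the file so multiple SBOMs are distinguishable.
            echo "::group::${f}"
            cat "$f"
            echo ::endgroup::
            docker run --rm -v "$(pwd)/$f:/$f" --entrypoint "sh" cgr.dev/chainguard/wolfi-base -c "apk add spdx-tools-java && tools-java Verify /$f"
          done

  # Build every example config for amd64 on both Linux and macOS runners.
  build-all-examples-one-arch:
    name: build-all-examples-amd64
    permissions:
      contents: read
    strategy:
      fail-fast: false
      matrix:
        platform: [ubuntu-latest, macos-latest]
    runs-on: ${{ matrix.platform }}
    steps:
      - uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
        with:
          egress-policy: audit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v2.1.5
        with:
          go-version-file: 'go.mod'
          check-latest: true
      - uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4
      - run: |
          make apko
          for cfg in $(find ./examples/ -name '*.yaml'); do
            name=$(basename "${cfg}" .yaml)
            echo "Building ${name}..."
            # An example directory may ship its own build.sh; it receives the apko binary path.
            build_script=$(dirname "${cfg}")/build.sh
            if [ -f "${build_script}" ]; then
              "${build_script}" ./apko
            else
              ./apko build "${cfg}" "${name}:build" "/tmp/${name}.tar" --arch amd64
            fi
          done

  # Reproducibility: with SOURCE_DATE_EPOCH pinned, repeated publishes must yield the same digest.
  build-wolfi-source-date-epoch:
    name: source-date-epoch
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
        with:
          egress-policy: audit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v2.1.5
        with:
          go-version-file: 'go.mod'
          check-latest: true
      # TODO(review): @main is a mutable ref; pin to a commit SHA like the other actions in this file.
      - uses: chainguard-dev/actions/setup-registry@main
        with:
          port: 5000
      - name: build image (w/ source date epoch)
        env:
          SOURCE_DATE_EPOCH: "0"
        run: |
          make apko
          FIRST=$(./apko publish ./examples/wolfi-base.yaml localhost:5000/wolfi --arch x86_64,aarch64 2> /dev/null)
          # An empty reference would make every later comparison trivially "match".
          if [ -z "${FIRST}" ]; then
            echo "initial publish produced no reference"
            exit 1
          fi
          for idx in {2..10}
          do
            NEXT=$(./apko publish ./examples/wolfi-base.yaml localhost:5000/wolfi --arch x86_64,aarch64 2> /dev/null)
            if [ "${FIRST}" = "${NEXT}" ]; then
              echo "Build ${idx} matches."
            else
              echo "Build ${idx} differs: ${FIRST} and ${NEXT}"
              exit 1
            fi
          done

  # Reproducibility without SOURCE_DATE_EPOCH: the timestamp derives from the resolved APKs.
  build-wolfi-build-date-epoch:
    name: build-date-epoch
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
        with:
          egress-policy: audit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v2.1.5
        with:
          go-version-file: 'go.mod'
          check-latest: true
      # TODO(review): @main is a mutable ref; pin to a commit SHA like the other actions in this file.
      - uses: chainguard-dev/actions/setup-registry@main
        with:
          port: 5000
      - name: build image (w/ build date epoch)
        run: |
          make apko
          # Without SOURCE_DATE_EPOCH set, the timestamp of the image will be computed to be
          # the maximum build date of the resolved APKs.
          FIRST=$(./apko publish ./examples/wolfi-base.yaml localhost:5000/wolfi --arch x86_64,aarch64 2> /dev/null)
          # An empty reference would make every later comparison trivially "match".
          if [ -z "${FIRST}" ]; then
            echo "initial publish produced no reference"
            exit 1
          fi
          for idx in {2..10}
          do
            NEXT=$(./apko publish ./examples/wolfi-base.yaml localhost:5000/wolfi --arch x86_64,aarch64 2> /dev/null)
            if [ "${FIRST}" = "${NEXT}" ]; then
              echo "Build ${idx} matches."
            else
              echo "Build ${idx} differs: ${FIRST} and ${NEXT}"
              exit 1
            fi
          done

  # Verify that index annotations, per-image annotations and config labels survive publish.
  annotations:
    name: annotations
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
        with:
          egress-policy: audit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v2.1.5
        with:
          go-version-file: 'go.mod'
          check-latest: true
      - uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4
      # TODO(review): @main is a mutable ref; pin to a commit SHA like the other actions in this file.
      - uses: chainguard-dev/actions/setup-registry@main
        with:
          port: 5000
      - run: |
          set -euo pipefail
          make apko
          # Build image with annotations.
          ref=$(./apko publish ./examples/nginx.yaml localhost:5000/nginx --arch x86_64,aarch64)
          # Check index annotations.
          crane manifest "$ref" | jq -r '.annotations.foo' | grep bar
          # Check per-image annotations.
          crane manifest --platform=linux/arm64 "$ref" | jq -r '.annotations.foo' | grep bar
          # Check per-image config labels.
          crane config --platform=linux/arm64 "$ref" | jq -r '.config.Labels' | grep bar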