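# Copyright 2023 Canonical Ltd.
# See LICENSE file for licensing details.
#
# Reusable workflow: discovers every rockcraft.yaml under the working
# directory, builds each rock in a matrix job, pushes it to the registry
# with the workflow token and scans the pushed image with Trivy.
# Cache handling is selected by the `cache-action` input: "restore" only
# reuses an existing rockcraft container, "save" exports and stores it.
name: Build images
on:
  workflow_call:
    inputs:
      owner:
        type: string
        description: Registry owner to push the built images
        default: ""
      registry:
        type: string
        description: Registry to push the built images
        default: ""
      runs-on:
        type: string
        description: Image runner for building the images
        default: ubuntu-22.04
      trivy-image-config:
        type: string
        description: Trivy YAML configuration for image testing that is checked in as part of the repo
      working-directory:
        type: string
        description: The working directory for jobs
        default: "./"
      cache-action:
        type: string
        description: The cache action can either be "save" or "restore".
        default: restore
    outputs:
      images:
        description: List of images built
        value: ${{ jobs.get-rocks.outputs.rocks }}
jobs:
  get-rocks:
    name: Get rocks
    runs-on: ubuntu-22.04
    # Discovery only needs to read the checkout.
    permissions:
      contents: read
    outputs:
      # Both outputs are JSON arrays (possibly empty) written to GITHUB_ENV below.
      rock-paths: "${{ env.ROCK_PATHS }}"
      rocks: "${{ env.ROCKS }}"
    steps:
      - name: Validate inputs
        # Inputs are passed through `env` rather than expanded into the script
        # so that their content is never interpreted by the shell.
        env:
          CACHE_ACTION: ${{ inputs.cache-action }}
        run: |
          if [ "$CACHE_ACTION" != "save" ] && [ "$CACHE_ACTION" != "restore" ]; then
            echo "Invalid value for cache-action. It must be 'save' or 'restore'"
            exit 1
          fi
      - uses: actions/checkout@v3
      - name: Get rock paths
        working-directory: ${{ inputs.working-directory }}
        run: |
          set -euo pipefail
          # Absolute directory of every rockcraft.yaml, and the `.name` of each.
          # On an empty match `find` prints nothing and the jq filter yields
          # `[]`, so no separate empty-case branch is needed; `xargs -r` keeps
          # realpath from running with no arguments in that case.
          rock_paths=$(find . -type f -name rockcraft.yaml -exec dirname {} \; \
            | xargs -r realpath | jq -Rsc '. / "\n" - [""]')
          rock_names=$(find . -type f -name rockcraft.yaml -exec yq '.name' {} \; \
            | jq -Rsc '. / "\n" - [""]')
          echo "ROCK_PATHS=$rock_paths" >> "$GITHUB_ENV"
          echo "ROCKS=$rock_names" >> "$GITHUB_ENV"
  build-rocks:
    name: Build rock
    runs-on: ${{ inputs.runs-on }}
    needs: [get-rocks]
    if: ${{ needs.get-rocks.outputs.rock-paths != '[]' }}
    # Least privilege for the workflow token: push to ghcr.io needs
    # `packages: write`; deleting a repository cache via the REST API needs
    # `actions: write`.
    permissions:
      contents: read
      packages: write
      actions: write
    strategy:
      matrix:
        path: ${{ fromJSON(needs.get-rocks.outputs.rock-paths) }}
    steps:
      - uses: actions/checkout@v3
      - name: Extract rock information
        # matrix.path comes from directory names in the repository; it is
        # handed to the shell via `env` so it is never spliced into the script.
        env:
          ROCK_PATH: ${{ matrix.path }}
          REGISTRY: ${{ inputs.registry }}
          OWNER: ${{ inputs.owner }}
        run: |
          set -euo pipefail
          rockcraft_file="$ROCK_PATH/rockcraft.yaml"
          IMAGE_NAME=$(yq '.name' "$rockcraft_file")
          IMAGE_BASE=$(yq '.base' "$rockcraft_file")
          # build-base falls back to base when not set in rockcraft.yaml.
          IMAGE_BUILD_BASE=$(yq '.["build-base"] // .base' "$rockcraft_file")
          # GITHUB_RUN_ID is the same value as ${{ github.run_id }}.
          IMAGE_REF="$REGISTRY/$OWNER/$IMAGE_NAME:$GITHUB_RUN_ID"
          # The project directory's inode is part of the container name;
          # presumably this mirrors how rockcraft names its LXD instance —
          # confirm before changing the naming scheme.
          INODE_NUM=$(stat -c '%i' "$ROCK_PATH")
          ROCKCRAFT_CONTAINER_NAME="rockcraft-$IMAGE_NAME-$INODE_NUM"
          {
            echo "IMAGE_NAME=$IMAGE_NAME"
            echo "IMAGE_BASE=$IMAGE_BASE"
            echo "IMAGE_BUILD_BASE=$IMAGE_BUILD_BASE"
            echo "IMAGE_REF=$IMAGE_REF"
            echo "ROCKCRAFT_CONTAINER_NAME=$ROCKCRAFT_CONTAINER_NAME"
          } >> "$GITHUB_ENV"
      - name: Generate rockcraft cache key
        # The key encodes name, base and build-base so a cached container is
        # only reused for an identical build environment. `base` now uses
        # IMAGE_BASE (it previously repeated IMAGE_BUILD_BASE, which made the
        # two fields redundant).
        run: |
          set -euo pipefail
          ROCKCRAFT_CACHE_KEY="rockcraft-cache?name=$IMAGE_NAME&base=$IMAGE_BASE&build-base=$IMAGE_BUILD_BASE"
          echo "ROCKCRAFT_CACHE_KEY=$ROCKCRAFT_CACHE_KEY" >> "$GITHUB_ENV"
      - name: Restore rockcraft container cache
        if: inputs.cache-action == 'restore'
        uses: actions/cache/restore@v3
        id: rockcraft-cache
        with:
          path: ~/.rockcraft-cache/
          key: ${{ env.ROCKCRAFT_CACHE_KEY }}
      - name: Setup lxd
        # TODO(review): a `uses` reference must carry a ref (owner/repo@ref);
        # pin this to a release tag or, better, a full commit SHA.
        uses: canonical/setup-lxd
      - name: Import rockcraft container cache
        if: steps.rockcraft-cache.outputs.cache-hit == 'true'
        run: |
          set -euo pipefail
          sudo lxc --project rockcraft import "$HOME/.rockcraft-cache/$IMAGE_NAME.tar" "$ROCKCRAFT_CONTAINER_NAME"
      - name: Build rock
        # NOTE(review): `@main` is a mutable branch; a build dependency that
        # runs with the workflow token should be pinned to a commit SHA.
        uses: canonical/craft-actions/rockcraft-pack@main
        with:
          path: ${{ matrix.path }}
      - name: Generate rockcraft container cache
        if: inputs.cache-action == 'save'
        run: |
          set -euo pipefail
          mkdir -p "$HOME/.rockcraft-cache"
          sudo lxc --project rockcraft export "$ROCKCRAFT_CONTAINER_NAME" --compression none "$HOME/.rockcraft-cache/$IMAGE_NAME.tar"
      - name: Delete rockcraft container cache
        # Only when saving: the existing entry under this key must go before
        # actions/cache/save can store the fresh export. Running this in
        # "restore" mode would delete the cache that was just restored.
        if: inputs.cache-action == 'save'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPOSITORY: ${{ github.repository }}
        run: |
          set -euo pipefail
          # The key contains `?`, `&` and `=`, so it must be percent-encoded
          # before being placed in the query string.
          encoded_key=$(jq -rn --arg key "$ROCKCRAFT_CACHE_KEY" '$key | @uri')
          gh api \
            --method DELETE \
            -H "Accept: application/vnd.github+json" \
            -H "X-GitHub-Api-Version: 2022-11-28" \
            "/repos/$REPOSITORY/actions/caches?key=$encoded_key"
      - name: Save rockcraft container cache
        if: inputs.cache-action == 'save'
        uses: actions/cache/save@v3
        with:
          path: ~/.rockcraft-cache/
          key: ${{ env.ROCKCRAFT_CACHE_KEY }}
      - name: Upload rock to ghcr.io
        # Credentials are passed through `env` so the token is never part of
        # the expanded script text.
        env:
          ROCK_PATH: ${{ matrix.path }}
          REGISTRY_USER: ${{ github.actor }}
          REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set -euo pipefail
          rock_files=("$ROCK_PATH"/*.rock)
          # Exactly one .rock is expected; fail loudly instead of feeding a
          # multi-file or unexpanded glob to skopeo.
          if [ "${#rock_files[@]}" -ne 1 ] || [ ! -f "${rock_files[0]}" ]; then
            echo "Expected exactly one .rock file in $ROCK_PATH, found: ${rock_files[*]}"
            exit 1
          fi
          # --insecure-policy skips the signature-policy check for this copy;
          # the source is the archive built in the previous step.
          skopeo --insecure-policy copy "oci-archive:${rock_files[0]}" "docker://$IMAGE_REF" --dest-creds "$REGISTRY_USER:$REGISTRY_PASSWORD"
      - name: Run Github Trivy Image Action
        # NOTE(review): the action ref below is unreadable in this listing;
        # pin it to a release tag or commit SHA.
        uses: aquasecurity/[email protected]
        with:
          image-ref: ${{ env.IMAGE_REF }}
          trivy-config: ${{ inputs.trivy-image-config }}
          # Fail the job on any CRITICAL or HIGH finding in the pushed image.
          exit-code: '1'
          severity: 'CRITICAL,HIGH'
        env:
          # Trivy pulls the just-pushed image from ghcr.io with the workflow token.
          TRIVY_USERNAME: ${{ github.actor }}
          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}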