Build Wolfi OS world from bootstrap #7
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build Wolfi OS world from bootstrap | |
| on: | |
| workflow_dispatch: | |
| # Only run one build at a time to prevent out of sync signatures | |
| concurrency: | |
| group: build-world-${{ github.ref }} | |
| jobs: | |
| build: | |
| name: Build packages | |
| if: github.repository == 'wolfi-dev/os' | |
| strategy: | |
| matrix: | |
| arch: [ "x86_64", "aarch64" ] | |
| fail-fast: false | |
| runs-on: wolfi-os-builder-${{ matrix.arch }} | |
| # Ensure this is deprivileged, isolated job | |
| # permissions: | |
| container: | |
| image: ghcr.io/wolfi-dev/sdk:latest@sha256:8a4c6c54d3cbdd3fd0207f629facc9df8b080605a6d30bd6474be5455633994e | |
| # TODO: Deprivilege | |
| options: | | |
| --cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/fuse --security-opt seccomp=unconfined --security-opt apparmor:unconfined | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: 'Trust the github workspace' | |
| run: | | |
| # This is to avoid fatal errors about "dubious ownership" because we are | |
| # running inside of a container action with the workspace mounted in. | |
| git config --global --add safe.directory "$(pwd)" | |
| # Build with a local key, we'll resign this with the real key later | |
| - name: 'Generate local signing key' | |
| run: | | |
| make local-melange.rsa | |
| - name: 'Build Wolfi World' | |
| run: | | |
| wolfictl build \ | |
| -k https://packages.wolfi.dev/bootstrap/stage3/wolfi-signing.rsa.pub \ | |
| -r https://packages.wolfi.dev/bootstrap/stage3 \ | |
| --arch=${{ matrix.arch }} \ | |
| -j10 | |
| postrun: | |
| runs-on: ubuntu-latest | |
| needs: [build] | |
| if: failure() | |
| steps: | |
| - uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 # v1.23.0 | |
| id: slack | |
| with: | |
| payload: '{"text": "[build-wolfi-world] failure: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"}' | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
| SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK |