Skip to content

fix and continuously validate SBOMs #1412

fix and continuously validate SBOMs

fix and continuously validate SBOMs #1412

Workflow file for this run

name: Build Images
on:
pull_request:
push:
workflow_dispatch:
jobs:
build-nginx-on-all-arches:
name: build-nginx-all-arches
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
arch: [x86_64, "386", armv7, aarch64, riscv64, s390x, ppc64le]
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v2.1.5
with:
go-version-file: 'go.mod'
- name: Setup QEMU
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
- name: build
run: |
make apko
./apko version
- name: build image
timeout-minutes: 15
run: |
./apko build ./examples/nginx.yaml nginx:build /tmp/nginx-${{ matrix.arch }}.tar --debug --arch ${{ matrix.arch }}
- name: Check SBOM Conformance
run: |
set -euxo pipefail
for f in *.spdx.json; do
echo ::group::sbom.json
cat $f
echo ::endgroup::
docker run --rm -v $(pwd)/$f:/sbom.json cgr.dev/chainguard/ntia-conformance-checker -v --file /sbom.json
done
build-all-examples-one-arch:
name: build-all-examples-amd64
strategy:
fail-fast: false
matrix:
platform: [ubuntu-latest, macos-latest]
runs-on: ${{ matrix.platform }}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v2.1.5
with:
go-version: "1.21"
check-latest: true
- name: build
run: |
make apko
./apko version
- name: build images
timeout-minutes: 15
run: |
for cfg in $(find ./examples/ -name '*.yaml'); do
name=$(basename ${cfg} .yaml)
./apko build ${cfg} ${name}:build /tmp/${name}.tar --debug --arch amd64
done
build-alpine-source-date-epoch:
name: source-date-epoch
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v2.1.5
with:
go-version: "1.21"
check-latest: true
- name: Setup QEMU
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
- name: build
run: |
make apko
./apko version
- uses: chainguard-dev/actions/setup-registry@main
with:
port: 5000
- name: build image (w/ source date epoch)
shell: bash
timeout-minutes: 15
env:
SOURCE_DATE_EPOCH: "0"
run: |
FIRST=$(./apko publish ./examples/alpine-base.yaml localhost:5000/alpine 2> /dev/null)
for idx in {2..10}
do
NEXT=$(./apko publish ./examples/alpine-base.yaml localhost:5000/alpine 2> /dev/null)
if [ "${FIRST}" = "${NEXT}" ]; then
echo "Build ${idx} matches."
else
echo "Build ${idx} differs: ${FIRST} and ${NEXT}"
exit 1
fi
done
build-alpine-build-date-epoch:
name: build-date-epoch
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v2.1.5
with:
go-version: "1.21"
check-latest: true
- name: Setup QEMU
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
- name: build
run: |
make apko
./apko version
- uses: chainguard-dev/actions/setup-registry@main
with:
port: 5000
- name: build image (w/ build date epoch)
shell: bash
timeout-minutes: 15
run: |
# Without SOURCE_DATE_EPOCH set, the timestamp of the image will be computed to be
# the maximum build date of the resolved APKs.
FIRST=$(./apko publish ./examples/alpine-base.yaml localhost:5000/alpine 2> /dev/null)
for idx in {2..10}
do
NEXT=$(./apko publish ./examples/alpine-base.yaml localhost:5000/alpine 2> /dev/null)
if [ "${FIRST}" = "${NEXT}" ]; then
echo "Build ${idx} matches."
else
echo "Build ${idx} differs: ${FIRST} and ${NEXT}"
exit 1
fi
done
annotations:
name: annotations
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v2.1.5
with:
go-version: "1.21"
check-latest: true
- uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3
- uses: chainguard-dev/actions/setup-registry@main
with:
port: 5000
- name: build
run: |
make apko
./apko version
# Build image with annotations.
ref=$(./apko publish ./examples/nginx.yaml localhost:5000/nginx)
# Check index annotations.
crane manifest $ref | jq -r '.annotations.foo' | grep bar
# Check per-image annotations.
crane manifest --platform=linux/arm64 $ref | jq -r '.annotations.foo' | grep bar