diff --git a/.github/workflows/distroless.yml b/.github/workflows/distroless.yml index 16973324ec3..2bc8a4efd2b 100644 --- a/.github/workflows/distroless.yml +++ b/.github/workflows/distroless.yml @@ -18,7 +18,7 @@ defaults: env: ARCH_TO_BUILD_IMAGES: amd64 - REPOSITORY: ${{ github.repository_owner }} + ORGANIZATION: ${{ github.repository_owner }} jobs: build_base_image: @@ -26,7 +26,7 @@ jobs: runs-on: ubuntu-20.04 permissions: packages: write - environment: release + # environment: release steps: - name: Checkout 
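Review bot: Commenting out `environment: release` drops the release environment's protection rules (required reviewers, deployment-branch limits) from a job that keeps `permissions: packages: write` and, later in this same file, signs the pushed images with `COSIGN_PRIVATE_KEY`; any run that reaches this job can now publish and sign `:latest` without that gate, and any secrets scoped to that environment would presumably stop resolving (confirm where the cosign secrets live). If the goal is to unblock `workflow_dispatch` testing, a separate non-publishing job, or gating only the push and sign steps, keeps the protection on the publishing path. A commented-out setting also reads as accidental; either delete the line or state the reason inline, e.g. `# environment: release  # disabled: <reason and ticket>`. The `build_base_image` job continues outside this hunk.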
@@ -34,36 +34,46 @@ jobs: with: ref: ${{ github.event.inputs.commit_sha }} + - name: Generate Signing Key + run: docker run --rm -v "${PWD}":/work cgr.dev/chainguard/melange keygen + - name: Build Erlang Image - run: docker run --rm --privileged -v "${PWD}":/work cgr.dev/chainguard/melange build tools/docker/wolfi/erlang_package.yaml --arch ${{ env.ARCH_TO_BUILD_IMAGES }} + run: docker run --rm --privileged -v "${PWD}":/work cgr.dev/chainguard/melange build tools/docker/wolfi/erlang_package.yaml -k melange.rsa.pub --signing-key melange.rsa --arch ${{ env.ARCH_TO_BUILD_IMAGES }} - name: Build Elixir Image - run: docker run --rm --privileged -v "${PWD}":/work cgr.dev/chainguard/melange build tools/docker/wolfi/elixir_package.yaml --arch ${{ env.ARCH_TO_BUILD_IMAGES }} + run: docker run --rm --privileged -v "${PWD}":/work cgr.dev/chainguard/melange build tools/docker/wolfi/elixir_package.yaml -k melange.rsa.pub --signing-key melange.rsa --arch ${{ env.ARCH_TO_BUILD_IMAGES }} - name: Build Builder Image - run: docker run --rm -v ${PWD}:/work -w /work cgr.dev/chainguard/apko build tools/docker/wolfi/builder_image.yaml ghcr.io/${REPOSITORY}/ockam-elixir-builder:latest builder_image.tar + run: docker run --rm -v ${PWD}:/work -w /work cgr.dev/chainguard/apko build tools/docker/wolfi/builder_image.yaml -k melange.rsa.pub ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-builder:latest builder_image.tar - name: Build Base Image - run: docker run --rm -v ${PWD}:/work -w /work cgr.dev/chainguard/apko build tools/docker/wolfi/base_image.yaml ghcr.io/${REPOSITORY}/ockam-elixir-base:latest base_image.tar + run: docker run --rm -v ${PWD}:/work -w /work cgr.dev/chainguard/apko build tools/docker/wolfi/base_image.yaml -k melange.rsa.pub ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-base:latest base_image.tar - name: Load Images run: | docker load < base_image.tar docker load < builder_image.tar + - uses: docker/login-action@bc135a1993a1d0db3e9debefa0cfcb70443cc94c # v2.1.0 + with: + 
registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Push Images run: | - docker tag ghcr.io/${REPOSITORY}/ockam-elixir-base:latest-${$ARCH_TO_BUILD_IMAGES} docker tag ghcr.io/${REPOSITORY}/ockam-elixir-base:latest - docker push ghcr.io/${REPOSITORY}/ockam-elixir-base:latest + docker tag ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-base:latest-${{ env.ARCH_TO_BUILD_IMAGES }} ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-base:latest + docker push ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-base:latest - docker tag ghcr.io/${REPOSITORY}/ockam-elixir-builder:latest-${$ARCH_TO_BUILD_IMAGES} docker tag ghcr.io/${REPOSITORY}/ockam-elixir-builder:latest - docker push ghcr.io/${REPOSITORY}/ockam-elixir-builder:latest + docker tag ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-builder:latest-${{ env.ARCH_TO_BUILD_IMAGES }} ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-builder:latest + docker push ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-builder:latest - name: Get Image ref id: image_ref run: | - base=$(docker image inspect ghcr.io/${REPOSITORY}/ockam-elixir-base:latest | jq -r .[0].Id) - builder=$(docker image inspect ghcr.io/${REPOSITORY}/ockam-elixir-builder:latest | jq -r .[0].Id) + base=$(docker image inspect ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-base:latest | jq -r .[0].Id) + builder=$(docker image inspect ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-builder:latest | jq -r .[0].Id) echo "BUILDER=$builder" >> $GITHUB_OUTPUT echo "BASE=$base" >> $GITHUB_OUTPUT 
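Review bot: The new `Generate Signing Key` step runs `melange keygen` on every run, so `melange.rsa.pub` is never published and the `-k melange.rsa.pub` checks in the apko steps only prove the packages came from this same job; nobody downstream can verify the package signatures, and the private `melange.rsa` stays in the checkout for the rest of the job alongside the image tarballs. If verifiable signatures are the intent, load a long-lived key from a secret and publish the public key with the images; if a per-run key is deliberate, say so on the step, e.g. `# Ephemeral key pair: exists only so apko can verify the packages built in this run`, and remove `melange.rsa` once the apko builds finish. Separately, the `docker/login-action` step is the only step in this hunk without a `name:`; `- name: Login to GHCR` keeps the job log consistent with the surrounding steps.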
@@ -77,12 +87,12 @@ jobs: with: cosign_private_key: '${{ secrets.COSIGN_PRIVATE_KEY }}' cosign_password: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}' - image: 'ghcr.io/${REPOSITORY}/ockam-elixir-base:latest' + image: 'ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-base:latest' ref: ${{ steps.image_ref.outputs.BASE }} - uses: build-trust/.github/actions/image_cosign@custom-actions with: cosign_private_key: '${{ secrets.COSIGN_PRIVATE_KEY }}' cosign_password: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}' - image: 'ghcr.io/${REPOSITORY}/ockam-elixir-builder:latest' + image: 'ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-builder:latest' ref: ${{ steps.image_ref.outputs.BUILDER }} diff --git a/tools/docker/healthcheck/Dockerfile b/tools/docker/healthcheck/Dockerfile index 42bc8b898a5..786cd9c7b78 100644 --- a/tools/docker/healthcheck/Dockerfile +++ b/tools/docker/healthcheck/Dockerfile @@ -1,14 +1,14 @@ # Stage 1 - Build elixir release of ockam_healthcheck elixir app -FROM cgr.dev/chainguard/wolfi-base AS elixir-app-release-build +FROM ghcr.io/build-trust/ockam-elixir-builder:latest AS elixir-app-release-build -RUN set -xe; \ - apk add curl xz bash elixir erlang-dev git openssl ca-certificates ncurses gcc gcc-12 glibc-dev libstdc++-12 glibc gcc llvm-libcxx-16 +COPY --from=cgr.dev/chainguard/wolfi-base /bin /bin +COPY --from=cgr.dev/chainguard/wolfi-base /usr/bin /usr/bin ENV PATH=/root/.cargo/bin:$PATH COPY . /work -RUN set -xe; \ +RUN set -ex; \ cd work; \ - curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- --default-toolchain none -y; \ + rustup-init --no-update-default-toolchain -y; \ rustup show; \ cargo --version; \ cd implementations/elixir/ockam/ockam_healthcheck; \ 
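Review bot: `FROM ghcr.io/build-trust/ockam-elixir-builder:latest` (and `ockam-elixir-base:latest` in the next hunk) builds on a mutable tag that the distroless workflow re-pushes on every run, so the healthcheck image is no longer reproducible and whatever was last pushed to that package is what gets built; Docker does not check the cosign signatures the workflow attaches. Pin by digest, `FROM ghcr.io/build-trust/ockam-elixir-builder:latest@sha256:<IMAGE_DIGEST> AS elixir-app-release-build`, and bump the digest deliberately, or verify the signature in CI before the build. The two `COPY --from=cgr.dev/chainguard/wolfi-base /bin /bin` and `/usr/bin /usr/bin` lines are likewise unpinned and overwrite the builder image's own directories wholesale; a comment naming which tools they exist to supply (presumably a shell and coreutils for the `RUN` lines — confirm) would make that dependency explicit. The `RUN set -ex` block continues outside this hunk.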
@@ -19,14 +19,15 @@ RUN set -xe; \ # Stage 2 - Create container and copy executables in above step -FROM cgr.dev/chainguard/wolfi-base AS app +FROM ghcr.io/build-trust/ockam-elixir-base:latest AS app + +COPY --from=cgr.dev/chainguard/wolfi-base /bin /bin +COPY --from=cgr.dev/chainguard/wolfi-base /usr/bin /usr/bin COPY --from=elixir-app-release-build /work/implementations/elixir/ockam/ockam_healthcheck/_build/prod/rel/ockam_healthcheck /opt/ockam_healthcheck ENV LANG=C.UTF-8 -RUN apk add ncurses gcc - EXPOSE 4000 ENTRYPOINT ["/opt/ockam_healthcheck/bin/ockam_healthcheck"] diff --git a/tools/docker/wolfi/builder_image.yaml b/tools/docker/wolfi/builder_image.yaml index 7fb427dca79..0c2193b681c 100644 --- a/tools/docker/wolfi/builder_image.yaml +++ b/tools/docker/wolfi/builder_image.yaml @@ -23,7 +23,7 @@ contents: - rustup - zlib - zlib-dev - - elixir-1_15 + - elixir-1_14 - erlang-24 - erlang-24-dev - openssl diff --git a/tools/docker/wolfi/elixir_package.yaml b/tools/docker/wolfi/elixir_package.yaml index 03ca7137aa5..d76fb1f5cb8 100644 --- a/tools/docker/wolfi/elixir_package.yaml +++ b/tools/docker/wolfi/elixir_package.yaml @@ -1,4 +1,3 @@ -# docker run --rm --privileged -v "${PWD}":/work cgr.dev/chainguard/melange build elixir_package.yaml --arch amd64 -k melange.rsa.pub --signing-key melange.rsa # Builds a pinned version of the elixir package package: name: elixir-1_14
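Review bot: Copying all of `/bin` and `/usr/bin` from `wolfi-base` into the runtime stage `app` pulls the entire base toolset into the final image, which undoes the distroless intent of building on `ockam-elixir-base` and widens the runtime attack surface. If the release launcher only needs a POSIX shell and a handful of utilities (typical for an Elixir release script, but confirm against `bin/ockam_healthcheck`), copy just those, e.g. `COPY --from=cgr.dev/chainguard/wolfi-base /bin/sh /bin/sh`, with a comment stating why each one is required. The `FROM ghcr.io/build-trust/ockam-elixir-base:latest` line has the same mutable-tag problem as the builder stage and should carry a `@sha256:<IMAGE_DIGEST>` pin as well.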