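---
# Reusable workflow, invoked from a caller workflow via `workflow_call`.
#   build:   builds the melange packages for one architecture per matrix leg
#            and uploads them as a short-lived artifact.
#   publish: downloads both architecture artifacts, re-signs and re-indexes
#            them with a key generated in the run, then builds and pushes the
#            image with terraform (terraform-provider-apko) to either the
#            registry given in `inputs.registry` or a local registry on
#            port 5000.
#
# NOTE(review): no `permissions:` block is declared, so both jobs run with
# whatever the calling workflow grants GITHUB_TOKEN. The publish job logs in
# to ghcr.io with github.token, so callers should grant only what is needed
# (e.g. `contents: read`, `packages: write`) -- confirm against the callers.
name: Reusable build workflow
on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      # Image name: selects `images/<image>` as the melange workdir, names the
      # per-arch artifacts and selects `module.<image>` for terraform apply.
      image:
        required: true
        type: string
      # Multi-config handed to melange-build. When empty the build job is
      # skipped and publish runs without downloading or indexing packages.
      melange-config:
        required: false
        type: string
        default: ''
      # Target repository for the pushed image. When empty a local registry is
      # started on port 5000 and used instead (see the publish job).
      registry:
        required: false
        type: string
        default: ''
jobs:
  build:
    runs-on: ${{ matrix.runner }}
    if: inputs.melange-config != ''
    strategy:
      fail-fast: false
      matrix:
        arch: ["x86_64", "aarch64"]
        include:
          - arch: "aarch64"
            runner: "ubuntu-latest-arm"
          - arch: "x86_64"
            runner: "ubuntu-latest"
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7  # v2.10.1
        with:
          egress-policy: audit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
      # TODO: Replace this with custom wolfi image
      - run: |
          sudo apt update -y && \
            sudo apt install unzip curl cmake pkg-config -y
      # NOTE(review): `@main` is a mutable ref; unlike the SHA-pinned steps
      # above, its contents can change underneath this workflow. Pin to a
      # commit once one is chosen (placeholder: `@<COMMIT_SHA>  # <version>`).
      - id: melange
        uses: chainguard-dev/actions/melange-build@main
        with:
          multi-config: ${{ inputs.melange-config }}
          empty-workspace: false
          workdir: images/${{ inputs.image }}
          sign-with-temporary-key: true
          archs: ${{ matrix.arch }}
      # NOTE(review): `@v4` is a floating tag; pin to a commit SHA for
      # consistency with the harden-runner and checkout steps.
      - name: 'Upload built packages archive to Github Artifacts'
        uses: actions/upload-artifact@v4
        with:
          name: ${{ inputs.image }}-${{ matrix.arch }}
          path: ./packages
          retention-days: 1  # Low ttl since this is just an intermediary used once
          if-no-files-found: error
  publish:
    runs-on: ubuntu-latest
    needs: build
    # Run when build succeeded, or was skipped because no melange-config was
    # given; any other build result (failure, cancelled) blocks publishing.
    if: always() && (needs.build.result == 'success' || needs.build.result == 'skipped')
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7  # v2.10.1
        with:
          egress-policy: audit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
      # TODO: Replace this with custom wolfi image
      - run: |
          sudo apt update -y && \
            sudo apt install unzip curl git -y
      # NOTE(review): `@v3` is a floating tag; pin to a commit SHA for
      # consistency with the harden-runner and checkout steps.
      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: '1.5.*'
          terraform_wrapper: false
      # Setup melange
      # NOTE(review): `@main` is a mutable ref, see the build job.
      - uses: chainguard-dev/actions/setup-melange@main
        if: inputs.melange-config != ''
      # Fetch the build stages back down. Both artifacts are extracted into
      # the same ./packages tree, one sub-directory per arch.
      # NOTE(review): `@v4` is a floating tag; pin to a commit SHA.
      - name: 'Download package archives (aarch64)'
        if: inputs.melange-config != ''
        uses: actions/download-artifact@v4
        with:
          name: ${{ inputs.image }}-aarch64
          path: ./packages
      - name: 'Download package archives (x86_64)'
        if: inputs.melange-config != ''
        uses: actions/download-artifact@v4
        with:
          name: ${{ inputs.image }}-x86_64
          path: ./packages
      # Prepare the index for terraform
      - if: inputs.melange-config != ''
        run: |
          # Generate a single key expected by the terraform build. It is
          # created fresh in this run and is not persisted by this workflow.
          melange keygen melange.rsa
          for arch in "x86_64" "aarch64"; do
            # Not strictly needed, but might as well while we're here
            melange sign -k melange.rsa packages/$arch/*.apk
            # Rebuild the index
            melange index -o packages/$arch/APKINDEX.tar.gz packages/$arch/*.apk
            melange sign-index --signing-key melange.rsa packages/$arch/APKINDEX.tar.gz
          done
      # Setup local registry
      # NOTE(review): `@main` is a mutable ref, see the build job.
      - uses: chainguard-dev/actions/setup-registry@main
        if: inputs.registry == ''
        with:
          port: 5000
      # Auth to GitHub Container Registry (ghcr.io)
      # The token and user are passed through the environment instead of being
      # interpolated into the script text, and this step deliberately does not
      # enable `set -x`, so the token is never part of a traced command line.
      # NOTE(review): the login is hard-coded to ghcr.io although
      # `inputs.registry` may name any registry -- confirm callers only pass
      # ghcr.io repositories.
      - name: Login to registry
        if: inputs.registry != ''
        env:
          REGISTRY_TOKEN: ${{ github.token }}
          REGISTRY_USER: ${{ github.repository_owner }}
        run: |
          echo "$REGISTRY_TOKEN" | docker login \
            -u "$REGISTRY_USER" \
            --password-stdin ghcr.io
      # Build and push image using terraform-provider-apko
      - name: Build image with apko/terraform
        env:
          # Registry from the caller, else the local registry started above.
          TF_VAR_target_repository: ${{ inputs.registry != '' && inputs.registry || format('localhost:5000/{0}', inputs.image) }}
          # Passed via env rather than interpolated into the script so the
          # input value is data to the shell, not part of the command text.
          IMAGE: ${{ inputs.image }}
        run: |
          set -x
          terraform init
          terraform apply -auto-approve -target="module.${IMAGE}"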