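---
# Composite action: builds the Linux devcontainer image for one architecture,
# then builds a second image on top of it that embeds an SBOM, optionally
# pushing that result by digest. The per-arch digest is the action's output.
name: build-image
description: Build Linux image
inputs:
  # NOTE(review): `type` is not part of the composite-action input schema
  # (only description/required/default/deprecationMessage are documented);
  # it is kept as written — confirm the runner tolerates it.
  tag:
    type: string
    required: true
    description: Image tag
  arch:
    type: string
    required: true
    description: Image arch
  repo:
    type: string
    required: true
    description: Image repo
  push:
    type: string
    required: true
    description: Whether to push the image
  retries:
    type: string
    default: '10'
    description: Number of times to retry the container build
outputs:
  # The digests are written by the `embed-sbom` step (`hash_<arch>=...`),
  # not by `build`, which only exposes `base_image`; pointing these at
  # `steps.build` left both outputs permanently empty.
  hash_amd64:
    value: "${{ steps.embed-sbom.outputs.hash_amd64 }}"
  hash_arm64:
    value: "${{ steps.embed-sbom.outputs.hash_arm64 }}"
runs:
  using: composite
  steps:
    - name: Copy common scripts into features
      uses: ./.github/actions/copy-common-scripts
    - name: Install devcontainers CLI
      uses: ./.github/actions/install-devcontainers-cli
    - id: build
      name: Build ${{ inputs.repo }}:${{ inputs.tag }}-${{ inputs.arch }}
      shell: bash
      # Inputs reach the script as env vars rather than via `${{ }}`
      # interpolation, so their values are never spliced into shell source.
      env:
        NODE_NO_WARNINGS: "1"
        arch: "${{ inputs.arch }}"
        push: "${{ inputs.push }}"
        repo: "${{ inputs.repo }}"
        retries: "${{ inputs.retries }}"
        tag: "${{ inputs.tag }}"
      run: |
        set -euo pipefail
        declare i=0
        declare -a outputs=()
        # `push` is a string input; only the literal "true" enables the image export.
        if test "${push}" = true; then
          outputs+=(--output "type=image,compression=zstd,force-compression=true,oci-mediatypes=true,load=true,name=${repo}")
          # HACK: remove the `-t` arg from the `docker buildx build` command generated by `devcontainer build`.
          # This rewrites the installed CLI bundle in place; the pattern is tied to that bundle's
          # minified source and silently becomes a no-op if the CLI's build output changes.
          sed -i 's/,t.map(v=>l.push("-t",v))//g' "$(npm list -g | head -n1)"/node_modules/@devcontainers/cli/dist/spec-node/devContainersSpecCLI.js
        fi
        # Retry with quadratic backoff (5, 20, 45, ... seconds) up to `retries` times.
        # `pipefail` makes the build's exit status, not tee's, drive the loop.
        # Expanding the possibly-empty `outputs` array under `set -u` needs bash >= 4.4.
        until devcontainer build \
          --platform "linux/${arch}" \
          --no-cache \
          --image-name "${repo,,}:${tag}" \
          --workspace-folder "$(realpath -m ./image)" \
          "${outputs[@]}" 2>&1 \
          | tee "${RUNNER_TEMP}/${arch}.log" 1>&2
        do
          if test "${i}" -lt "${retries}"; then
            j=$((i++))
            t=$((i * i * 5))
            echo "Attempt $j failed! Trying again in $t seconds..."
            sleep "$t"
          else
            echo "Failed to build ${repo,,}:${tag}"
            exit 1
          fi
        done
        # Consumed by the embed-sbom step below; not an action-level output.
        echo "base_image=${repo,,}:${tag}" >> "$GITHUB_OUTPUT"
    - id: embed-sbom
      name: Embed SBOM into ${{ inputs.repo }}:${{ inputs.tag }}-${{ inputs.arch }}
      shell: bash
      env:
        arch: "${{ inputs.arch }}"
        base_image: "${{ steps.build.outputs.base_image }}"
        push: "${{ inputs.push }}"
        repo: "${{ inputs.repo }}"
        tag: "${{ inputs.tag }}"
      run: |
        set -euo pipefail
        if test -z "${base_image}"; then
          echo "Base image tag missing"
          exit 1
        fi
        # sbom.Dockerfile lives next to this action; GITHUB_ACTION_PATH is set for composite
        # actions, the fallback only matters when the script is run outside a runner.
        action_dir="${GITHUB_ACTION_PATH:-$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)}"
        sbom_dockerfile="${action_dir}/sbom.Dockerfile"
        sbom_log="${RUNNER_TEMP}/sbom-${arch}.log"
        output="type=image,compression=zstd,force-compression=true,oci-mediatypes=true,name=${repo,,}"
        # NOTE(review): `\,` inside double quotes keeps a literal backslash in the --output
        # value — confirm that is what buildx's CSV parsing expects rather than a plain `,`.
        if test "${push}" = true; then
          output+="\,push=true,push-by-digest=true"
        else
          output+="\,load=true"
        fi
        # Syft is pinned to an exact version so SBOM generation is reproducible.
        docker buildx build \
          --platform "linux/${arch}" \
          --tag "${repo,,}:${tag}" \
          --build-context base="docker-image://${base_image}" \
          --build-arg SYFT_VERSION="1.32.0" \
          --build-arg SOURCE_IMAGE_NAME="${base_image}" \
          --output "${output}" \
          --file "${sbom_dockerfile}" \
          "${action_dir}" 2>&1 | tee "${sbom_log}"
        digest=""
        if test "${push}" = true; then
          # `|| true`: under `set -e` a failing pipeline inside the assignment would abort the
          # script before the diagnostic below could run. A digest is exactly 64 lowercase hex
          # chars, so match that form (ERE; no dependency on PCRE `-P`).
          digest="$(grep 'exporting manifest sha256:' "${sbom_log}" | tail -n1 | grep -oE 'sha256:[0-9a-f]{64}' || true)"
          if test -z "${digest}"; then
            echo "Failed to determine pushed digest"
            exit 1
          fi
        fi
        # Empty when not pushing; the action's hash_<arch> outputs read this value.
        echo "hash_${arch}=${digest}" >> "$GITHUB_OUTPUT"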