Update images digests #1099
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Test Chainguard Images | |
on: | |
pull_request: | |
branches: ['main'] | |
push: | |
branches: ['main'] | |
concurrency: | |
group: presubmit-build-${{ github.head_ref }} | |
cancel-in-progress: true | |
permissions: | |
# WARNING: This is mattmoor being a bit *too* clever. | |
# We want to be able to test the reproducibility of things via the upstream | |
# check-reproducibility test, which requires ambient credentials, but those | |
# are only available to pull requests under two circumstances: | |
# 1. The trigger is `pull_request_target`, and | |
# 2. The pull request is from a branch on the main repo. | |
# However, this doesn't cause things to fail when the pull request is from a | |
# fork, it will just make the tf-cosign rules NOPs and the | |
# check-repoducibility skip. | |
# | |
# But why not just use pull_request_target? | |
# This is because to pull in breaking changes to apko, we will need to update | |
# our apko Go dependency and the APKO_IMAGE (below) in the same PR, and the | |
# latter cannot be checked with the former if the workflow is | |
# pull_request_target. | |
# | |
# All of that said, dependabot and digestabot PRs come from branches on the | |
# main repo, so the net effect of this SHOULD be that we get an error | |
# presubmit when digestabot wants to pull in an update that is not | |
# reproducible with the version of the apko Go library we depend on. | |
id-token: write | |
jobs: | |
build-the-world: | |
runs-on: ubuntu-latest | |
steps: | |
# In some cases, we runs out of disk space during tests, so this hack frees up approx 10G. | |
# See the following issue for more info: https://github.com/actions/runner-images/issues/2840#issuecomment-1284059930 | |
- name: Free up runner disk space | |
shell: bash | |
run: | | |
set -x | |
sudo rm -rf /usr/share/dotnet | |
sudo rm -rf "$AGENT_TOOLSDIRECTORY" | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
path: tf-apko | |
- uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 | |
with: | |
go-version-file: 'tf-apko/go.mod' | |
- working-directory: tf-apko | |
run: go build . | |
# Make cosign/crane CLI available to the tests | |
- uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 | |
- uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4 | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
repository: chainguard-images/images | |
path: images | |
- uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 | |
with: | |
terraform_version: '1.10.*' | |
terraform_wrapper: false | |
- uses: chainguard-dev/actions/setup-registry@main | |
with: | |
port: 5000 | |
- working-directory: images | |
env: | |
TF_VAR_target_repository: localhost:5000/tf-apko | |
APKO_IMAGE: ghcr.io/wolfi-dev/sdk:latest@sha256:16e9a8071daca8c3b60ebac49acabe6a97b07fe7238ac29768dafb149eb9a710 | |
run: | | |
terraform init | |
cat > ~/.terraformrc <<EOF | |
provider_installation { | |
dev_overrides { | |
"chainguard-dev/apko" = "${{ github.workspace }}/tf-apko" | |
} | |
} | |
EOF | |
terraform apply -auto-approve \ | |
-target=module.go \ | |
-target=module.jdk \ | |
-target=module.python \ | |
-target=module.scanner-test | |
- name: Upload imagetest logs | |
if: always() | |
uses: actions/upload-artifact@v4 | |
with: | |
name: "mega-module-imagetest-logs" | |
path: imagetest-logs |