Build rsd via Melange/Apko

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
egibs · Jun 19, 2024 · b3f9388 · b3f9388
1 parent 9054b03
commit b3f9388
Show file tree

Hide file tree

Showing 6 changed files with 124 additions and 2 deletions.
diff --git a/.github/workflows/image.yml b/.github/workflows/image.yml
@@ -0,0 +1,34 @@
+name: Build rsd via apko
+
+on:
+  pull_request:
+  push:
+    branches: [ main ]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
+        with:
+          egress-policy: audit
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7
+        with:
+          go-version: 1.22
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb
+      - run: |
+          go install chainguard.dev/apko@latest
+          go install chainguard.dev/melange@latest
+      - run: |
+          sudo apt -y update
+          sudo apt -y install bubblewrap
+      - run: |
+          make rsd-apko
+          make rsd-docker
+      - run: |
+          docker run --rm rsd:latest-amd64
+          docker run --rm rsd:latest-arm64
diff --git a/.gitignore b/.gitignore
@@ -17,4 +17,13 @@ Cargo.lock
 rsd
 
 # in-repo SBOMs
-sbom.json
+sbom*.json
+
+# Melange
+packages/
+melange.rsa
+melange.rsa.pub
+
+# Apko
+
+rsd.tar
diff --git a/Makefile b/Makefile
@@ -1,5 +1,17 @@
 .PHONY: build docker fmt fmt-check test release sbom
 
+keygen:
+	melange keygen
+
+rsd-melange: keygen
+	melange build --arch arm64,x86_64 rsd.yaml --signing-key melange.rsa
+
+rsd-apko: rsd-melange
+	apko build rsd.apko.yaml rsd:latest rsd.tar
+
+rsd-docker:
+	docker load < rsd.tar
+
 build:
 	rustc -C target-feature=+crt-static src/main.rs -o rsd
 

diff --git a/README.md b/README.md
@@ -25,7 +25,7 @@ I've been writing YARA rules recently and knowing how to locate information like
 
 ## What works for now?
 
-- Building locally via `rustc` or via Dockerfile
+- Building locally via `rustc`, Docker, or Apko (via Melange)
 - ELF binaries
 
 ## Usage

diff --git a/rsd.apko.yaml b/rsd.apko.yaml
@@ -0,0 +1,20 @@
+contents:
+  repositories:
+    - '@local packages'
+  keyring:
+    - melange.rsa.pub
+  packages:
+    - rsd@local
+
+entrypoint:
+  command: /usr/bin/rsd
+
+accounts:
+  groups:
+    - groupname: rsd
+      gid: 61924
+  users:
+    - username: rsd
+      uid: 61924
+
+archs: [aarch64, x86_64]
diff --git a/rsd.yaml b/rsd.yaml
@@ -0,0 +1,47 @@
+package:
+  name: rsd
+  version: 0.2.0
+  epoch: 0
+  description: "Rust implemention of xxd -e -l 64"
+  copyright:
+    - license: Apache-2.0
+
+environment:
+  contents:
+    keyring:
+      - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
+    repositories:
+      - https://packages.wolfi.dev/os
+    packages:
+      - build-base
+      - busybox
+      - ca-certificates-bundle
+      - libgit2-dev
+      - rust~1.79
+      - zlib-dev
+
+pipeline:
+  - uses: git-checkout
+    with:
+      repository: https://github.com/egibs/rsd
+      expected-commit: 9054b032b03a7680a697a0b199b97614010be7f0
+
+  - runs: make build
+
+  - runs: |
+      mkdir -p ${{targets.destdir}}/usr/bin
+      cp rsd ${{targets.destdir}}/usr/bin/rsd
+
+  - uses: strip
+
+update:
+  enabled: true
+  github:
+    identifier: egibs/rsd
+    strip-prefix: v
+    tag-filter-prefix: v
+
+test:
+  pipeline:
+    - runs: |
+        /usr/bin/rsd