Skip to content
Test Chainguard Images

Update images digests (#555) #1468

Sign in to view logs

Update images digests (#555)

Update images digests (#555) #1468

Workflow file for this run

.github/workflows/mega-module.yaml at 76cf5bb
name: Test Chainguard Images
on:
pull_request:
branches: ['main']
push:
branches: ['main']
concurrency:
group: presubmit-build-${{ github.head_ref }}
cancel-in-progress: true
permissions: {}
jobs:
build-the-world:
runs-on: ubuntu-latest
permissions:
# WARNING: This is mattmoor being a bit *too* clever.
# We want to be able to test the reproducibility of things via the upstream
# check-reproducibility test, which requires ambient credentials, but those
# are only available to pull requests under two circumstances:
# 1. The trigger is `pull_request_target`, and
# 2. The pull request is from a branch on the main repo.
# However, this doesn't cause things to fail when the pull request is from a
# fork, it will just make the tf-cosign rules NOPs and the
# check-repoducibility skip.
#
# But why not just use pull_request_target?
# This is because to pull in breaking changes to apko, we will need to update
# our apko Go dependency and the APKO_IMAGE (below) in the same PR, and the
# latter cannot be checked with the former if the workflow is
# pull_request_target.
#
# All of that said, dependabot and digestabot PRs come from branches on the
# main repo, so the net effect of this SHOULD be that we get an error
# presubmit when digestabot wants to pull in an update that is not
# reproducible with the version of the apko Go library we depend on.
id-token: write
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
with:
egress-policy: audit
# In some cases, we runs out of disk space during tests, so this hack frees up approx 10G.
# See the following issue for more info: https://github.com/actions/runner-images/issues/2840#issuecomment-1284059930
- name: Free up runner disk space
shell: bash
run: |
set -x
sudo rm -rf /usr/share/dotnet
sudo rm -rf "$AGENT_TOOLSDIRECTORY"
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
path: tf-apko
- uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with:
go-version-file: 'tf-apko/go.mod'
- working-directory: tf-apko
run: go build .
# Make cosign/crane CLI available to the tests
- uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
- uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
repository: chainguard-images/images
path: images
- uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
with:
terraform_version: '1.10.*'
terraform_wrapper: false
- uses: chainguard-dev/actions/setup-registry@939ece6bc39459fd24dde56e63ca93adf840031e # v1.2.1
with:
port: 5000
- working-directory: images
env:
TF_VAR_target_repository: ttl.sh/tf-apko
APKO_IMAGE: ghcr.io/wolfi-dev/apko:latest@sha256:c2178a02460296cc6283b6e2cb461782d9d48f933cc4f07722226c8e230ffa4e
run: |
terraform init
cat > ~/.terraformrc <<EOF
provider_installation {
dev_overrides {
"chainguard-dev/apko" = "${{ github.workspace }}/tf-apko"
}
}
EOF
terraform apply -auto-approve \
-target=module.go \
-target=module.jdk \
-target=module.python \
-target=module.scanner-test
- name: Upload imagetest logs
if: always()
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: "mega-module-imagetest-logs"
path: imagetest-logs