
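# Build workflow: derive a build matrix from builds.yml, then build, generate
# an SBOM for, push and garbage-collect every matrix entry on the self-hosted
# "lab" runners.
#
# NOTE(review): there is no top-level `permissions:` block, so GITHUB_TOKEN
# carries the repository's default grants. The "login to ghcr.io" / "push"
# steps need `packages: write` and checkout needs `contents: read`; scoping the
# token to those is the least-privilege form once the needs of
# ./scripts/sbom.sh (not visible here) are confirmed.
# NOTE(review): third-party actions are referenced by mutable refs (`@stable`,
# `@main`, `@vN`) and `cargo binstall` fetches `whyq`, `just` and `csview` at
# whatever version is current. Pinning actions to commit SHAs and tools to
# explicit versions is the usual supply-chain hardening for a workflow that
# holds registry push rights.
name: Build
on:
  workflow_dispatch:
  pull_request:
    branches: "*"
  push:
    branches:
      - "main"
jobs:
  build-matrix:
    name: generate build matrix
    runs-on:
      - lab
    outputs:
      matrix: ${{ steps.matrix.outputs.matrix }}
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - uses: cargo-bins/cargo-binstall@main
      - name: install whyq
        # whyq provides the `yq` binary used by the two steps below.
        run: |
          set -euxo pipefail
          sudo apt-get update
          sudo apt-get install --yes --no-install-recommends jq
          cargo binstall --no-confirm whyq
      - name: generate test matrix
        id: matrix
        # Writes `matrix=<json>` to GITHUB_OUTPUT; build-and-push reads it back
        # through fromJSON().
        run: |
          set -euxo pipefail
          yq \
            --compact-output \
            --raw-output \
            '"matrix=" + (.matrix | tostring)' builds.yml \
            | tee -a "${GITHUB_OUTPUT}"
      - name: report build plan
        # Unquoted heredoc: the $(...) substitutions expand on the runner and
        # the escaped backticks become literal markdown fences.
        run: |
          cat >> "${GITHUB_STEP_SUMMARY}" <<EOF
          # Action plan
          ## Build matrix
          \`\`\`yml
          $(yq --yaml-output '.matrix' builds.yml)
          \`\`\`
          ## Raw build flags file
          \`\`\`yml
          $(< ./nix/flags.nix)
          \`\`\`
          ## Build versions
          ### env
          \`\`\`yml
          $(yq --yaml-output '.env' builds.yml)
          \`\`\`
          <details>
          <summary>
          ## Raw \`builds.yml\` file
          </summary>
          \`\`\`yml
          $(< builds.yml)
          \`\`\`
          </details>
          <details>
          <summary>
          ## Raw \`versions.nix\` file
          </summary>
          \`\`\`nix
          $(< nix/versions.nix)
          \`\`\`
          </details>
          EOF
  build-and-push:
    name: build
    needs: build-matrix
    runs-on:
      - lab
    timeout-minutes: 300
    strategy:
      matrix: ${{ fromJSON(needs.build-matrix.outputs.matrix) }}
    steps:
      - uses: actions/checkout@v4
      - name: install nix
        uses: cachix/install-nix-action@v30
      - name: confirm sources
        run: ./scripts/confirm-sources.sh
      - name: login to ghcr.io
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: dtolnay/rust-toolchain@stable
      - uses: cargo-bins/cargo-binstall@main
      - run: cargo binstall --no-confirm just
      - run: cargo binstall --no-confirm csview
      - run: |
          sudo apt-get update
          sudo apt-get install --yes --no-install-recommends graphviz
      - name: setup nix cache
        id: nix-package-cache
        uses: actions/cache@v4
        with:
          path: /nix
          key: /nixpkgs/${{ matrix.nixpkgs }}
      - name: build
        run: just --yes debug=true max_nix_builds=1 rust=${{matrix.toolchain.key}} build
      - name: Generate SBOM
        run: ./scripts/sbom.sh
      - name: push
        run: just --yes debug=true max_nix_builds=1 rust=${{matrix.toolchain.key}} push
      - name: garbage collect
        run: just --yes debug=true max_nix_builds=1 rust=${{matrix.toolchain.key}} nix-garbage-collector
      - name: clean up symlinks in /tmp/dpdk-sys/builds
        # Only symlinks are removed; regular files stay for the artifact upload
        # below. `nullglob` keeps an empty directory from yielding the literal
        # pattern, and the if/fi form keeps a non-symlink last entry from
        # leaving the step with a non-zero exit status under bash -e.
        run: |
          shopt -s nullglob
          for f in /tmp/dpdk-sys/builds/*; do
            if [ -h "$f" ]; then
              rm "$f"
            fi
          done
      - name: step summary
        # Appends the outdated-package report, runtime SBOM and vulnerability
        # triage for the gnu64 release sysroot to the job summary.
        run: |
          echo "# Outdated packages:" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          cat /tmp/dpdk-sys/builds/env.sysroot.gnu64.release.outdated.md >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "# Runtime SBOM (gnu64):" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          cat /tmp/dpdk-sys/builds/env.sysroot.gnu64.release.runtime.sbom.md >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "# Vuln scan (gnu64):" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          cat /tmp/dpdk-sys/builds/env.sysroot.gnu64.release.vulns.triage.md >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
      - uses: actions/upload-artifact@v4
        with:
          name: builds-${{ matrix.toolchain.key }}
          path: /tmp/dpdk-sys/builds
      # - name: Setup tmate session for debug
      #   if: ${{ failure() }}
      #   uses: mxschmitt/action-tmate@v3
      #   timeout-minutes: 30
      #   with:
      #     limit-access-to-actor: true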