
clean up sbom

clean up sbom #261

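---
# Build pipeline.
#   matrix  – derives the build matrix from builds.yml and posts a build plan
#   run     – builds + pushes each matrix entry, then generates the SBOM
#   summary – a single job that fails when any matrix entry did not succeed
name: build

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
    inputs:
      debug_enabled:
        type: boolean
        description: "Run the build with tmate debugging enabled"
  merge_group:
  pull_request:
  push:
    branches:
      - "main"

# Least privilege for GITHUB_TOKEN: read-only by default; the `run` job
# widens this to `packages: write` for the ghcr.io push it performs.
permissions:
  contents: read

# One run of this workflow at a time across all branches and PRs. There is
# no cancel-in-progress, so later runs queue rather than cancel earlier ones.
concurrency:
  group: ${{ github.workflow }}

jobs:
  matrix:
    name: "matrix"
    runs-on:
      - lab
    outputs:
      matrix: ${{ steps.matrix.outputs.matrix }}
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      # NOTE(review): `@main` is a floating branch ref (same for the
      # magic-nix-cache-action below). Pin to a commit SHA
      # (`@<commit-sha>  # vX.Y.Z`) so an upstream force-push or compromise
      # cannot change what executes with this job's token.
      - uses: cargo-bins/cargo-binstall@main
      - name: install whyq
        # `yq` in the next step is whyq's jq-style binary, not kislyuk/mikefarah yq.
        # NOTE(review): no version pin on the binstalled crate (`whyq@<version>`);
        # each run fetches whatever prebuilt release is current.
        run: |
          set -euxo pipefail
          sudo apt-get update
          sudo apt-get install --yes --no-install-recommends jq
          cargo binstall --no-confirm whyq
      - name: generate test matrix
        id: matrix
        # Emits a single `matrix=<json>` line into GITHUB_OUTPUT (compact +
        # raw output keep it on one line, as required for step outputs).
        run: |
          set -euxo pipefail
          yq \
            --compact-output \
            --raw-output \
            '"matrix=" + (.matrix | tostring)' builds.yml \
            | tee -a "${GITHUB_OUTPUT}"
      - name: report build plan
        # Markdown build plan for the job summary. The heredoc is unquoted so
        # the $(...) substitutions expand; backticks are escaped so they reach
        # the summary as literal code fences.
        run: |
          cat >> "${GITHUB_STEP_SUMMARY}" <<EOF
          # Action plan
          ## Build matrix
          \`\`\`yml
          $(yq --yaml-output '.matrix' builds.yml)
          \`\`\`
          ## Raw build flags file
          \`\`\`yml
          $(< ./nix/flags.nix)
          \`\`\`
          ## Build versions
          ### env
          \`\`\`yml
          $(yq --yaml-output '.env' builds.yml)
          \`\`\`
          <details>
          <summary>
          ## Raw \`builds.yml\` file
          </summary>
          \`\`\`yml
          $(< builds.yml)
          \`\`\`
          </details>
          <details>
          <summary>
          ## Raw \`versions.nix\` file
          </summary>
          \`\`\`nix
          $(< nix/versions.nix)
          \`\`\`
          </details>
          EOF

  run:
    name: run
    needs: matrix
    # `lab` is presumably a self-hosted runner; note that the pull_request
    # trigger above runs the PR's own checked-out scripts on it.
    runs-on:
      - lab
    timeout-minutes: 300
    permissions:
      contents: read
      packages: write  # docker/login-action + `just push` to ghcr.io
    strategy:
      max-parallel: 3
      matrix: ${{ fromJSON(needs.matrix.outputs.matrix) }}
    steps:
      # NOTE(review): nothing below pushes to git, so `persist-credentials: false`
      # would keep the token out of .git/config for the third-party actions and
      # binstalled tools that follow — confirm scripts/confirm-sources.sh and
      # scripts/sbom.sh do not need authenticated git first.
      - uses: actions/checkout@v4
      - name: install nix
        uses: cachix/install-nix-action@v30
      - name: login to ghcr.io
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: dtolnay/rust-toolchain@stable
      - uses: cargo-bins/cargo-binstall@main
      - run: |
          cargo binstall --no-confirm just
      - name: nix cache
        uses: DeterminateSystems/magic-nix-cache-action@main
        with:
          diff-store: true
      - name: confirm sources
        run: ./scripts/confirm-sources.sh
      - name: build + push
        # The matrix value is passed through an env var rather than expanded
        # into the shell line, so it is never parsed as shell syntax.
        env:
          RUST_TOOLCHAIN: ${{ matrix.toolchain.key }}
        run: just --yes debug=true max_nix_builds=1 rust="${RUST_TOOLCHAIN}" push
      - name: Install SBOM generator dependencies
        # The symlink sweep uses `if` rather than `[ ] && rm`: with the
        # default `bash -e`, an `&&` list whose test fails leaves the loop —
        # and the step — with a non-zero status when it is the last command.
        # Why the links are removed is not stated here; presumably so the
        # artifact upload below does not carry them — confirm.
        run: |
          for f in /tmp/dpdk-sys/builds/*; do
            if [ -h "$f" ]; then
              rm "$f"
            fi
          done
          cargo binstall --no-confirm csview
          sudo apt-get update
          sudo apt-get install --yes --no-install-recommends graphviz
      - name: Generate SBOM
        run: ./scripts/sbom.sh
      - name: step summary
        # Appended as one redirect. It can still exceed the 1 MB
        # GITHUB_STEP_SUMMARY limit, which must not fail the build.
        continue-on-error: true
        run: |
          {
            echo "# Outdated packages:"
            echo ""
            cat /tmp/dpdk-sys/builds/env.sysroot.gnu64.outdated.md
            echo ""
            echo "# Vuln scan (gnu64):"
            echo ""
            cat /tmp/dpdk-sys/builds/env.sysroot.gnu64.vulns.triage.md
            echo ""
            echo "# Runtime SBOM (gnu64):"
            echo ""
            cat /tmp/dpdk-sys/builds/env.sysroot.gnu64.sbom.md
            echo ""
          } >> "${GITHUB_STEP_SUMMARY}"
      - name: remove links from /tmp/dpdk-sys/builds
        # Same `if` form as above: the loop is the step's last command, so a
        # trailing failed `[ -h ]` test would otherwise fail the step.
        run: |
          for f in /tmp/dpdk-sys/builds/*; do
            if [ -h "$f" ]; then
              rm "$f"
            fi
          done
      - uses: actions/upload-artifact@v4
        with:
          name: builds-${{ matrix.toolchain.key }}
          path: /tmp/dpdk-sys/builds
      - name: Setup tmate session for debug
        # Only on failure of a manually dispatched run that asked for it;
        # limit-access-to-actor restricts the SSH session to that actor.
        if: ${{ failure() && github.event_name == 'workflow_dispatch' && inputs.debug_enabled }}
        uses: mxschmitt/action-tmate@v3
        timeout-minutes: 60
        with:
          limit-access-to-actor: true

  summary:
    name: summary
    # always(): this job must exist even when the matrix fails or is
    # cancelled, so it can serve as the single status check to require.
    if: ${{ always() }}
    runs-on:
      - lab
    needs:
      - run
    steps:
      - name: Flag any build matrix failures
        if: ${{ needs.run.result != 'success' }}
        run: exit 1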