From 33098b3d51ecee77ca7630e3b800d71dc6657a45 Mon Sep 17 00:00:00 2001 From: Josh Dolitsky Date: Wed, 7 Jun 2023 16:56:59 -0500 Subject: [PATCH 1/4] Drop dependency on monopod, convert all images to terraform 
Signed-off-by: Josh Dolitsky --- .github/workflows/digestabot.yaml | 22 -- .github/workflows/presubmit-build.yaml | 87 ++++---- .github/workflows/release.yaml | 103 ++++----- .gitignore | 7 + hack/matrix.sh | 17 ++ hack/melange-build.sh | 26 +++ images/alpine-base/configs/latest.apko.yaml | 4 +- images/alpine-base/image.yaml | 4 - images/alpine-base/main.tf | 35 +++ .../alpine-base/{test.sh => tests/01-echo.sh} | 0 images/alpine-base/tests/main.tf | 14 ++ images/apko/configs/latest.apko.yaml | 8 - images/apko/image.yaml | 7 - images/apko/main.tf | 35 +++ images/apko/{test.sh => tests/01-version.sh} | 0 images/apko/tests/main.tf | 14 ++ images/gcc-musl/LICENSE | 201 ------------------ images/gcc-musl/configs/latest.apko.yaml | 6 +- images/gcc-musl/image.yaml | 6 - images/gcc-musl/main.tf | 41 ++++ images/gcc-musl/tests/main.tf | 14 ++ images/melange/configs/latest.apko.yaml | 8 - images/melange/image.yaml | 7 - images/melange/main.tf | 35 +++ .../melange/{test.sh => tests/01-version.sh} | 0 images/melange/tests/main.tf | 14 ++ images/musl-dynamic/configs/latest.apko.yaml | 6 +- images/musl-dynamic/image.yaml | 6 - images/musl-dynamic/main.tf | 41 ++++ images/musl-dynamic/tests/main.tf | 14 ++ images/sdk/configs/latest.apko.yaml | 9 +- images/sdk/configs/latest.melange.yaml | 1 + images/sdk/image.yaml | 8 - images/sdk/main.tf | 35 +++ .../{test.sh => tests/01-has-all-tools.sh} | 0 images/sdk/tests/main.tf | 14 ++ images/wolfictl/configs/latest.apko.yaml | 8 - images/wolfictl/image.yaml | 7 - images/wolfictl/main.tf | 35 +++ images/wolfictl/{test.sh => tests/01-runs.sh} | 0 images/wolfictl/tests/main.tf | 14 ++ tflib/publisher/main.tf | 25 +++ tflib/version-tags/main.tf | 14 ++ 43 files changed, 538 insertions(+), 414 deletions(-) delete mode 100644 .github/workflows/digestabot.yaml create mode 100644 .gitignore create mode 100755 hack/matrix.sh create mode 100755 hack/melange-build.sh delete mode 100644 images/alpine-base/image.yaml create mode 100644 
images/alpine-base/main.tf rename images/alpine-base/{test.sh => tests/01-echo.sh} (100%) create mode 100644 images/alpine-base/tests/main.tf delete mode 100644 images/apko/image.yaml create mode 100644 images/apko/main.tf rename images/apko/{test.sh => tests/01-version.sh} (100%) create mode 100644 images/apko/tests/main.tf delete mode 100644 images/gcc-musl/LICENSE delete mode 100644 images/gcc-musl/image.yaml create mode 100644 images/gcc-musl/main.tf create mode 100644 images/gcc-musl/tests/main.tf delete mode 100644 images/melange/image.yaml create mode 100644 images/melange/main.tf rename images/melange/{test.sh => tests/01-version.sh} (100%) create mode 100644 images/melange/tests/main.tf delete mode 100644 images/musl-dynamic/image.yaml create mode 100644 images/musl-dynamic/main.tf create mode 100644 images/musl-dynamic/tests/main.tf delete mode 100644 images/sdk/image.yaml create mode 100644 images/sdk/main.tf rename images/sdk/{test.sh => tests/01-has-all-tools.sh} (100%) create mode 100644 images/sdk/tests/main.tf delete mode 100644 images/wolfictl/image.yaml create mode 100644 images/wolfictl/main.tf rename images/wolfictl/{test.sh => tests/01-runs.sh} (100%) create mode 100644 images/wolfictl/tests/main.tf create mode 100644 tflib/publisher/main.tf create mode 100644 tflib/version-tags/main.tf diff --git a/.github/workflows/digestabot.yaml b/.github/workflows/digestabot.yaml deleted file mode 100644 index b8ffca31..00000000 --- a/.github/workflows/digestabot.yaml +++ /dev/null @@ -1,22 +0,0 @@ -name: Image digest update - -on: - workflow_dispatch: - schedule: - - cron: "0 1 * * *" - -jobs: - image-update: - name: Image digest update - runs-on: ubuntu-latest - - permissions: - contents: write - pull-requests: write - id-token: write - - steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - - uses: chainguard-dev/actions/digesta-bot@main - with: - token: ${{ secrets.DIGEST_BOT_WOLFI_PAT }} 
diff --git a/.github/workflows/presubmit-build.yaml b/.github/workflows/presubmit-build.yaml
index 1d9e9ac1..35321b48 100644
--- a/.github/workflows/presubmit-build.yaml
+++ b/.github/workflows/presubmit-build.yaml
@@ -1,55 +1,64 @@ on: pull_request: jobs: - presubmit-matrix: + generate-matrix: runs-on: ubuntu-latest outputs: matrix: ${{ steps.generate-matrix.outputs.matrix }} steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - - id: files - uses: jitterbit/get-changed-files@b17fbb00bdc0c0f63fcf166580804b4d2cdc2a42 # v1 - with: - format: csv - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - with: - repository: chainguard-images/images - - id: generate-matrix - uses: ./.github/actions/generate-matrix - with: - modified-files: ${{ steps.files.outputs.all }} - repository: chainguard-images/images - presubmit-build: + - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - id: generate-matrix + run: | + set -x + # TODO: set ONLY env var based on changed files + matrix="$(ONLY="${{ inputs.only }}" ./hack/matrix.sh)" + echo "matrix=${matrix}" >> $GITHUB_OUTPUT + build: runs-on: ubuntu-latest - needs: presubmit-matrix + needs: generate-matrix strategy: fail-fast: false - matrix: ${{ fromJson(needs.presubmit-matrix.outputs.matrix) }} + matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix) }} + permissions: + id-token: write + packages: write + contents: read steps: + + # Setup required tooling etc. 
+ - name: Setup QEMU + if: ${{ matrix.melangeConfig != '' }} + uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0 + - uses: hashicorp/setup-terraform@v2 + with: + terraform_version: '1.3.*' + terraform_wrapper: false + + # Checkout this repo's source code - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + + # Build custom package using melange (if specified) + - id: melange + if: ${{ matrix.melangeConfig != '' }} + uses: chainguard-dev/actions/melange-build@main with: - repository: chainguard-images/images - - name: Add additional inputs - id: augmented-inputs + multi-config: ${{ matrix.melangeConfig }} + empty-workspace: false + workdir: images/${{ matrix.imageName }} + sign-with-temporary-key: true + archs: x86_64,aarch64 + + # Setup local registry + - uses: chainguard-dev/actions/setup-registry@main + with: + port: 5000 + + # Build and push image using terraform-provider-apko + - name: Build image with apko/terraform env: - EXTRA_INPUT_APKO_IMAGE: ghcr.io/wolfi-dev/apko:latest@sha256:94c1512d9c359148059a13cb8df972d15f196e5901f0132238d0376e0bfb597c + TF_VAR_target_repository: localhost:5000/${{ matrix.imageName }} run: | - # convert env vars beginning with "EXTRA_INPUT_" - # to camelcased input variables passed to next step set -x - echo '${{ toJSON(matrix) }}' > inputs.json - for kv in `env | grep '^EXTRA_INPUT_' | sed 's/^EXTRA_INPUT_//'`; do - k="$(echo "${kv}" | cut -d "=" -f1 | tr '[:upper:]' '[:lower:]' | sed -r 's/(.)_+(.)/\1\U\2/g;s/^[a-z]/\U&/' | sed 's/.*/\l&/')" - v="$(echo "${kv}" | cut -d "=" -f2)" - cat inputs.json | jq -c '. 
+ {'${k}': "'${v}'"}' > inputs.json.tmp - mv inputs.json.tmp inputs.json - done - echo "augmented-inputs=$(cat inputs.json | tr -d '\n')" >> $GITHUB_OUTPUT - - uses: ./.github/actions/build-image - with: ${{ fromJSON(steps.augmented-inputs.outputs.augmented-inputs) }} - presubmit-roundup: - runs-on: ubuntu-latest - needs: presubmit-build - steps: - - run: | - echo "all matrix jobs completed" + cd images/${{ matrix.imageName }}/ + terraform init + terraform apply -auto-approve diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 8822bb5a..1ee32a4b 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
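Review bot: The `build` job's new `permissions` block grants `id-token: write` and `packages: write`, yet none of the new steps appears to push to ghcr.io or request an OIDC token — `TF_VAR_target_repository` points at `localhost:5000` — so on a `pull_request` trigger the block should shrink to `contents: read` unless the apko/oci providers turn out to need more. The added `hashicorp/setup-terraform@v2`, `chainguard-dev/actions/melange-build@main` and `chainguard-dev/actions/setup-registry@main` steps (the first two are added to release.yaml in this commit as well) reference mutable tags and branches while the adjacent `actions/checkout` and `docker/setup-qemu-action` steps are pinned to a commit SHA; since this commit also deletes the digestabot workflow that refreshed pins, pin these to a SHA with the version in a trailing comment like the other steps. `inputs.only` is empty for `pull_request` events, so `ONLY` is always unset here; if a manual trigger is added later, set `ONLY: ${{ inputs.only }}` under the step's `env:` and reference `$ONLY` rather than expanding `${{ inputs.only }}` inside the `run:` script.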
@@ -18,58 +18,13 @@ jobs: outputs: matrix: ${{ steps.generate-matrix.outputs.matrix }} steps: - - # On push to main branch, only build images necessary - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - if: ${{ github.event_name != 'schedule' && github.event_name != 'workflow_dispatch' }} - - id: files - if: ${{ github.event_name != 'schedule' && github.event_name != 'workflow_dispatch' }} - uses: jitterbit/get-changed-files@b17fbb00bdc0c0f63fcf166580804b4d2cdc2a42 # v1 - with: - format: csv - - # Checkout public repo to get actions - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - with: - repository: chainguard-images/images - - # For nightly builds, build every image - - id: generate-matrix-schedule - if: ${{ github.event_name == 'schedule' || ( github.event_name == 'workflow_dispatch' && inputs.only == '' ) }} - uses: ./.github/actions/generate-matrix - with: - repository: chainguard-images/images - - # On push to main branch, only build images necessary - - id: generate-matrix-main - if: ${{ github.event_name != 'schedule' && github.event_name != 'workflow_dispatch' }} - uses: ./.github/actions/generate-matrix - with: - repository: chainguard-images/images - modified-files: ${{ steps.files.outputs.all }} - - # For manual builds, build only the image requested - - id: generate-matrix-manual - if: ${{ github.event_name == 'workflow_dispatch' && inputs.only != '' }} - uses: ./.github/actions/generate-matrix - with: - repository: chainguard-images/images - modified-files: images/${{ inputs.only }}/image.yaml - - # Generate the final matrix for build based on the above - id: generate-matrix run: | set -x - trap "rm -f matrix.json matrix-unique-images.json" EXIT - echo '${{ steps.generate-matrix-manual.outputs.matrix }}' > matrix.json - [[ "$(cat matrix.json)" != "" ]] || echo '${{ steps.generate-matrix-schedule.outputs.matrix }}' > matrix.json - [[ "$(cat matrix.json)" != "" ]] || echo '${{ 
steps.generate-matrix-main.outputs.matrix }}' > matrix.json - echo "matrix=$(cat matrix.json)" >> $GITHUB_OUTPUT - echo '${{ steps.generate-matrix-manual.outputs.matrix-unique-images }}' > matrix-unique-images.json - [[ "$(cat matrix-unique-images.json)" != "" ]] || echo '${{ steps.generate-matrix-schedule.outputs.matrix-unique-images }}' > matrix-unique-images.json - [[ "$(cat matrix-unique-images.json)" != "" ]] || echo '${{ steps.generate-matrix-main.outputs.matrix-unique-images }}' > matrix-unique-images.json - echo "matrix-unique-images=$(cat matrix-unique-images.json)" >> $GITHUB_OUTPUT - + # TODO: set ONLY env var based on changed files + matrix="$(ONLY="${{ inputs.only }}" ./hack/matrix.sh)" + echo "matrix=${matrix}" >> $GITHUB_OUTPUT build: runs-on: ubuntu-latest needs: generate-matrix 
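Review bot: The rewritten `generate-matrix` step no longer filters on changed files, so until the `# TODO` is resolved every push to main rebuilds and republishes every image rather than only the touched ones; the comment should state that consequence and carry a reference, e.g. `# TODO(<tracking-issue>): ONLY is empty on push and schedule, so every image is rebuilt; derive it from the changed files`. `${{ inputs.only }}` is expanded directly into the shell script; it is only settable through `workflow_dispatch` by someone with write access, but the conventional form is to set `ONLY: ${{ inputs.only }}` under the step's `env:` and run `matrix="$(./hack/matrix.sh)"`, so the value never passes through shell parsing. The enclosing `generate-matrix` job starts above this hunk.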
@@ -81,24 +36,44 @@ jobs: packages: write contents: read steps: + + # Setup required tooling etc. + - name: Setup QEMU + if: ${{ matrix.melangeConfig != '' }} + uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0 + - uses: hashicorp/setup-terraform@v2 + with: + terraform_version: '1.3.*' + terraform_wrapper: false + + # Checkout this repo's source code - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + + # Build custom package using melange (if specified) + - id: melange + if: ${{ matrix.melangeConfig != '' }} + uses: chainguard-dev/actions/melange-build@main with: - repository: chainguard-images/images - - name: Add additional inputs - id: augmented-inputs + multi-config: ${{ matrix.melangeConfig }} + empty-workspace: false + workdir: images/${{ matrix.imageName }} + sign-with-temporary-key: true + archs: x86_64,aarch64 + + # Auth to GitHub Container Registry (ghcr.io) + - name: Login to registry + run: | + set -x + echo "${{ github.token }}" | docker login \ + -u "${{ github.repository_owner }}" \ + --password-stdin ghcr.io + + # Build and push image using terraform-provider-apko + - name: Build image with apko/terraform env: - EXTRA_INPUT_APKO_IMAGE: ghcr.io/wolfi-dev/apko:latest@sha256:94c1512d9c359148059a13cb8df972d15f196e5901f0132238d0376e0bfb597c + TF_VAR_target_repository: ghcr.io/${{ github.repository_owner }}/${{ matrix.imageName }} run: | - # convert env vars beginning with "EXTRA_INPUT_" - # to camelcased input variables passed to next step set -x - echo '${{ toJSON(matrix) }}' > inputs.json - for kv in `env | grep '^EXTRA_INPUT_' | sed 's/^EXTRA_INPUT_//'`; do - k="$(echo "${kv}" | cut -d "=" -f1 | tr '[:upper:]' '[:lower:]' | sed -r 's/(.)_+(.)/\1\U\2/g;s/^[a-z]/\U&/' | sed 's/.*/\l&/')" - v="$(echo "${kv}" | cut -d "=" -f2)" - cat inputs.json | jq -c '. 
+ {'${k}': "'${v}'"}' > inputs.json.tmp - mv inputs.json.tmp inputs.json - done - echo "augmented-inputs=$(cat inputs.json | tr -d '\n')" >> $GITHUB_OUTPUT - - uses: ./.github/actions/release-image - with: ${{ fromJSON(steps.augmented-inputs.outputs.augmented-inputs) }} + cd images/${{ matrix.imageName }}/ + terraform init + terraform apply -auto-approve diff --git a/.gitignore b/.gitignore new file mode 100644 index 00000000..c5c33557 --- /dev/null +++ b/.gitignore @@ -0,0 +1,7 @@ +**/.terraform* +**/terraform* +**/melange.rsa* +**/packages/ +**/*.tar +**/*.cdx +**/*.spdx.json diff --git a/hack/matrix.sh b/hack/matrix.sh new file mode 100755 index 00000000..9557b301 --- /dev/null +++ b/hack/matrix.sh @@ -0,0 +1,17 @@ +#!/usr/bin/env bash + +# This script is used in .github/workflows/release.yaml +# to dynamically generate a build matrix based on repo contents + +set -e +matrix='{"include":[]}' +for name in `find images -mindepth 1 -maxdepth 1 -type d | sed 's|images/||' | sort | xargs`; do + [[ "${ONLY}" == "" || "${ONLY}" == "${name}" ]] || continue + entry='{imageName: "'${name}'"}' + melange_config="$(cd images/${name} && find . -name '*.melange.yaml' | sed 's|./||')" + if [[ "${melange_config}" != "" ]]; then + entry="{imageName: \"${name}\", melangeConfig: \"${melange_config}\"}" + fi + matrix="$(echo "${matrix}" | jq -c ".include += [${entry}]")" +done +echo "${matrix}" diff --git a/hack/melange-build.sh b/hack/melange-build.sh new file mode 100755 index 00000000..ed57587a --- /dev/null +++ b/hack/melange-build.sh 
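Review bot: In the new `Login to registry` step, `set -x` is enabled before `echo "${{ github.token }}" | docker login …`, so bash's xtrace writes the fully expanded command line — token included — to the job log. GitHub's masking of `GITHUB_TOKEN` in logs is a best-effort filter, and nothing in this step benefits from tracing; remove `set -x` from this `run:` block (passing the token via `env:` is good practice too, but xtrace prints expanded values, so that alone does not remove the exposure). The same `set -x` precedes the `terraform apply` step, which is harmless as long as no secret is interpolated there, but a `terraform_wrapper: false` apply log is already verbose enough without it.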
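Review bot: The header comment says the script `is used in .github/workflows/release.yaml`, but this commit also calls it from `presubmit-build.yaml`; rewrite it as `# Used by the presubmit-build and release workflows to generate the build matrix from the images/ directory; set ONLY=<image> to restrict it to one image.` `melange_config` holds the raw output of `find`, so an image directory with two `*.melange.yaml` files would splice a newline-separated value into the JSON string literal passed to `jq`; if `multi-config` accepts a comma-separated list, join the names (e.g. with `paste -sd,`), otherwise state the one-config-per-image assumption in a comment. The `for name in` loop relies on word splitting of the `find | xargs` output, which is fine for the current directory names but deserves a one-line comment since a name containing whitespace would silently yield a broken matrix entry.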
@@ -0,0 +1,26 @@ +#!/usr/bin/env bash + +# This script is used for local development +# to generate the packages/ for a specific image +# using melange + +set -e + +IMAGE="${1}" + +if [[ "${IMAGE}" == "" ]]; then + echo "usage: ./melange-build.sh " + exit 1 +fi + +if [[ ! -f melange.rsa ]]; then + melange keygen +fi + +cd "images/${IMAGE}" + +melange build \ + --arch amd64,arm64 \ + --signing-key ../../melange.rsa \ + --out-dir ../../packages/ \ + configs/*.melange.yaml diff --git a/images/alpine-base/configs/latest.apko.yaml b/images/alpine-base/configs/latest.apko.yaml index add97da2..93b0173b 100644 --- a/images/alpine-base/configs/latest.apko.yaml +++ b/images/alpine-base/configs/latest.apko.yaml @@ -1,9 +1,7 @@ contents: - repositories: - - https://dl-cdn.alpinelinux.org/alpine/edge/main packages: - alpine-baselayout-data - - alpine-release + - alpine-release==3 # TODO: unlock this, some issue using terraform - apk-tools - busybox - libc-utils diff --git a/images/alpine-base/image.yaml b/images/alpine-base/image.yaml deleted file mode 100644 index 7f486af1..00000000 --- a/images/alpine-base/image.yaml +++ /dev/null @@ -1,4 +0,0 @@ -ref: ghcr.io/wolfi-dev/alpine-base -versions: - - apko: - config: configs/latest.apko.yaml diff --git a/images/alpine-base/main.tf b/images/alpine-base/main.tf new file mode 100644 index 00000000..2f940a2e --- /dev/null +++ b/images/alpine-base/main.tf 
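Review bot: The usage message prints `./melange-build.sh`, which does not match the script's location in `hack/`, and the `../../melange.rsa` and `../../packages/` paths used after `cd "images/${IMAGE}"`, like the `melange.rsa` existence check, only resolve from the repository root; add `# Run from the repo root: ./hack/melange-build.sh <image>` to the header and make the `echo` print that path (its argument placeholder also appears to be missing, possibly lost in rendering). `IMAGE` is used unchecked; `[[ -d "images/${IMAGE}" ]] || { echo "unknown image: ${IMAGE}" >&2; exit 1; }` before the `cd` gives a clear error instead of a bare `cd` failure. `melange keygen` leaves an unencrypted private key at `melange.rsa` in the checkout; a comment noting that `.gitignore` excludes `melange.rsa*` and that the key is for local builds only would help the next reader.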
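Review bot: `alpine-release==3 # TODO: unlock this, some issue using terraform` records a workaround without a reference, and the same pins elsewhere in this commit are commented inconsistently: musl-dynamic carries the same TODO on `alpine-release==3` and `musl==1`, while gcc-musl pins `alpine-release==3` and `musl-dev==1` with no comment at all. Use one comment in all three configs, e.g. `# TODO(<tracking-issue>): pinned to work around a resolution issue with terraform-provider-apko; remove once fixed`, so the pins are found and removed together.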
@@ -0,0 +1,35 @@ +terraform { + required_providers { + apko = { source = "chainguard-dev/apko" } + oci = { source = "chainguard-dev/oci" } + } +} + +variable "target_repository" { + description = "The docker repo into which the image and attestations should be published." +} + +provider "apko" { + extra_repositories = ["https://dl-cdn.alpinelinux.org/alpine/edge/main"] + extra_keyring = [] + default_archs = ["386", "amd64", "arm64", "arm/v6", "arm/v7", "ppc64le", "riscv64", "s390x"] +} + +module "latest" { + source = "../../tflib/publisher" + target_repository = var.target_repository + config = file("${path.module}/configs/latest.apko.yaml") + extra_packages = [] +} + +module "test-latest" { + source = "./tests" + digest = module.latest.image_ref +} + +resource "oci_tag" "version-tags" { + depends_on = [ module.test-latest ] + for_each = toset(["latest"]) + digest_ref = module.latest.image_ref + tag = "${each.key}" +} diff --git a/images/alpine-base/test.sh b/images/alpine-base/tests/01-echo.sh similarity index 100% rename from images/alpine-base/test.sh rename to images/alpine-base/tests/01-echo.sh diff --git a/images/alpine-base/tests/main.tf b/images/alpine-base/tests/main.tf new file mode 100644 index 00000000..32faeb14 --- /dev/null +++ b/images/alpine-base/tests/main.tf @@ -0,0 +1,14 @@ +terraform { + required_providers { + oci = { source = "chainguard-dev/oci" } + } +} + +variable "digest" { + description = "The image digest to run tests over." +} + +data "oci_exec_test" "echo" { + digest = var.digest + script = "${path.module}/01-echo.sh" +} diff --git a/images/apko/configs/latest.apko.yaml b/images/apko/configs/latest.apko.yaml index 837d5106..2b678d1f 100644 --- a/images/apko/configs/latest.apko.yaml +++ b/images/apko/configs/latest.apko.yaml @@ -1,8 +1,4 @@ contents: - keyring: - - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub - repositories: - - https://packages.wolfi.dev/os packages: - alpine-keys - ca-certificates-bundle 
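Review bot: `required_providers` gives only `source` for `chainguard-dev/apko` and `chainguard-dev/oci`, with no `version` constraint, and the new `.gitignore` pattern `**/.terraform*` also excludes `.terraform.lock.hcl`, so every CI `terraform init` downloads and executes whatever the latest provider release is — a floating supply-chain input in a repository that otherwise pins its actions by SHA. Add `version = "<constraint>"` to both entries and commit the lock file (narrowing the ignore pattern to `**/.terraform/`); the same block is repeated in images/apko, images/gcc-musl and images/melange `main.tf`, and presumably in images/musl-dynamic, whose hunk lies beyond this view. `tag = "${each.key}"` is a redundant interpolation; `tag = each.key` is the idiomatic form.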
@@ -19,7 +15,3 @@ work-dir: /work entrypoint: command: /usr/bin/apko cmd: --help - -archs: - - x86_64 - - aarch64 diff --git a/images/apko/image.yaml b/images/apko/image.yaml deleted file mode 100644 index 749f3b91..00000000 --- a/images/apko/image.yaml +++ /dev/null @@ -1,7 +0,0 @@ -ref: ghcr.io/wolfi-dev/apko -versions: - - melange: - configs: - - configs/latest.melange.yaml - apko: - config: configs/latest.apko.yaml diff --git a/images/apko/main.tf b/images/apko/main.tf new file mode 100644 index 00000000..771337b0 --- /dev/null +++ b/images/apko/main.tf @@ -0,0 +1,35 @@ +terraform { + required_providers { + apko = { source = "chainguard-dev/apko" } + oci = { source = "chainguard-dev/oci" } + } +} + +variable "target_repository" { + description = "The docker repo into which the image and attestations should be published." +} + +provider "apko" { + extra_repositories = ["https://packages.wolfi.dev/os", "${path.module}/../../packages"] + extra_keyring = ["https://packages.wolfi.dev/os/wolfi-signing.rsa.pub", "${path.module}/../../melange.rsa.pub"] + default_archs = ["arm64", "amd64"] +} + +module "latest" { + source = "../../tflib/publisher" + target_repository = var.target_repository + config = file("${path.module}/configs/latest.apko.yaml") + extra_packages = ["wolfi-baselayout"] +} + +module "test-latest" { + source = "./tests" + digest = module.latest.image_ref +} + +resource "oci_tag" "version-tags" { + depends_on = [ module.test-latest ] + for_each = toset(["latest"]) + digest_ref = module.latest.image_ref + tag = "${each.key}" +} diff --git a/images/apko/test.sh b/images/apko/tests/01-version.sh similarity index 100% rename from images/apko/test.sh rename to images/apko/tests/01-version.sh diff --git a/images/apko/tests/main.tf b/images/apko/tests/main.tf new file mode 100644 index 00000000..12f5ea92 --- /dev/null +++ b/images/apko/tests/main.tf 
@@ -0,0 +1,14 @@ +terraform { + required_providers { + oci = { source = "chainguard-dev/oci" } + } +} + +variable "digest" { + description = "The image digest to run tests over." +} + +data "oci_exec_test" "echo" { + digest = var.digest + script = "${path.module}/01-version.sh" +} diff --git a/images/gcc-musl/LICENSE b/images/gcc-musl/LICENSE deleted file mode 100644 index 261eeb9e..00000000 --- a/images/gcc-musl/LICENSE +++ /dev/null 
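Review bot: The data source is named `oci_exec_test "echo"` but it runs `01-version.sh`; the name was evidently carried over from images/alpine-base/tests/main.tf, where the script is `01-echo.sh`. Rename it `data "oci_exec_test" "version"` here and in images/melange/tests/main.tf (identical content) so plan output and test failures identify what ran. `variable "digest"` would also benefit from `type = string` next to its description.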
@@ -1,201 +0,0 @@ - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/images/gcc-musl/configs/latest.apko.yaml b/images/gcc-musl/configs/latest.apko.yaml index 3ee1dbed..e09daf99 100644 --- a/images/gcc-musl/configs/latest.apko.yaml +++ b/images/gcc-musl/configs/latest.apko.yaml @@ -1,12 +1,10 @@ contents: - repositories: - - https://dl-cdn.alpinelinux.org/alpine/edge/main packages: - ca-certificates-bundle - alpine-baselayout-data - - alpine-release + - alpine-release==3 - gcc - - musl-dev + - musl-dev==1 - busybox paths: diff --git a/images/gcc-musl/image.yaml b/images/gcc-musl/image.yaml deleted file mode 100644 index 08c3036a..00000000 --- a/images/gcc-musl/image.yaml +++ /dev/null @@ -1,6 +0,0 @@ -ref: ghcr.io/wolfi-dev/gcc-musl -versions: - - apko: - config: configs/latest.apko.yaml - extractTagsFrom: - package: gcc 
diff --git a/images/gcc-musl/main.tf b/images/gcc-musl/main.tf new file mode 100644 index 00000000..0392667f --- /dev/null +++ b/images/gcc-musl/main.tf @@ -0,0 +1,41 @@ +terraform { + required_providers { + apko = { source = "chainguard-dev/apko" } + oci = { source = "chainguard-dev/oci" } + } +} + +variable "target_repository" { + description = "The docker repo into which the image and attestations should be published." +} + +provider "apko" { + extra_repositories = ["https://dl-cdn.alpinelinux.org/alpine/edge/main"] + extra_keyring = [] + default_archs = ["386", "amd64", "arm64", "arm/v6", "arm/v7", "ppc64le", "riscv64", "s390x"] +} + +module "latest" { + source = "../../tflib/publisher" + target_repository = var.target_repository + config = file("${path.module}/configs/latest.apko.yaml") + extra_packages = [] +} + +module "test-latest" { + source = "./tests" + digest = module.latest.image_ref +} + +module "version-tags" { + source = "../../tflib/version-tags" + package = "gcc" + config = module.latest.config +} + +resource "oci_tag" "version-tags" { + depends_on = [ module.test-latest ] + for_each = toset(concat(["latest"], module.version-tags.tag_list)) + digest_ref = module.latest.image_ref + tag = "${each.key}" +} diff --git a/images/gcc-musl/tests/main.tf b/images/gcc-musl/tests/main.tf new file mode 100644 index 00000000..12f5ea92 --- /dev/null +++ b/images/gcc-musl/tests/main.tf @@ -0,0 +1,14 @@ +terraform { + required_providers { + oci = { source = "chainguard-dev/oci" } + } +} + +variable "digest" { + description = "The image digest to run tests over." +} + +data "oci_exec_test" "echo" { + digest = var.digest + script = "${path.module}/01-version.sh" +} diff --git a/images/melange/configs/latest.apko.yaml b/images/melange/configs/latest.apko.yaml index d4be4a18..24697a46 100644 --- a/images/melange/configs/latest.apko.yaml +++ b/images/melange/configs/latest.apko.yaml 
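Review bot: This file runs `${path.module}/01-version.sh`, but the commit creates no `images/gcc-musl/tests/01-version.sh` — the diffstat shows `test.sh` renamed into `tests/` for alpine-base, apko, melange, sdk and wolfictl but nothing for gcc-musl, and this file's blob (`12f5ea92`) is byte-identical to images/apko/tests/main.tf. Unless the script already exists outside this diff, `terraform apply` for gcc-musl will fail in `module.test-latest` on a missing file; add a gcc-musl test script (for example one that runs `gcc --version`) or point the data source at a script that exists. The data source name `echo` should also be changed to match whatever script it runs.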
@@ -1,8 +1,4 @@ contents: - keyring: - - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub - repositories: - - https://packages.wolfi.dev/os packages: - alpine-keys - ca-certificates-bundle @@ -20,7 +16,3 @@ work-dir: /work entrypoint: command: /usr/bin/melange cmd: --help - -archs: - - x86_64 - - aarch64 diff --git a/images/melange/image.yaml b/images/melange/image.yaml deleted file mode 100644 index 8c9c2b18..00000000 --- a/images/melange/image.yaml +++ /dev/null @@ -1,7 +0,0 @@ -ref: ghcr.io/wolfi-dev/melange -versions: - - melange: - configs: - - configs/latest.melange.yaml - apko: - config: configs/latest.apko.yaml diff --git a/images/melange/main.tf b/images/melange/main.tf new file mode 100644 index 00000000..771337b0 --- /dev/null +++ b/images/melange/main.tf @@ -0,0 +1,35 @@ +terraform { + required_providers { + apko = { source = "chainguard-dev/apko" } + oci = { source = "chainguard-dev/oci" } + } +} + +variable "target_repository" { + description = "The docker repo into which the image and attestations should be published." +} + +provider "apko" { + extra_repositories = ["https://packages.wolfi.dev/os", "${path.module}/../../packages"] + extra_keyring = ["https://packages.wolfi.dev/os/wolfi-signing.rsa.pub", "${path.module}/../../melange.rsa.pub"] + default_archs = ["arm64", "amd64"] +} + +module "latest" { + source = "../../tflib/publisher" + target_repository = var.target_repository + config = file("${path.module}/configs/latest.apko.yaml") + extra_packages = ["wolfi-baselayout"] +} + +module "test-latest" { + source = "./tests" + digest = module.latest.image_ref +} + +resource "oci_tag" "version-tags" { + depends_on = [ module.test-latest ] + for_each = toset(["latest"]) + digest_ref = module.latest.image_ref + tag = "${each.key}" +} diff --git a/images/melange/test.sh b/images/melange/tests/01-version.sh similarity index 100% rename from images/melange/test.sh rename to images/melange/tests/01-version.sh 
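Review bot: `extra_keyring` trusts `${path.module}/../../melange.rsa.pub` and `extra_repositories` adds the local `${path.module}/../../packages` directory, so any apk signed with the matching private key is accepted on equal footing with the Wolfi repository. Make sure `melange.rsa` is generated fresh per CI run and never committed (the `.gitignore` added in this patch may cover it, but it is not visible here), since whoever holds that key can inject a package into every image built from this configuration. Presumably apk resolves by highest version across all configured repositories, so the locally built package only wins when its version is at least as high as what `https://packages.wolfi.dev/os` serves; a comment on the `extra_repositories` line, `# local packages/ dir must carry a version >= upstream to be selected`, would save the next person a debugging session.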
diff --git a/images/melange/tests/main.tf b/images/melange/tests/main.tf
new file mode 100644
index 00000000..12f5ea92
--- /dev/null
+++ b/images/melange/tests/main.tf
@@ -0,0 +1,14 @@
+terraform {
+  required_providers {
+    oci = { source = "chainguard-dev/oci" }
+  }
+}
+
+variable "digest" {
+  description = "The image digest to run tests over."
+}
+
+data "oci_exec_test" "echo" {
+  digest = var.digest
+  script = "${path.module}/01-version.sh"
+}
diff --git a/images/musl-dynamic/configs/latest.apko.yaml b/images/musl-dynamic/configs/latest.apko.yaml
index 51c95096..3da772a6 100644
--- a/images/musl-dynamic/configs/latest.apko.yaml
+++ b/images/musl-dynamic/configs/latest.apko.yaml
@@ -1,8 +1,6 @@
 contents:
-  repositories:
-    - https://dl-cdn.alpinelinux.org/alpine/edge/main
   packages:
     - alpine-baselayout-data
-    - alpine-release
+    - alpine-release==3 # TODO: unlock this, some issue using terraform
     - ca-certificates-bundle
-    - musl
+    - musl==1 # TODO: unlock this, some issue using terraform
diff --git a/images/musl-dynamic/image.yaml b/images/musl-dynamic/image.yaml
deleted file mode 100644
index e05d301b..00000000
--- a/images/musl-dynamic/image.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-ref: ghcr.io/wolfi-dev/musl-dynamic
-versions:
-  - apko:
-      config: configs/latest.apko.yaml
-      extractTagsFrom:
-        package: musl
diff --git a/images/musl-dynamic/main.tf b/images/musl-dynamic/main.tf
new file mode 100644
index 00000000..78466ce6
--- /dev/null
+++ b/images/musl-dynamic/main.tf
@@ -0,0 +1,41 @@
+terraform {
+  required_providers {
+    apko = { source = "chainguard-dev/apko" }
+    oci = { source = "chainguard-dev/oci" }
+  }
+}
+
+variable "target_repository" {
+  description = "The docker repo into which the image and attestations should be published."
+}
+
+provider "apko" {
+  extra_repositories = ["https://dl-cdn.alpinelinux.org/alpine/edge/main"]
+  extra_keyring = []
+  default_archs = ["386", "amd64", "arm64", "arm/v6", "arm/v7", "ppc64le", "riscv64", "s390x"]
+}
+
+module "latest" {
+  source = "../../tflib/publisher"
+  target_repository = var.target_repository
+  config = file("${path.module}/configs/latest.apko.yaml")
+  extra_packages = []
+}
+
+module "test-latest" {
+  source = "./tests"
+  digest = module.latest.image_ref
+}
+
+module "version-tags" {
+  source = "../../tflib/version-tags"
+  package = "musl"
+  config = module.latest.config
+}
+
+resource "oci_tag" "version-tags" {
+  depends_on = [ module.test-latest ]
+  for_each = toset(concat(["latest"], module.version-tags.tag_list))
+  digest_ref = module.latest.image_ref
+  tag = "${each.key}"
+}
diff --git a/images/musl-dynamic/tests/main.tf b/images/musl-dynamic/tests/main.tf
new file mode 100644
index 00000000..f2bbad05
--- /dev/null
+++ b/images/musl-dynamic/tests/main.tf
@@ -0,0 +1,14 @@
+terraform {
+  required_providers {
+    oci = { source = "chainguard-dev/oci" }
+  }
+}
+
+variable "digest" {
+  description = "The image digest to run tests over."
+}
+
+data "oci_exec_test" "echo" {
+  digest = var.digest
+  script = "${path.module}/01-dockerfile-c-build.sh"
+}
diff --git a/images/sdk/configs/latest.apko.yaml b/images/sdk/configs/latest.apko.yaml
index b0704557..28825a47 100644
--- a/images/sdk/configs/latest.apko.yaml
+++ b/images/sdk/configs/latest.apko.yaml
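Review bot: The `oci_exec_test` for musl-dynamic references `${path.module}/01-dockerfile-c-build.sh`, yet the diffstat for this patch shows no script added or renamed under `images/musl-dynamic/tests/` (only `main.tf` and `tests/main.tf`), so the apply will fail at test time unless that file already exists in the tree; please confirm or add it in this series. The data source name `echo` also does not describe a Dockerfile C build — `data "oci_exec_test" "dockerfile-c-build"` would match the script.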
@@ -1,16 +1,9 @@ contents: - keyring: - - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub - repositories: - - https://packages.wolfi.dev/os packages: - ca-certificates-bundle - wolfi-baselayout - sdk - grype + entrypoint: command: /usr/bin/sdk - -archs: - - x86_64 - - aarch64 diff --git a/images/sdk/configs/latest.melange.yaml b/images/sdk/configs/latest.melange.yaml index 6a12a82b..90941ee3 100644 --- a/images/sdk/configs/latest.melange.yaml +++ b/images/sdk/configs/latest.melange.yaml @@ -22,6 +22,7 @@ package: - bubblewrap - tree - alpine-keys + - grype environment: contents: diff --git a/images/sdk/image.yaml b/images/sdk/image.yaml deleted file mode 100644 index 6cd662c5..00000000 --- a/images/sdk/image.yaml +++ /dev/null @@ -1,8 +0,0 @@ -ref: ghcr.io/wolfi-dev/sdk -versions: - - melange: - mount: true - configs: - - configs/latest.melange.yaml - apko: - config: configs/latest.apko.yaml diff --git a/images/sdk/main.tf b/images/sdk/main.tf new file mode 100644 index 00000000..771337b0 --- /dev/null +++ b/images/sdk/main.tf 
@@ -0,0 +1,35 @@
+terraform {
+  required_providers {
+    apko = { source = "chainguard-dev/apko" }
+    oci = { source = "chainguard-dev/oci" }
+  }
+}
+
+variable "target_repository" {
+  description = "The docker repo into which the image and attestations should be published."
+}
+
+provider "apko" {
+  extra_repositories = ["https://packages.wolfi.dev/os", "${path.module}/../../packages"]
+  extra_keyring = ["https://packages.wolfi.dev/os/wolfi-signing.rsa.pub", "${path.module}/../../melange.rsa.pub"]
+  default_archs = ["arm64", "amd64"]
+}
+
+module "latest" {
+  source = "../../tflib/publisher"
+  target_repository = var.target_repository
+  config = file("${path.module}/configs/latest.apko.yaml")
+  extra_packages = ["wolfi-baselayout"]
+}
+
+module "test-latest" {
+  source = "./tests"
+  digest = module.latest.image_ref
+}
+
+resource "oci_tag" "version-tags" {
+  depends_on = [ module.test-latest ]
+  for_each = toset(["latest"])
+  digest_ref = module.latest.image_ref
+  tag = "${each.key}"
+}
diff --git a/images/sdk/test.sh b/images/sdk/tests/01-has-all-tools.sh
similarity index 100%
rename from images/sdk/test.sh
rename to images/sdk/tests/01-has-all-tools.sh
diff --git a/images/sdk/tests/main.tf b/images/sdk/tests/main.tf
new file mode 100644
index 00000000..fd88839b
--- /dev/null
+++ b/images/sdk/tests/main.tf
@@ -0,0 +1,14 @@
+terraform {
+  required_providers {
+    oci = { source = "chainguard-dev/oci" }
+  }
+}
+
+variable "digest" {
+  description = "The image digest to run tests over."
+}
+
+data "oci_exec_test" "echo" {
+  digest = var.digest
+  script = "${path.module}/01-has-all-tools.sh"
+}
diff --git a/images/wolfictl/configs/latest.apko.yaml b/images/wolfictl/configs/latest.apko.yaml
index 87f27c81..8ad4079e 100644
--- a/images/wolfictl/configs/latest.apko.yaml
+++ b/images/wolfictl/configs/latest.apko.yaml
@@ -1,8 +1,4 @@ contents: - keyring: - - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub - repositories: - - https://packages.wolfi.dev/os packages: - ca-certificates-bundle - wolfi-baselayout @@ -18,7 +14,3 @@ entrypoint: command: /usr/bin/wolfictl command: -h - -archs: - - x86_64 - - aarch64 diff --git a/images/wolfictl/image.yaml b/images/wolfictl/image.yaml deleted file mode 100644 index 44baa2ef..00000000 --- a/images/wolfictl/image.yaml +++ /dev/null @@ -1,7 +0,0 @@ -ref: ghcr.io/wolfi-dev/wolfictl -versions: - - melange: - configs: - - configs/latest.melange.yaml - apko: - config: configs/latest.apko.yaml diff --git a/images/wolfictl/main.tf b/images/wolfictl/main.tf new file mode 100644 index 00000000..771337b0 --- /dev/null +++ b/images/wolfictl/main.tf @@ -0,0 +1,35 @@ +terraform { + required_providers { + apko = { source = "chainguard-dev/apko" } + oci = { source = "chainguard-dev/oci" } + } +} + +variable "target_repository" { + description = "The docker repo into which the image and attestations should be published." +} + +provider "apko" { + extra_repositories = ["https://packages.wolfi.dev/os", "${path.module}/../../packages"] + extra_keyring = ["https://packages.wolfi.dev/os/wolfi-signing.rsa.pub", "${path.module}/../../melange.rsa.pub"] + default_archs = ["arm64", "amd64"] +} + +module "latest" { + source = "../../tflib/publisher" + target_repository = var.target_repository + config = file("${path.module}/configs/latest.apko.yaml") + extra_packages = ["wolfi-baselayout"] +} + +module "test-latest" { + source = "./tests" + digest = module.latest.image_ref +} + +resource "oci_tag" "version-tags" { + depends_on = [ module.test-latest ] + for_each = toset(["latest"]) + digest_ref = module.latest.image_ref + tag = "${each.key}" +} diff --git a/images/wolfictl/test.sh b/images/wolfictl/tests/01-runs.sh similarity index 100% rename from images/wolfictl/test.sh rename to images/wolfictl/tests/01-runs.sh 
diff --git a/images/wolfictl/tests/main.tf b/images/wolfictl/tests/main.tf
new file mode 100644
index 00000000..23becc6c
--- /dev/null
+++ b/images/wolfictl/tests/main.tf
@@ -0,0 +1,14 @@
+terraform {
+  required_providers {
+    oci = { source = "chainguard-dev/oci" }
+  }
+}
+
+variable "digest" {
+  description = "The image digest to run tests over."
+}
+
+data "oci_exec_test" "echo" {
+  digest = var.digest
+  script = "${path.module}/01-runs.sh"
+}
diff --git a/tflib/publisher/main.tf b/tflib/publisher/main.tf
new file mode 100644
index 00000000..db9b7d5e
--- /dev/null
+++ b/tflib/publisher/main.tf
@@ -0,0 +1,25 @@
+variable "target_repository" {}
+
+variable "config" {}
+
+variable "extra_packages" {
+  type = list(string)
+  default = ["wolfi-baselayout"]
+}
+
+module "this" {
+  source = "chainguard-dev/apko/publisher"
+  version = "0.0.4"
+
+  target_repository = var.target_repository
+  config = var.config
+  extra_packages = var.extra_packages
+}
+
+output "image_ref" {
+  value = module.this.image_ref
+}
+
+output "config" {
+  value = module.this.config
+}
\ No newline at end of file
diff --git a/tflib/version-tags/main.tf b/tflib/version-tags/main.tf
new file mode 100644
index 00000000..2053cd79
--- /dev/null
+++ b/tflib/version-tags/main.tf
@@ -0,0 +1,14 @@
+variable "config" {
+  description = "The resolved apko configuration."
+}
+
+variable "package" {
+  type = string
+  description = "The name of the package from which to extract version tags."
+}
+
+output "tag_list" {
+  value = [
+    for x in var.config.contents.packages : regexall("(((([a-z0-9]+)(?:[.][a-z0-9]+)?)(?:[.][a-z0-9]+)?)(?:[-][a-z0-9]+)?)", trimprefix(x, "${var.package}=")) if startswith(x, "${var.package}=")
+  ][0][0]
+}
From 47d007b0aaccac25a7f326a3e402e2dd38c08825 Mon Sep 17 00:00:00 2001
From: Josh Dolitsky
Date: Thu, 8 Jun 2023 15:32:42 -0500
Subject: [PATCH 2/4] address review comments
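Review bot: `variable "target_repository" {}` and `variable "config" {}` carry no type or description, so a wrong value (a map handed in as `config`, say) only surfaces as an error inside the registry module rather than at this module's boundary; add `type = string` and a one-line description to each, mirroring what `extra_packages` already does. The exact `version = "0.0.4"` pin on `chainguard-dev/apko/publisher` is the right instinct, but the Terraform lock file records hashes for providers only, not for registry modules, so the pin alone does not detect a re-published `0.0.4`; if you want that assurance, reference the module by a git SHA `source` or vendor it under `tflib/`. Consider also adding a trailing newline (`\ No newline at end of file`) to keep future diffs clean.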
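Review bot: The pattern in `tag_list` accepts only `[a-z0-9]` segments and is unanchored, so if the resolved version contains any other character — Alpine edge versions of the form `1.2.4_git20230717-r0` would be one example, if they occur here — `regexall` stops at the `_` and the image is tagged `1.2.4`, `1.2`, `1`, publishing a snapshot under release-looking tags without any error. Guard it by failing when the match does not consume the whole version, for instance by validating the value with `regex("^[a-z0-9.-]+$", trimprefix(x, "${var.package}="))` before extracting groups, so an unexpected version format breaks the apply instead of mis-tagging. The `[0]` index already errors when the package is absent from the resolved config, which is the safer failure mode and worth a comment: `# indexing [0] fails the plan if the package is not in the resolved config`.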
Signed-off-by: Josh Dolitsky --- images/alpine-base/configs/latest.apko.yaml | 2 +- images/alpine-base/main.tf | 6 ++---- images/apko/main.tf | 2 +- images/gcc-musl/main.tf | 6 ++---- images/melange/main.tf | 2 +- images/musl-dynamic/configs/latest.apko.yaml | 4 ++-- images/musl-dynamic/main.tf | 6 ++---- images/sdk/configs/latest.melange.yaml | 1 - images/sdk/main.tf | 2 +- images/wolfictl/main.tf | 2 +- 10 files changed, 13 insertions(+), 20 deletions(-) diff --git a/images/alpine-base/configs/latest.apko.yaml b/images/alpine-base/configs/latest.apko.yaml index 93b0173b..a3b98b64 100644 --- a/images/alpine-base/configs/latest.apko.yaml +++ b/images/alpine-base/configs/latest.apko.yaml @@ -1,7 +1,7 @@ contents: packages: - alpine-baselayout-data - - alpine-release==3 # TODO: unlock this, some issue using terraform + - alpine-release==3 # TODO(#33): unlock this - apk-tools - busybox - libc-utils diff --git a/images/alpine-base/main.tf b/images/alpine-base/main.tf index 2f940a2e..cb041961 100644 --- a/images/alpine-base/main.tf +++ b/images/alpine-base/main.tf @@ -11,15 +11,13 @@ variable "target_repository" { provider "apko" { extra_repositories = ["https://dl-cdn.alpinelinux.org/alpine/edge/main"] - extra_keyring = [] - default_archs = ["386", "amd64", "arm64", "arm/v6", "arm/v7", "ppc64le", "riscv64", "s390x"] } module "latest" { source = "../../tflib/publisher" target_repository = var.target_repository config = file("${path.module}/configs/latest.apko.yaml") - extra_packages = [] + extra_packages = [] # The default pulls in wolfi-baselayout which cannot be used in alpine } module "test-latest" { @@ -31,5 +29,5 @@ resource "oci_tag" "version-tags" { depends_on = [ module.test-latest ] for_each = toset(["latest"]) digest_ref = module.latest.image_ref - tag = "${each.key}" + tag = each.key } diff --git a/images/apko/main.tf b/images/apko/main.tf index 771337b0..68d2db5d 100644 --- a/images/apko/main.tf +++ b/images/apko/main.tf 
@@ -31,5 +31,5 @@ resource "oci_tag" "version-tags" { depends_on = [ module.test-latest ] for_each = toset(["latest"]) digest_ref = module.latest.image_ref - tag = "${each.key}" + tag = each.key } diff --git a/images/gcc-musl/main.tf b/images/gcc-musl/main.tf index 0392667f..4e9bd1d5 100644 --- a/images/gcc-musl/main.tf +++ b/images/gcc-musl/main.tf @@ -11,15 +11,13 @@ variable "target_repository" { provider "apko" { extra_repositories = ["https://dl-cdn.alpinelinux.org/alpine/edge/main"] - extra_keyring = [] - default_archs = ["386", "amd64", "arm64", "arm/v6", "arm/v7", "ppc64le", "riscv64", "s390x"] } module "latest" { source = "../../tflib/publisher" target_repository = var.target_repository config = file("${path.module}/configs/latest.apko.yaml") - extra_packages = [] + extra_packages = [] # The default pulls in wolfi-baselayout which cannot be used in alpine } module "test-latest" { @@ -37,5 +35,5 @@ resource "oci_tag" "version-tags" { depends_on = [ module.test-latest ] for_each = toset(concat(["latest"], module.version-tags.tag_list)) digest_ref = module.latest.image_ref - tag = "${each.key}" + tag = each.key } diff --git a/images/melange/main.tf b/images/melange/main.tf index 771337b0..68d2db5d 100644 --- a/images/melange/main.tf +++ b/images/melange/main.tf @@ -31,5 +31,5 @@ resource "oci_tag" "version-tags" { depends_on = [ module.test-latest ] for_each = toset(["latest"]) digest_ref = module.latest.image_ref - tag = "${each.key}" + tag = each.key } diff --git a/images/musl-dynamic/configs/latest.apko.yaml b/images/musl-dynamic/configs/latest.apko.yaml index 3da772a6..099ec1e9 100644 --- a/images/musl-dynamic/configs/latest.apko.yaml +++ b/images/musl-dynamic/configs/latest.apko.yaml 
@@ -1,6 +1,6 @@ contents: packages: - alpine-baselayout-data - - alpine-release==3 # TODO: unlock this, some issue using terraform + - alpine-release==3 # TODO(#33): unlock this - ca-certificates-bundle - - musl==1 # TODO: unlock this, some issue using terraform + - musl==1 # TODO(#33): unlock this diff --git a/images/musl-dynamic/main.tf b/images/musl-dynamic/main.tf index 78466ce6..58b8e5d7 100644 --- a/images/musl-dynamic/main.tf +++ b/images/musl-dynamic/main.tf @@ -11,15 +11,13 @@ variable "target_repository" { provider "apko" { extra_repositories = ["https://dl-cdn.alpinelinux.org/alpine/edge/main"] - extra_keyring = [] - default_archs = ["386", "amd64", "arm64", "arm/v6", "arm/v7", "ppc64le", "riscv64", "s390x"] } module "latest" { source = "../../tflib/publisher" target_repository = var.target_repository config = file("${path.module}/configs/latest.apko.yaml") - extra_packages = [] + extra_packages = [] # The default pulls in wolfi-baselayout which cannot be used in alpine } module "test-latest" { @@ -37,5 +35,5 @@ resource "oci_tag" "version-tags" { depends_on = [ module.test-latest ] for_each = toset(concat(["latest"], module.version-tags.tag_list)) digest_ref = module.latest.image_ref - tag = "${each.key}" + tag = each.key } diff --git a/images/sdk/configs/latest.melange.yaml b/images/sdk/configs/latest.melange.yaml index 90941ee3..6a12a82b 100644 --- a/images/sdk/configs/latest.melange.yaml +++ b/images/sdk/configs/latest.melange.yaml @@ -22,7 +22,6 @@ package: - bubblewrap - tree - alpine-keys - - grype environment: contents: diff --git a/images/sdk/main.tf b/images/sdk/main.tf index 771337b0..68d2db5d 100644 --- a/images/sdk/main.tf +++ b/images/sdk/main.tf @@ -31,5 +31,5 @@ resource "oci_tag" "version-tags" { depends_on = [ module.test-latest ] for_each = toset(["latest"]) digest_ref = module.latest.image_ref - tag = "${each.key}" + tag = each.key } diff --git a/images/wolfictl/main.tf b/images/wolfictl/main.tf index 771337b0..68d2db5d 100644 
--- a/images/wolfictl/main.tf +++ b/images/wolfictl/main.tf @@ -31,5 +31,5 @@ resource "oci_tag" "version-tags" { depends_on = [ module.test-latest ] for_each = toset(["latest"]) digest_ref = module.latest.image_ref - tag = "${each.key}" + tag = each.key } From 8c34ee5dccaef4c9cd212daf6a80a848134b1646 Mon Sep 17 00:00:00 2001 From: Josh Dolitsky Date: Thu, 8 Jun 2023 15:52:33 -0500 Subject: [PATCH 3/4] remove unnecessary for_each, put back default_archs Signed-off-by: Josh Dolitsky --- images/alpine-base/main.tf | 4 ++-- images/apko/main.tf | 3 +-- images/gcc-musl/main.tf | 1 + images/melange/main.tf | 3 +-- images/musl-dynamic/main.tf | 1 + images/sdk/main.tf | 3 +-- images/wolfictl/main.tf | 3 +-- 7 files changed, 8 insertions(+), 10 deletions(-) diff --git a/images/alpine-base/main.tf b/images/alpine-base/main.tf index cb041961..fc0db861 100644 --- a/images/alpine-base/main.tf +++ b/images/alpine-base/main.tf @@ -11,6 +11,7 @@ variable "target_repository" { provider "apko" { extra_repositories = ["https://dl-cdn.alpinelinux.org/alpine/edge/main"] + default_archs = ["386", "amd64", "arm64", "arm/v6", "arm/v7", "ppc64le", "riscv64", "s390x"] } module "latest" { @@ -27,7 +28,6 @@ module "test-latest" { resource "oci_tag" "version-tags" { depends_on = [ module.test-latest ] - for_each = toset(["latest"]) digest_ref = module.latest.image_ref - tag = each.key + tag = "latest" } diff --git a/images/apko/main.tf b/images/apko/main.tf index 68d2db5d..80668427 100644 --- a/images/apko/main.tf +++ b/images/apko/main.tf @@ -29,7 +29,6 @@ module "test-latest" { resource "oci_tag" "version-tags" { depends_on = [ module.test-latest ] - for_each = toset(["latest"]) digest_ref = module.latest.image_ref - tag = each.key + tag = "latest" } diff --git a/images/gcc-musl/main.tf b/images/gcc-musl/main.tf index 4e9bd1d5..ae5264d1 100644 --- a/images/gcc-musl/main.tf +++ b/images/gcc-musl/main.tf 
@@ -11,6 +11,7 @@ variable "target_repository" { provider "apko" { extra_repositories = ["https://dl-cdn.alpinelinux.org/alpine/edge/main"] + default_archs = ["386", "amd64", "arm64", "arm/v6", "arm/v7", "ppc64le", "riscv64", "s390x"] } module "latest" { diff --git a/images/melange/main.tf b/images/melange/main.tf index 68d2db5d..80668427 100644 --- a/images/melange/main.tf +++ b/images/melange/main.tf @@ -29,7 +29,6 @@ module "test-latest" { resource "oci_tag" "version-tags" { depends_on = [ module.test-latest ] - for_each = toset(["latest"]) digest_ref = module.latest.image_ref - tag = each.key + tag = "latest" } diff --git a/images/musl-dynamic/main.tf b/images/musl-dynamic/main.tf index 58b8e5d7..7d9518d9 100644 --- a/images/musl-dynamic/main.tf +++ b/images/musl-dynamic/main.tf @@ -11,6 +11,7 @@ variable "target_repository" { provider "apko" { extra_repositories = ["https://dl-cdn.alpinelinux.org/alpine/edge/main"] + default_archs = ["386", "amd64", "arm64", "arm/v6", "arm/v7", "ppc64le", "riscv64", "s390x"] } module "latest" { diff --git a/images/sdk/main.tf b/images/sdk/main.tf index 68d2db5d..80668427 100644 --- a/images/sdk/main.tf +++ b/images/sdk/main.tf @@ -29,7 +29,6 @@ module "test-latest" { resource "oci_tag" "version-tags" { depends_on = [ module.test-latest ] - for_each = toset(["latest"]) digest_ref = module.latest.image_ref - tag = each.key + tag = "latest" } diff --git a/images/wolfictl/main.tf b/images/wolfictl/main.tf index 68d2db5d..80668427 100644 --- a/images/wolfictl/main.tf +++ b/images/wolfictl/main.tf @@ -29,7 +29,6 @@ module "test-latest" { resource "oci_tag" "version-tags" { depends_on = [ module.test-latest ] - for_each = toset(["latest"]) digest_ref = module.latest.image_ref - tag = each.key + tag = "latest" } From 22eab3bc21e38f42ce2f382ba8f37b1ffe274cee Mon Sep 17 00:00:00 2001 From: Josh Dolitsky Date: Thu, 8 Jun 2023 17:39:39 -0500 Subject: [PATCH 4/4] add presubmit-roundup 
Signed-off-by: Josh Dolitsky --- .github/workflows/presubmit-build.yaml | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/.github/workflows/presubmit-build.yaml b/.github/workflows/presubmit-build.yaml index 35321b48..8149e2fa 100644 --- a/.github/workflows/presubmit-build.yaml +++ b/.github/workflows/presubmit-build.yaml @@ -1,7 +1,7 @@ on: pull_request: jobs: - generate-matrix: + presubmit-matrix: runs-on: ubuntu-latest outputs: matrix: ${{ steps.generate-matrix.outputs.matrix }} @@ -13,12 +13,13 @@ jobs: # TODO: set ONLY env var based on changed files matrix="$(ONLY="${{ inputs.only }}" ./hack/matrix.sh)" echo "matrix=${matrix}" >> $GITHUB_OUTPUT - build: + + presubmit-build: runs-on: ubuntu-latest - needs: generate-matrix + needs: presubmit-matrix strategy: fail-fast: false - matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix) }} + matrix: ${{ fromJson(needs.presubmit-matrix.outputs.matrix) }} permissions: id-token: write packages: write @@ -62,3 +63,19 @@ jobs: cd images/${{ matrix.imageName }}/ terraform init terraform apply -auto-approve + + presubmit-roundup: + needs: + - presubmit-build + runs-on: ubuntu-latest + if: always() + steps: + - uses: technote-space/workflow-conclusion-action@45ce8e0eb155657ab8ccf346ade734257fd196a5 # v3.0.3 + + - if: ${{ env.WORKFLOW_CONCLUSION == 'success' }} + working-directory: /tmp + run: echo ${{ env.WORKFLOW_CONCLUSION }} && exit 0 + + - if: ${{ env.WORKFLOW_CONCLUSION == 'failure' }} + working-directory: /tmp + run: echo ${{ env.WORKFLOW_CONCLUSION }} && exit 1
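Review bot: `presubmit-roundup` acts only on `success` and `failure`; because it runs with `if: always()`, any other conclusion the action reports (a cancelled run, or presumably `skipped` when the matrix job does not run) executes neither step and the job ends green, which defeats its purpose as a required status check. Collapse the two steps into a single one that fails unless the conclusion is success, e.g. `- run: test "$WORKFLOW_CONCLUSION" = "success"`, which also avoids expanding `${{ env.WORKFLOW_CONCLUSION }}` into the shell command text. The new job declares no `permissions:` block, so it inherits the repository's default token scopes while needing none; add `permissions: {}` under `presubmit-roundup`.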