Skip to content

Update images digests #1095

Update images digests

Update images digests #1095

Workflow file for this run

name: Test Chainguard Images
on:
pull_request:
branches: ['main']
push:
branches: ['main']
concurrency:
group: presubmit-build-${{ github.head_ref }}
cancel-in-progress: true
permissions:
# WARNING: This is mattmoor being a bit *too* clever.
# We want to be able to test the reproducibility of things via the upstream
# check-reproducibility test, which requires ambient credentials, but those
# are only available to pull requests under two circumstances:
# 1. The trigger is `pull_request_target`, and
# 2. The pull request is from a branch on the main repo.
# However, this doesn't cause things to fail when the pull request is from a
# fork, it will just make the tf-cosign rules NOPs and the
# check-repoducibility skip.
#
# But why not just use pull_request_target?
# This is because to pull in breaking changes to apko, we will need to update
# our apko Go dependency and the APKO_IMAGE (below) in the same PR, and the
# latter cannot be checked with the former if the workflow is
# pull_request_target.
#
# All of that said, dependabot and digestabot PRs come from branches on the
# main repo, so the net effect of this SHOULD be that we get an error
# presubmit when digestabot wants to pull in an update that is not
# reproducible with the version of the apko Go library we depend on.
id-token: write
jobs:
build-the-world:
runs-on: ubuntu-latest
steps:
# In some cases, we runs out of disk space during tests, so this hack frees up approx 10G.
# See the following issue for more info: https://github.com/actions/runner-images/issues/2840#issuecomment-1284059930
- name: Free up runner disk space
shell: bash
run: |
set -x
sudo rm -rf /usr/share/dotnet
sudo rm -rf "$AGENT_TOOLSDIRECTORY"
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
path: tf-apko
- uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version-file: 'tf-apko/go.mod'
- working-directory: tf-apko
run: go build .
# Make cosign/crane CLI available to the tests
- uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
- uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
repository: chainguard-images/images
path: images
- uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
with:
terraform_version: '1.10.*'
terraform_wrapper: false
- uses: chainguard-dev/actions/setup-registry@main
with:
port: 5000
- working-directory: images
env:
TF_VAR_target_repository: localhost:5000/tf-apko
APKO_IMAGE: ghcr.io/wolfi-dev/sdk:latest@sha256:6d49f779092c0bfacb2296654376aac5607dd946a5cd077f06e05e89a2341495
run: |
terraform init
cat > ~/.terraformrc <<EOF
provider_installation {
dev_overrides {
"chainguard-dev/apko" = "${{ github.workspace }}/tf-apko"
}
}
EOF
terraform apply -auto-approve \
-target=module.go \
-target=module.jdk \
-target=module.python \
-target=module.scanner-test
- name: Upload imagetest logs
if: always()
uses: actions/upload-artifact@v4
with:
name: "mega-module-imagetest-logs"
path: imagetest-logs