chainguard-images / actions Goto Github PK

View Code? Open in Web Editor NEW

16.0 16.0 22.0 340 KB

GitHub actions for the chainguard-images

License: Apache License 2.0

Go 100.00%

github-actions

actions's People

Contributors

Stargazers

Watchers

actions's Issues

Using multiple tags with apko-publish?

Hi again,

is it possible to use multiple tags with the apko-publish action? Using two instances of the action would build the image twice, I guess.

Something like this:

    tag:
      - ghcr.io/chainguard-dev/apko-example:latest
      - ghcr.io/chainguard-dev/apko-example:1.2.3

Thanks in advance,
Johannes

Confusion due to chainguard-images/actions and chainguard-dev/actions

I know it might be hard to move things now they might be used, but I got really confused by chainguard-images AND chainguard-dev both having a actions repository:

Maybe those could be merged? Or is there a specific reason for some of them being in chainguard-images (and others being duplicated, like apko-build)?

Kind Regards,
Johannes

Use cosign 1.8.0 and `verify-attestation` for vulnz checking

Opening this to track integrating @vaikas work to use Cue + verify-attestation in cosign 1.8 to check scan results for vulnerabilities.

I think we should support taking a Cue policy input, and default it to roughly match today's semantics as an example.

Actions include removed apko options

Description

See chainguard-dev/apko@a1d2154

Several options are removed from apko publish

	cmd.Flags().StringVar(&packageVersionTag, "package-version-tag", "", "Tag the final image with the version of the package passed in")
	cmd.Flags().BoolVar(&packageVersionTagStem, "package-version-tag-stem", false, "add additional tags by stemming the package version")
	cmd.Flags().StringVar(&packageVersionTagPrefix, "package-version-tag-prefix", "", "prefix for package version tag(s)")
	cmd.Flags().StringVar(&tagSuffix, "tag-suffix", "", "suffix to use for automatically generated tags")
	cmd.Flags().StringVar(&stageTags, "stage-tags", "", "path to file to write list of tags to instead of publishing them")

This means all the examples in https://github.com/chainguard-dev/hello-melange-apko/tree/main are failing the CICD.

Actions include removed apj

Description

apko-publish GH action fails due to unknown `--debug` flag

Description

The --debug flag was removed as part of chainguard-dev/apko#1011, which causes GH workflows using the apko-publish GH action to fail with:

Error: unknown flag: --debug
2024/01/16 21:50:48 error during command execution: unknown flag: --debug

I've opened #129 to leverage the newly added --log-level flag instead.

2 arguments required, but only 1 is mandatory in GHA code

Description

I'm trying to use the apko-publish action, with almost all fields using default values, like:

      - uses: distroless/actions/apko-publish@main
        with:
          # Config is the configuration file to use for the image build.
          # Optional, will use .apko.yaml without a defined one.
          # config: .apko.yaml
          # Tag is the tag that will be published.
          # Required.
          tag: ${{ env.IMAGE_TAG }}
          # Image Refs is the path to a file where apko should emit a newline
          # delimited list of published image digests.
          # Optional, will use a temporary file when unspecified.
          # image_refs: foo.images
          # Enable debug while testing
          debug: true
          generic-user: ${{ env.ACR_USERNAME }}
          generic-pass: ${{ secrets.ACR_PASSWORD }}

From what I can see in the apko-publish/action.yaml file the only required parameter is tag, but when running it, I get the following error:

Error: requires at least 2 arg(s), only received 1
2023/04/26 09:45:07 error during command execution: requires at least 2 arg(s), only received 1

The complete run log shows like this:

Run distroless/actions/apko-publish@main
  with:
    debug: true
    generic-user: <redacted>
    generic-pass: <redacted>
    config: .apko.yaml
    repository_owner: <redacted>
    repository: <redacted>
    token: ***
    image_refs: /tmp/apko.images
    automount-src: /home/runner/work/docker/docker/.apko-automount
    automount-dest: /work
    package-version-tag-stem: false
  env:
    ACR_REGISTRY: <redacted>
    ACR_USERNAME: <redacted>
    DOCKER_DIR: core-openjdk/6.0.0-17-new-relic-8.1.0
    VERSION_NUMBER: 6
    IMAGE_TAGS: <redacted>/core-openjdk:6.0.0-17-new-relic-8.1.0,<redacted>/core-openjdk:6
/usr/bin/docker run --name ghcriowolfidevapkolatest_e54c1c --label 6c044[2](https://github.com/<redacted>/docker/actions/runs/4807250722/jobs/8555772578#step:5:2) --workdir /github/workspace --rm -e "ACR_REGISTRY" -e "ACR_USERNAME" -e "DOCKER_DIR" -e "VERSION_NUMBER" -e "IMAGE_TAGS" -e "INPUT_TAG" -e "INPUT_DEBUG" -e "INPUT_GENERIC-USER" -e "INPUT_GENERIC-PASS" -e "INPUT_CONFIG" -e "INPUT_REPOSITORY_OWNER" -e "INPUT_REPOSITORY" -e "INPUT_TOKEN" -e "INPUT_IMAGE_REFS" -e "INPUT_STAGE_TAGS" -e "INPUT_KEYRING-APPEND" -e "INPUT_REPOSITORY-APPEND" -e "INPUT_ARCHS" -e "INPUT_BUILD-OPTIONS" -e "INPUT_SOURCE-DATE-EPOCH" -e "INPUT_USE-DOCKER-MEDIATYPES" -e "INPUT_AUTOMOUNT-SRC" -e "INPUT_AUTOMOUNT-DEST" -e "INPUT_PACKAGE-VERSION-TAG" -e "INPUT_PACKAGE-VERSION-TAG-STEM" -e "INPUT_PACKAGE-VERSION-TAG-PREFIX" -e "INPUT_TAG-SUFFIX" -e "INPUT_SBOM-PATH" -e "GITHUB_ACTOR" -e "GITHUB_TOKEN" -e "REPOSITORY" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_ID" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e GITHUB_ACTIONS=true -e CI=true --entrypoint "/bin/sh" -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/docker/docker":"/github/workspace" ghcr.io/wolfi-dev/apko:latest  "-c" "set -o errexit
set -o pipefail

if [[ \"midocker\" != \"\" && \"***\" != \"\" ]]; then
  echo \"***\" | \
    /usr/bin/apko login -u \"midocker\" \
      --password-stdin \"$(echo \"\" | cut -d'/' -f1)\"
fi

if [ -d \"/home/runner/work/docker/docker/.apko-automount\" ]; then
  echo \"Creating copy of /home/runner/work/docker/docker/.apko-automount at /work\"
  cp -r \"/home/runner/work/docker/docker/.apko-automount\" \"/work\"
fi
[ -n \"\" ] && export SOURCE_DATE_EPOCH=''
[ -n \"\" ] && keys=\"-k \"
[ -n \"\" ] && repos=\"-r \"
[ -n  \"\" ] && archs=\"--arch \"
build_options=\"\"
if [ -n \"\" ]; then
  opts=\"\"
  for opt in ${opts//,/ }; do
    build_options=\"${build_options} --build-option ${opt}\"
  done
fi

packageVersionTag=\"--package-version-tag=\"
if [ \"\" == \"\" ]; then
  repo=$(echo $REPOSITORY | cut -d'/' -f2)
  packageVersionTag=\"--package-version-tag=$repo\"
fi
packageVersionTagPrefix=\"--package-version-tag-prefix=\"

tagSuffix=\"--tag-suffix=\"
sbomPath=\"--sbom-path=\"

export DIGEST_FILE=$(mktemp)
/usr/bin/apko publish \
   \
  --package-version-tag-stem \
  '--debug' \
  --image-refs=\"/tmp/apko.images\" --stage-tags=\"\" .apko.yaml  $keys $repos $archs $build_options $packageVersionTag $packageVersionTagPrefix $tagSuffix $sbomPath | tee ${DIGEST_FILE}
echo EXIT CODE: $?
echo ::set-output name=digest::$(cat ${DIGEST_FILE})
"
202[3](https://github.com/<redacted>/docker/actions/runs/4807250722/jobs/8555772578#step:5:3)/0[4](https://github.com/<redacted>/docker/actions/runs/4807250722/jobs/8555772578#step:5:4)/26 09:4[5](https://github.com/<redacted>/docker/actions/runs/4807250722/jobs/8555772578#step:5:5):07 logged in via /github/home/.docker/config.json
Error: requires at least 2 arg(s), only received 1
2023/04/2[6](https://github.com/<redacted>/docker/actions/runs/4807250722/jobs/8555772578#step:5:6) 09:45:0[7](https://github.com/<redacted>/docker/actions/runs/4807250722/jobs/8555772578#step:5:7) error during command execution: requires at least 2 arg(s), only received 1

Any advice for how I can (try to) debug it further, or any tips of how to use it properly ?

apko-publish action uses deprecated "set-output" command.

Description

Just FYI, I saw the following warning at the end of a run of the apko-publish action. The action apparently worked fine, but this should be fixed before it is being deprecated...

Warning: The `set-output` command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

Actions are still referring to "distroless/actions" instead of "chainguard-images/actions"?

Hi,

not sure if this is intentional or just a leftover, but the action READMEs still contain references to the distroless/actions repository.

E.g. here:

uses: distroless/actions/apko-publish@main

Kind Regards,
Johannes

Allow providing a private key to sign images with `apko-snapshot`

Hey 👋🏻

Description

The existing apko-snapshot action allows the signing of images with "keyless" signing, which is based on identities (see). Even though this is the recommended approach, there are cases where it may be interesting to let users be responsible for the key management.

If this makes sense for the project, I can open a pull request adding this feature.

Let me know your thoughts. Thanks!

Add exclude_tags input to tags workflow

Add exclude_tags input to tags workflow, which takes a comma-separated list of tags to explicitly not check in order to save time for images which have many (1000+) tags.

cc @priyawadhwa

Add ability to remove sbom generation

Hello!

I am trying to remove the SBOM generation happening within our CICD build action, but regardless of where I pass the sbom=false we seem to still get sbom generated.

I've tried passing this in in build-options: in both the action itself, and in the workflow.
In the action I recieve an error " 2023/11/20 13:19:15 error during command execution: unknown flag: --build-option "

In the build workflow the message "❕ x86_64 | Not generating SBOMs (WantSBOM = false)" yet the sbom stil gets generated and pushed to our registry.

I may be doing something wrong here, but if not can this be considered as a feature later on?

Thank you!

How to use the apko-publish action with an APK image built in a previous step?

I am building a APK package, that is not (yet) included in Wolfi, in a Github Action.

After the package build, I would like to use that package in the apko-publish action to create an image using the local repository created by the previous step.

I have not found documentation on how to do that, unfortunately.

I got it working, so if someone wants to do something similar:
https://github.com/kastl-ars/wolfi-apkrane

Would you accept a PR adding an example to the README in the action's folder?

Kind Regards,
Johannes

P.S.: Thanks for creating all of the actions, especially apko-publish is really easy to use...

Error when using action: apko not found

Description

When using the apko-publish action, the following error is returned:

/bin/sh: /usr/bin/apko: not found

When debugging the issue, it appears that the image wolfi-dev/sdk should be used instead of wolfi-dev/apko:

echo PLEASE USE ghcr.io/wolfi-dev/sdk INSTEAD; exit 1

❯ crane config ghcr.io/wolfi-dev/apko:latest | jq .                   
{
  "architecture": "amd64",
  "author": "github.com/chainguard-dev/apko",
  "created": "2024-05-13T17:38:35Z",
  "history": [
    {
      "author": "apko",
      "created": "2024-05-13T17:38:35Z",
      "created_by": "apko",
      "comment": "This is an apko single-layer image"
    }
  ],
  "os": "linux",
  "rootfs": {
    "type": "layers",
    "diff_ids": [
      "sha256:b1e08228bcaad8a845ac36d9c2cfdb7da7d040e1311ed42fd79b1fbcb2851763"
    ]
  },
  "config": {
    "Cmd": [
      "-c",
      "echo PLEASE USE ghcr.io/wolfi-dev/sdk INSTEAD; exit 1"
    ],
    "Entrypoint": [
      "/bin/sh"
    ],
    "Env": [
      "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
      "SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt"
    ]
  }
}

tags workflow wipes out apko.images file

Since #47 , the file apko.images goes missing:

Run cat apko.images | sed 's/$/\n/g' | grep -v '^$' | jq -R -s -c 'split("\n")[:-1]' | jq .
cat: apko.images: No such file or directory
[]
cat: apko.images: No such file or directory

maybe something related to git checkout

cc @priyawadhwa

Security Policy violation SECURITY.md

This issue was automatically created by Allstar.

Security Policy Violation
Security policy not enabled.
A SECURITY.md file can give users information about what constitutes a vulnerability and how to report one securely so that information about a bug is not publicly visible. Examples of secure reporting methods include using an issue tracker with private issue support, or encrypted email with a published key.

To fix this, add a SECURITY.md file that explains how to handle vulnerabilities found in your repository. Go to https://github.com/chainguard-images/actions/security/policy to enable.

For more information, see https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository.

This issue will auto resolve when the policy is in compliance.

Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.

apko-publish action publishes funny tags?

Description

I just built this image using the apko-publish action (which was painless and pleasant, so a big THANK YOU):

https://github.com/kastl-ars/wolfi-node-with-bash/pkgs/container/wolfi-node-with-bash

It seems to work properly, but I am not sure if the tags are what they should be:

sha256-98e61a83fe048008e8f3dd4e0fefd3368531f8175101b94294a29b3a77587ae9.sbom

I never saw tags including a sbom suffix, so I am a little puzzled. The image has a latest tag, which I defined in the configuration file I gave to apko.

(Not sure how GitHub picks the one it shows on top, i.e. the most prominent one that can by copy&pasted. I would prefer to have the simple latest up there, but that might not be in the action's power?)

Kind Regards,
Johannes

Use the version of a package inside the image as the tag?

Is it possible to use the version of one of the packages installed in the image as a tag for the image? If the main "component" of an image is e.g. argocd-cli, then this could have the corresponding argocd-cli version as tag.

If not, this would be a nice feature to have.

Security Policy violation Branch Protection

This issue was automatically created by Allstar.

Security Policy Violation
Dismiss stale reviews not configured for branch main

This issue will auto resolve when the policy is in compliance.

Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.

chainguard-images / actions Goto Github PK

actions's People

Contributors

Stargazers

Watchers

Forkers

actions's Issues

Recommend Projects

Recommend Topics

Recommend Org