Commit
Merge branch 'main' into update-trixie
Showing 14 changed files with 294 additions and 31 deletions.
@@ -0,0 +1,10 @@ | ||
# Docs: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file | ||
|
||
version: 2 | ||
updates: | ||
- package-ecosystem: "github-actions" | ||
directory: "/" | ||
schedule: | ||
interval: "weekly" | ||
reviewers: | ||
- "gardenlinux/garden-linux-maintainers" |
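Review bot: only the `github-actions` ecosystem is covered here, while the Dockerfile in this same commit pulls `debian:trixie` / `debian:testing` base images that are pinned by tag only; adding a second entry with `package-ecosystem: "docker"` and `directory: "/"` would let Dependabot propose base-image updates through the same weekly schedule and reviewer team. For the `github-actions` entry, note that SHA-pinned steps are only tracked to a release when the trailing `# pin@vX.Y.Z` comment names an actual version tag, so those comments need to stay accurate.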
@@ -0,0 +1,21 @@ | ||
# Garden Linux Builder CI Workflows | ||
|
||
## `build.yml` | ||
|
||
Build container images on all branches. | ||
|
||
For pushes on the `main` branch, tags based on the git sha are created and pushed to the container registry and a pseudo-release called `latest` is updated on GitHub. | ||
This allows users to follow a rolling-release approach if they desire. | ||
|
||
## `release.yml` | ||
|
||
Tag container images and create GitHub Releases. | ||
This workflow only runs on demand (workflow dispatch). | ||
It should be run if a new release is desired. | ||
The workflow dispatch needs a parameter `component` which specifies which version component should be increased. | ||
This is either `minor` (the default) or `major`. | ||
`major` should be picked in cases where the new version has breaking changes (for example between the `build` script and the container image). | ||
|
||
## `differential-shellcheck.yml` | ||
|
||
Finds new warnings using [shellcheck](https://www.shellcheck.net) |
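Review bot: the `release.yml` section omits two things a maintainer triggering the dispatch needs to know: the job only runs when dispatched from `main` (it is guarded by `if: github.ref == 'refs/heads/main'`) and it depends on the helper scripts `.github/workflows/bump.py` and `.github/workflows/release.sh`, neither of which this README documents. The `differential-shellcheck.yml` sentence is also missing its full stop.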
@@ -0,0 +1,96 @@ | ||
#!/usr/bin/python | ||
|
||
""" | ||
Determine next version number for versions of a schema like v1.0 | ||
based on existing git tags and which component to bump (minor/major). | ||
""" | ||
|
||
import subprocess | ||
import re | ||
import sys | ||
import os | ||
|
||
|
||
def convert_version_to_sortable_int(major, minor): | ||
return major * 1000 + minor | ||
|
||
|
||
def determine_most_recent_existing_version(): | ||
tags = subprocess.run(["git", "tag"], capture_output=True).stdout.splitlines() | ||
|
||
versions = [] | ||
|
||
for t in tags: | ||
tag = t.decode() | ||
if re.match(r"v[0-9]+.[0-9]+", tag): | ||
tag_without_prefix = tag[1:] | ||
components = tag_without_prefix.split(".") | ||
assert len(components) == 2 | ||
major_int = int(components[0]) | ||
minor_int = int(components[1]) | ||
versions.append( | ||
{ | ||
"tag": tag, | ||
"sortNumber": convert_version_to_sortable_int(major_int, minor_int), | ||
"major": major_int, | ||
"minor": minor_int, | ||
} | ||
) | ||
|
||
if len(versions) == 0: | ||
print("No existing versions found") | ||
return { | ||
"tag": "v0.0", | ||
"sortNumber": convert_version_to_sortable_int(0, 0), | ||
"major": 0, | ||
"minor": 0, | ||
} | ||
|
||
def keyToSortVersions(v): | ||
return v["sortNumber"] | ||
|
||
versions.sort(key=keyToSortVersions, reverse=True) | ||
print(f"Sorted list of versions: {versions}") | ||
highest_existing_version_number = versions[0] | ||
|
||
return highest_existing_version_number | ||
|
||
|
||
def bump(most_recent_version, component_to_bump): | ||
new_version = "" | ||
|
||
if component_to_bump == "major": | ||
new_major = most_recent_version["major"] + 1 | ||
new_version = f"v{new_major}.0" | ||
elif component_to_bump == "minor": | ||
new_minor = most_recent_version["minor"] + 1 | ||
major = most_recent_version["major"] | ||
new_version = f"v{major}.{new_minor}" | ||
else: | ||
raise ( | ||
f"Invalid component provided: {component_to_bump}, only major or minor are supported." | ||
) | ||
|
||
return new_version | ||
|
||
|
||
def determine_component_to_bump(): | ||
if sys.argv[1] not in ["major", "minor"]: | ||
raise ("Usage: bump.py (major|minor)") | ||
return sys.argv[1] | ||
|
||
|
||
def main(): | ||
component_to_bump = determine_component_to_bump() | ||
most_recent_version = determine_most_recent_existing_version() | ||
new_version = bump(most_recent_version, component_to_bump) | ||
|
||
if os.getenv("GITHUB_OUTPUT"): | ||
with open(os.environ["GITHUB_OUTPUT"], "a") as file_handle: | ||
print(f"newVersion={new_version}", file=file_handle) | ||
else: | ||
print(f"No GitHub env found. New version is {new_version}") | ||
|
||
|
||
if __name__ == "__main__": | ||
main() |
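Review bot: `raise (f"Invalid component provided: ...")` in `bump` and `raise ("Usage: bump.py (major|minor)")` in `determine_component_to_bump` raise a plain string, which Python 3 rejects with `TypeError: exceptions must derive from BaseException`, so the intended message never reaches the workflow log; use `raise ValueError(...)` (or `raise SystemExit("Usage: ...")` for the usage case). `determine_component_to_bump` also reads `sys.argv[1]` without checking `len(sys.argv)`, so a missing argument ends in an `IndexError` rather than the usage text. In `determine_most_recent_existing_version`, the pattern `r"v[0-9]+.[0-9]+"` has an unescaped `.` and no end anchor, so `re.match` accepts tags such as `v1.2.3` and then trips the `assert len(components) == 2`; `re.fullmatch(r"v([0-9]+)\.([0-9]+)", tag)` expresses what is meant and yields the components directly. `subprocess.run(["git", "tag"], capture_output=True)` has no `check=True`, so a failing git call silently produces an empty tag list and the script falls back to `v0.0`, which would let the release workflow tag the image as `v0.1` or `v1.0`; fail loudly instead. Finally, sorting by the tuple `(major, minor)` avoids the `major * 1000 + minor` key, which misorders once `minor` reaches 1000.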
@@ -0,0 +1,37 @@ | ||
name: Differential ShellCheck | ||
on: | ||
push: | ||
branches: | ||
- main | ||
- rel-* | ||
pull_request: | ||
branches: | ||
- main | ||
- rel-* | ||
|
||
permissions: | ||
contents: read | ||
|
||
jobs: | ||
lint: | ||
runs-on: ubuntu-latest | ||
|
||
permissions: | ||
# required for all workflows | ||
security-events: write | ||
|
||
# only required for workflows in private repositories | ||
actions: read | ||
contents: read | ||
|
||
steps: | ||
- name: Repository checkout | ||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4.1.1 | ||
with: | ||
fetch-depth: 0 | ||
|
||
- id: ShellCheck | ||
name: Differential ShellCheck | ||
uses: redhat-plumbers-in-action/differential-shellcheck@91e2582e40236f831458392d905578d680baa138 # pin@aa647ec4466543e8555c2c3b648124a9813cee44 | ||
with: | ||
token: ${{ secrets.GITHUB_TOKEN }} |
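Review bot: the `# pin@aa647ec4466543e8555c2c3b648124a9813cee44` comment on the `differential-shellcheck` step names another commit SHA rather than a release tag, unlike the `# pin@v4.1.1` comment on `actions/checkout`, so neither a reviewer nor Dependabot can tell which upstream release `91e2582e40236f831458392d905578d680baa138` corresponds to; replace it with the upstream version tag. The SHA pinning itself, the read-only top-level `permissions: contents: read`, and the job-scoped `security-events: write` grant are the right shape.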
@@ -0,0 +1,43 @@ | ||
name: Release | ||
on: | ||
workflow_dispatch: | ||
inputs: | ||
component: | ||
description: 'Version component to increment (Use *minor* unless we have breaking changes)' | ||
required: true | ||
type: choice | ||
options: | ||
- minor | ||
- major | ||
jobs: | ||
release-new-version: | ||
runs-on: ubuntu-latest | ||
if: github.ref == 'refs/heads/main' && github.event.inputs.component != '' | ||
steps: | ||
- uses: actions/checkout@v4 | ||
with: | ||
fetch-depth: 0 | ||
- run: echo Version Component to Increase is ${{ github.event.inputs.component }} | ||
- name: get next version number | ||
run: .github/workflows/bump.py ${{ github.event.inputs.component }} | ||
id: bump | ||
- run: echo New version number ${{ steps.bump.outputs.newVersion }} | ||
- name: tag container image | ||
run: | | ||
SHA=$(git rev-parse HEAD) | ||
podman login -u token -p ${{ github.token }} ghcr.io | ||
podman pull ghcr.io/${{ github.repository }}:amd64-"$SHA" | ||
podman pull ghcr.io/${{ github.repository }}:arm64-"$SHA" | ||
podman manifest create ghcr.io/${{ github.repository }}:${{ steps.bump.outputs.newVersion }} | ||
podman manifest add ghcr.io/${{ github.repository }}:${{ steps.bump.outputs.newVersion }} ghcr.io/${{ github.repository }}:amd64-"$SHA" | ||
podman manifest add ghcr.io/${{ github.repository }}:${{ steps.bump.outputs.newVersion }} ghcr.io/${{ github.repository }}:arm64-"$SHA" | ||
podman manifest push ghcr.io/${{ github.repository }}:${{ steps.bump.outputs.newVersion }} | ||
sed -i 's|container_image=localhost/builder|container_image=ghcr.io/${{ github.repository }}:${{ steps.bump.outputs.newVersion }}|' build | ||
- name: git tag | ||
run: | | ||
git tag ${{ steps.bump.outputs.newVersion }} | ||
git push origin ${{ steps.bump.outputs.newVersion }} | ||
- name: create release (new version) | ||
run: | | ||
release="$(.github/workflows/release.sh ${{ secrets.GITHUB_TOKEN }} ${{ github.repository }} create ${{ steps.bump.outputs.newVersion }} "Builder (${{ steps.bump.outputs.newVersion }})")" | ||
.github/workflows/release.sh ${{ secrets.GITHUB_TOKEN }} ${{ github.repository }} upload "$release" download/build |
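Review bot: this workflow declares no `permissions:` block, so it runs with the repository's default `GITHUB_TOKEN` permissions even though it pushes a git tag, creates a GitHub Release and pushes a manifest to ghcr.io; declare `contents: write` and `packages: write` at the job level so the grant is explicit and minimal, matching what `differential-shellcheck.yml` already does for its own scopes. `podman login -u token -p ${{ github.token }} ghcr.io` and `release.sh ${{ secrets.GITHUB_TOKEN }} ...` both place the token on a command line, where it is visible in process listings; `podman login --password-stdin` and passing the token via `env:` avoid that. `actions/checkout@v4` is pinned by tag here while the shellcheck workflow pins by commit SHA, and the release workflow is the more sensitive of the two. The `sed -i ... build` rewrite is never committed, so the tag pushed in the next step does not contain it, and the last step uploads `download/build` rather than `build`; confirm that the rewritten script is the artifact that ends up attached to the release. The `github.event.inputs.component != ''` clause is redundant given `required: true` on the input.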
@@ -1,24 +1,28 @@ | ||
FROM debian:trixie AS mv_data | ||
FROM debian:testing AS mv_data | ||
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends build-essential ca-certificates git | ||
RUN git clone --depth=1 https://github.com/nkraetzschmar/mv_data | ||
RUN git clone --depth=1 https://github.com/gardenlinux/mv_data | ||
RUN make -C mv_data install | ||
|
||
FROM debian:trixie AS aws-kms-pkcs11 | ||
FROM debian:testing AS aws-kms-pkcs11 | ||
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends build-essential awscli ca-certificates cmake git libcurl4-openssl-dev libengine-pkcs11-openssl libjson-c-dev libssl-dev libp11-kit-dev libp11-dev zlib1g-dev | ||
RUN git clone --depth=1 --recurse-submodules -b 1.11.25 https://github.com/aws/aws-sdk-cpp | ||
RUN mkdir aws-sdk-cpp/.build && cd aws-sdk-cpp/.build && cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=OFF -DBUILD_ONLY="kms;acm-pca" .. && make -j "$(nproc)" install | ||
RUN git clone --depth=1 -b v0.0.10 https://github.com/JackOfMostTrades/aws-kms-pkcs11 | ||
RUN git clone --depth=1 -b v0.0.10 https://github.com/gardenlinux/aws-kms-pkcs11 | ||
RUN cd aws-kms-pkcs11 && make -j "$(nproc)" AWS_SDK_STATIC=y install | ||
RUN cp "/usr/lib/$(uname -m)-linux-gnu/pkcs11/aws_kms_pkcs11.so" /aws_kms_pkcs11.so | ||
|
||
FROM debian:trixie | ||
FROM debian:testing | ||
|
||
LABEL org.opencontainers.image.source="https://github.com/gardenlinux/builder" | ||
LABEL org.opencontainers.image.description="Builder for Garden Linux" | ||
|
||
COPY pkg.list /pkg.list | ||
RUN apt update && DEBIAN_FRONTEND=noninteractive apt install -y --no-install-recommends $(cat /pkg.list) && rm /pkg.list | ||
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends $(cat /pkg.list) && rm /pkg.list | ||
COPY --from=mv_data /usr/bin/mv_data /usr/bin/mv_data | ||
COPY --from=aws-kms-pkcs11 /aws_kms_pkcs11.so /aws_kms_pkcs11.so | ||
RUN mv /aws_kms_pkcs11.so "/usr/lib/$(uname -m)-linux-gnu/pkcs11/aws_kms_pkcs11.so" | ||
COPY builder /builder | ||
RUN mkdir /builder/cert | ||
COPY setup_namespace /usr/sbin/setup_namespace | ||
RUN echo 'root:0:65536' | tee /etc/subuid /etc/subgid > /dev/null | ||
RUN echo 'root:1:65535' | tee /etc/subuid /etc/subgid > /dev/null | ||
ENTRYPOINT [ "/usr/sbin/setup_namespace" ] |
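Review bot: the rendered diff shows `FROM debian:trixie` paired against `FROM debian:testing` in all three stages of a commit that merges into a branch named `update-trixie`, so confirm the merge resolved those lines as intended; whichever survives, both are mutable tags (`testing` in particular tracks a rolling suite), and pinning by digest (`debian:trixie@sha256:<digest>`) is what makes the image rebuildable from the same commit. The same applies to `git clone --depth=1 https://github.com/gardenlinux/mv_data`, which has no `-b` and therefore builds whatever the default branch holds at build time, unlike `aws-sdk-cpp` (`-b 1.11.25`) and `aws-kms-pkcs11` (`-b v0.0.10`). The `apt` to `apt-get` change is correct for a non-interactive build, and of the two subordinate-id lines, `root:1:65535` is the one that stops declaring the real uid/gid 0 as a subordinate id (as `root:0:65536` did); make sure that is the version that survives.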