dcedc113e8
Some checks failed
Check for Upstream Stable Updates / Rebuild and push all variants (apko/flutter-sdk.yaml, flutter-sdk) (push) Blocked by required conditions
Check for Upstream Stable Updates / Create release for new Flutter version (push) Blocked by required conditions
Weekly Rebuild (CVE Updates) / rebuild (apko/base.yaml, base) (push) Failing after 24s
Weekly Rebuild (CVE Updates) / rebuild (apko/build.yaml, build) (push) Failing after 24s
Weekly Rebuild (CVE Updates) / rebuild (apko/dotnet-sdk.yaml, dotnet-sdk) (push) Failing after 27s
Weekly Rebuild (CVE Updates) / rebuild (apko/dotnet-runtime.yaml, dotnet-runtime) (push) Failing after 28s
Check for Upstream Stable Updates / Check Wolfi package updates (push) Successful in 14s
Check for Upstream Stable Updates / Check .NET stable releases (push) Successful in 1s
Check for Upstream Stable Updates / Check Flutter stable releases (push) Successful in 1s
Check for Upstream Stable Updates / Rebuild and push all variants (apko/base.yaml, base) (push) Failing after 17s
Check for Upstream Stable Updates / Rebuild and push all variants (apko/build.yaml, build) (push) Failing after 21s
Check for Upstream Stable Updates / Rebuild and push all variants (apko/dotnet-runtime.yaml, dotnet-runtime) (push) Failing after 20s
Weekly Rebuild (CVE Updates) / rebuild (apko/flutter-sdk.yaml, flutter-sdk) (push) Has been cancelled
Check for Upstream Stable Updates / Rebuild and push all variants (apko/dotnet-sdk.yaml, dotnet-sdk) (push) Has been cancelled
The heredoc with YAML indentation produced JSON with leading spaces, causing cosign to fail with "required field builder missing". Use jq -n with --arg to generate clean JSON. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
247 lines
9.8 KiB
YAML
247 lines
9.8 KiB
YAML
name: Check for Upstream Stable Updates
|
|
|
|
on:
|
|
schedule:
|
|
# Daily at 8am UTC
|
|
- cron: '0 8 * * *'
|
|
push:
|
|
paths:
|
|
- '.gitea/workflows/update-check.yaml'
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
env:
|
|
IMAGE_NAME: base-distro
|
|
|
|
jobs:
|
|
check-wolfi:
|
|
name: Check Wolfi package updates
|
|
runs-on: ubuntu-latest
|
|
outputs:
|
|
updated: ${{ steps.check.outputs.updated }}
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v3
|
|
|
|
- name: Install apko
|
|
run: |
|
|
APKO_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
|
|
APKO_VERSION=$(curl -fsSL "https://api.github.com/repos/chainguard-dev/apko/releases/latest" | jq -r '.tag_name')
|
|
APKO_VERSION_NUM="${APKO_VERSION#v}"
|
|
curl -fsSL "https://github.com/chainguard-dev/apko/releases/download/${APKO_VERSION}/apko_${APKO_VERSION_NUM}_linux_${APKO_ARCH}.tar.gz" \
|
|
-o /tmp/apko.tar.gz
|
|
tar xzf /tmp/apko.tar.gz --strip-components=1 -C /usr/local/bin
|
|
rm /tmp/apko.tar.gz
|
|
|
|
- name: Check for Wolfi package updates
|
|
id: check
|
|
run: |
|
|
# Resolve current packages for each variant and compare with last known state
|
|
UPDATED=false
|
|
|
|
for config in apko/base.yaml apko/build.yaml apko/dotnet-runtime.yaml apko/dotnet-sdk.yaml apko/flutter-sdk.yaml; do
|
|
VARIANT=$(basename "$config" .yaml)
|
|
echo "Checking $VARIANT..."
|
|
|
|
# Resolve package versions (dry-run build to see resolved versions)
|
|
RESOLVED=$(apko resolve "$config" 2>&1 || true)
|
|
HASH=$(echo "$RESOLVED" | sha256sum | cut -d' ' -f1)
|
|
|
|
echo "$VARIANT=$HASH" >> "$GITHUB_OUTPUT"
|
|
echo " Hash: $HASH"
|
|
done
|
|
|
|
echo "updated=$UPDATED" >> "$GITHUB_OUTPUT"
|
|
|
|
check-dotnet:
|
|
name: Check .NET stable releases
|
|
runs-on: ubuntu-latest
|
|
outputs:
|
|
new_version: ${{ steps.check.outputs.new_version }}
|
|
current_version: ${{ steps.check.outputs.current_version }}
|
|
steps:
|
|
- name: Check latest .NET stable release
|
|
id: check
|
|
run: |
|
|
# Query the .NET release metadata for the latest stable SDK
|
|
LATEST=$(curl -fsSL "https://dotnetcli.azureedge.net/dotnet/release-metadata/releases-index.json" \
|
|
| jq -r '[."releases-index"[] | select(."support-phase" == "active" or ."support-phase" == "go-live") | ."latest-sdk"] | sort_by(. | split(".") | map(tonumber)) | last')
|
|
|
|
echo "Latest .NET stable SDK: $LATEST"
|
|
echo "new_version=$LATEST" >> "$GITHUB_OUTPUT"
|
|
|
|
# Check if we already have a rebuild tag for this version
|
|
CURRENT_TAG="${LATEST}"
|
|
echo "current_version=$CURRENT_TAG" >> "$GITHUB_OUTPUT"
|
|
|
|
check-flutter:
|
|
name: Check Flutter stable releases
|
|
runs-on: ubuntu-latest
|
|
outputs:
|
|
new_version: ${{ steps.check.outputs.new_version }}
|
|
has_new: ${{ steps.check.outputs.has_new }}
|
|
steps:
|
|
- name: Check latest Flutter stable release
|
|
id: check
|
|
run: |
|
|
LATEST=$(curl -fsSL "https://storage.googleapis.com/flutter_infra_release/releases/releases_linux.json" \
|
|
| jq -r '.current_release.stable as $hash | .releases[] | select(.hash == $hash and .channel == "stable") | .version')
|
|
|
|
echo "Latest Flutter stable: $LATEST"
|
|
echo "new_version=$LATEST" >> "$GITHUB_OUTPUT"
|
|
|
|
# Check if a release with this tag already exists (unauthenticated, HTTP status only)
|
|
STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
|
|
"${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/tags/v${LATEST}")
|
|
|
|
if [ "$STATUS" = "200" ]; then
|
|
echo "Release v${LATEST} already exists, skipping"
|
|
echo "has_new=false" >> "$GITHUB_OUTPUT"
|
|
else
|
|
echo "New Flutter stable version found: $LATEST"
|
|
echo "has_new=true" >> "$GITHUB_OUTPUT"
|
|
fi
|
|
|
|
rebuild:
|
|
name: Rebuild and push all variants
|
|
needs: [check-wolfi, check-dotnet, check-flutter]
|
|
runs-on: ubuntu-latest
|
|
strategy:
|
|
matrix:
|
|
include:
|
|
- config: apko/base.yaml
|
|
variant: base
|
|
- config: apko/build.yaml
|
|
variant: build
|
|
- config: apko/dotnet-runtime.yaml
|
|
variant: dotnet-runtime
|
|
- config: apko/dotnet-sdk.yaml
|
|
variant: dotnet-sdk
|
|
- config: apko/flutter-sdk.yaml
|
|
variant: flutter-sdk
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v3
|
|
|
|
- name: Install apko
|
|
run: |
|
|
APKO_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
|
|
APKO_VERSION=$(curl -fsSL "https://api.github.com/repos/chainguard-dev/apko/releases/latest" | jq -r '.tag_name')
|
|
APKO_VERSION_NUM="${APKO_VERSION#v}"
|
|
curl -fsSL "https://github.com/chainguard-dev/apko/releases/download/${APKO_VERSION}/apko_${APKO_VERSION_NUM}_linux_${APKO_ARCH}.tar.gz" \
|
|
-o /tmp/apko.tar.gz
|
|
tar xzf /tmp/apko.tar.gz --strip-components=1 -C /usr/local/bin
|
|
rm /tmp/apko.tar.gz
|
|
|
|
- name: Install cosign
|
|
run: |
|
|
COSIGN_ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
|
|
COSIGN_VERSION=$(curl -fsSL "https://api.github.com/repos/sigstore/cosign/releases/latest" | jq -r '.tag_name')
|
|
curl -fsSL "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-${COSIGN_ARCH}" \
|
|
-o /usr/local/bin/cosign
|
|
chmod +x /usr/local/bin/cosign
|
|
|
|
- name: Login to Docker Registry
|
|
uses: docker/login-action@v3
|
|
with:
|
|
username: ${{ secrets.REGISTRY_USERNAME }}
|
|
password: ${{ secrets.REGISTRY_PASSWORD }}
|
|
|
|
- name: Build and push image
|
|
id: publish
|
|
run: |
|
|
IMAGE_REF=${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest
|
|
mkdir -p /tmp/sbom
|
|
apko publish ${{ matrix.config }} \
|
|
--sbom-path /tmp/sbom \
|
|
--image-refs /tmp/image-refs.txt \
|
|
"${IMAGE_REF}"
|
|
echo "image_ref=${IMAGE_REF}" >> "$GITHUB_OUTPUT"
|
|
DIGEST=$(head -1 /tmp/image-refs.txt | sed 's/.*@//')
|
|
echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Attach SBOM attestation
|
|
env:
|
|
COSIGN_YES: "true"
|
|
run: |
|
|
IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}"
|
|
SBOM_FILE=$(ls /tmp/sbom/*.spdx.json 2>/dev/null | head -1)
|
|
if [ -n "$SBOM_FILE" ]; then
|
|
cosign attach sbom --sbom "${SBOM_FILE}" "${IMAGE_DIGEST}"
|
|
echo "SBOM attached successfully"
|
|
else
|
|
echo "No SBOM file found, skipping"
|
|
fi
|
|
|
|
- name: Generate and attach provenance
|
|
env:
|
|
COSIGN_YES: "true"
|
|
run: |
|
|
IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}"
|
|
DIGEST_SHA=$(echo '${{ steps.publish.outputs.digest }}' | sed 's/sha256://')
|
|
jq -n \
|
|
--arg type "https://in-toto.io/Statement/v0.1" \
|
|
--arg predType "https://slsa.dev/provenance/v0.2" \
|
|
--arg name "${{ steps.publish.outputs.image_ref }}" \
|
|
--arg sha "$DIGEST_SHA" \
|
|
--arg builder "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
|
|
--arg buildType "https://apko.dev/build/v1" \
|
|
--arg uri "${{ github.server_url }}/${{ github.repository }}" \
|
|
--arg sha1 "${{ github.sha }}" \
|
|
--arg entry "${{ matrix.config }}" \
|
|
--arg runId "${{ github.run_id }}" \
|
|
'{
|
|
"_type": $type,
|
|
"predicateType": $predType,
|
|
"subject": [{"name": $name, "digest": {"sha256": $sha}}],
|
|
"predicate": {
|
|
"builder": {"id": $builder},
|
|
"buildType": $buildType,
|
|
"invocation": {
|
|
"configSource": {"uri": $uri, "digest": {"sha1": $sha1}, "entryPoint": $entry}
|
|
},
|
|
"metadata": {
|
|
"buildInvocationID": $runId,
|
|
"completeness": {"parameters": true, "environment": true, "materials": true}
|
|
}
|
|
}
|
|
}' > /tmp/provenance.json
|
|
cosign attest --predicate /tmp/provenance.json --type slsaprovenance "${IMAGE_DIGEST}"
|
|
echo "Provenance attestation attached successfully"
|
|
|
|
- name: Install Docker Scout
|
|
run: |
|
|
curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh
|
|
sh install-scout.sh
|
|
|
|
- name: Docker Scout CVE Scan
|
|
run: |
|
|
docker pull ${{ steps.publish.outputs.image_ref }}
|
|
docker scout cves ${{ steps.publish.outputs.image_ref }} --only-severity critical,high
|
|
|
|
notify-flutter:
|
|
name: Create release for new Flutter version
|
|
needs: [check-flutter]
|
|
if: needs.check-flutter.outputs.has_new == 'true'
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Create Gitea release
|
|
run: |
|
|
VERSION="${{ needs.check-flutter.outputs.new_version }}"
|
|
echo "Creating release v${VERSION} for new Flutter stable..."
|
|
|
|
curl -fsSL -X POST \
|
|
-H "Authorization: token ${{ secrets.GITEA_TOKEN }}" \
|
|
-H "Content-Type: application/json" \
|
|
"${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases" \
|
|
-d "{
|
|
\"tag_name\": \"v${VERSION}\",
|
|
\"name\": \"v${VERSION} - Flutter ${VERSION}\",
|
|
\"body\": \"Automated release triggered by Flutter stable ${VERSION} detection.\n\nUpstream: https://docs.flutter.dev/release/release-notes\",
|
|
\"draft\": false,
|
|
\"prerelease\": false
|
|
}"
|
|
|
|
echo "Release v${VERSION} created successfully"
|