Skip to content

Commit

Permalink
Publish nativelink-worker image for C++
Browse files Browse the repository at this point in the history
This should make it easier to spin up test instances for C++ projects.
The nativelink worker image may now be fetched from:

```
ghcr.io/tracemachina/nativelink-worker-lre-cc:<sometag>
```

Since the toolchain images are somewhat more complex than the minimal
`nativelink` image, we now use trivy to scan images for vulnerabilities.
The database for these scans is fetched dynamically. This breaks perfect
reproducibility for the image publishing workflow when rolling
back/reverting, but ensures that new commits aren't checked against
outdated vulnerability databases.
  • Loading branch information
aaronmondal committed Mar 26, 2024
1 parent 09b32c9 commit 30f2b1c
Show file tree
Hide file tree
Showing 6 changed files with 47 additions and 14 deletions.
19 changes: 15 additions & 4 deletions .github/workflows/image.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -12,10 +12,16 @@ permissions: read-all

jobs:
publish-image:
strategy:
fail-fast: false
matrix:
image: [image, nativelink-worker-lre-cc]
name: Publish ${{ matrix.image }}
runs-on: large-ubuntu-22.04
permissions:
packages: write
id-token: write
security-events: write
steps:

- name: Checkout
Expand All @@ -35,14 +41,19 @@ jobs:
- name: Test image
run: |
nix run .#local-image-test
nix run .#local-image-test ${{ matrix.image }}
- name: Upload image
run: |
nix run .#publish-ghcr
nix run .#publish-ghcr ${{ matrix.image }}
env:
GHCR_REGISTRY: ghcr.io
GHCR_REGISTRY: ghcr.io/${{ github.repository_owner }}
GHCR_USERNAME: ${{ github.actor }}
GHCR_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
GHCR_IMAGE_NAME: ${{ github.repository }}
if: github.ref == 'refs/heads/main'

- name: Upload trivy scan results to GitHub Security tab
uses: >- # v2.16.3
github/codeql-action/upload-sarif@592977e6ae857384aa79bb31e7a1d62d63449ec5
with:
sarif_file: 'trivy-results.sarif'
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -13,3 +13,4 @@ __pycache__
result
.bazelrc.user
MODULE.bazel.lock
trivy-results.sarif
3 changes: 2 additions & 1 deletion flake.nix
Original file line number Diff line number Diff line change
Expand Up @@ -130,7 +130,7 @@
inherit (nix2container.packages.${system}.nix2container) buildImage;

rbe-autogen = import ./local-remote-execution/rbe-autogen.nix {inherit pkgs nativelink buildImage;};
createWorker = import ./tools/create-worker.nix {inherit pkgs nativelink buildImage;};
createWorker = import ./tools/create-worker.nix {inherit pkgs nativelink buildImage self;};
in rec {
_module.args.pkgs = import self.inputs.nixpkgs {
inherit system;
Expand Down Expand Up @@ -203,6 +203,7 @@
pkgs.cilium-cli
pkgs.yarn
pkgs.vale
pkgs.trivy

# Additional tools from within our development environment.
local-image-test
Expand Down
10 changes: 10 additions & 0 deletions tools/create-worker.nix
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@
pkgs,
nativelink,
buildImage,
self,
...
}: let
# A temporary directory. Note that this doesn't set any permissions. Those
Expand Down Expand Up @@ -99,5 +100,14 @@ in
config = {
User = user;
WorkingDir = "/home/${user}";
Labels = {
"org.opencontainers.image.description" = "NativeLink worker generated from ${image.imageName}.";
"org.opencontainers.image.documentation" = "https://github.com/TraceMachina/nativelink";
"org.opencontainers.image.licenses" = "Apache-2.0";
"org.opencontainers.image.revision" = "${self.rev or self.dirtyRev or "dirty"}";
"org.opencontainers.image.source" = "https://github.com/TraceMachina/nativelink";
"org.opencontainers.image.title" = "NativeLink worker for ${image.imageName}";
"org.opencontainers.image.vendor" = "Trace Machina, Inc.";
};
};
}
11 changes: 8 additions & 3 deletions tools/local-image-test.nix
Original file line number Diff line number Diff line change
Expand Up @@ -2,18 +2,23 @@
pkgs.writeShellScriptBin "local-image-test" ''
set -xeuo pipefail
echo "Testing image: $1"
# Commit hashes would not be a good choice here as they are not
# fully dependent on the inputs to the image. For instance, amending
# nothing would still lead to a new hash. Instead we use the
# derivation hash as the tag so that the tag is reused if the image
# didn't change.
IMAGE_TAG=$(nix eval .#image.imageTag --raw)
IMAGE_TAG=$(nix eval .#$1.imageTag --raw)
IMAGE_NAME=$(nix eval .#$1.imageName --raw)
nix run .#image.copyTo \
docker-daemon:nativelink:''${IMAGE_TAG}
docker-daemon:''${IMAGE_NAME}:''${IMAGE_TAG}
# Ensure that the image has minimal closure size.
CI=1 ${pkgs.dive}/bin/dive \
nativelink:''${IMAGE_TAG} \
''${IMAGE_NAME}:''${IMAGE_TAG} \
--highestWastedBytes=0
${pkgs.trivy}/bin/trivy image ''${IMAGE_NAME}:''${IMAGE_TAG}
''
17 changes: 11 additions & 6 deletions tools/publish-ghcr.nix
Original file line number Diff line number Diff line change
Expand Up @@ -13,13 +13,12 @@ pkgs.writeShellScriptBin "publish-ghcr" ''
# nothing would still lead to a new hash. Instead we use the
# derivation hash as the tag so that the tag is reused if the image
# didn't change.
#
# If a positional argument is passed it overrides the tag value.
IMAGE_TAG=''${1:-$(nix eval .#image.imageTag --raw)}
IMAGE_TAG=$(nix eval .#$1.imageTag --raw)
IMAGE_NAME=$(nix eval .#$1.imageName --raw)
TAGGED_IMAGE=''${GHCR_REGISTRY}/''${GHCR_IMAGE_NAME,,}:''${IMAGE_TAG}
TAGGED_IMAGE=''${GHCR_REGISTRY,,}/''${IMAGE_NAME}:''${IMAGE_TAG}
nix run .#image.copyTo docker://''${TAGGED_IMAGE}
nix run .#$1.copyTo docker://''${TAGGED_IMAGE}
echo $GHCR_PASSWORD | ${pkgs.cosign}/bin/cosign \
login \
Expand All @@ -30,10 +29,16 @@ pkgs.writeShellScriptBin "publish-ghcr" ''
${pkgs.cosign}/bin/cosign \
sign \
--yes \
''${GHCR_REGISTRY}/''${GHCR_IMAGE_NAME,,}@$( \
''${GHCR_REGISTRY,,}/''${IMAGE_NAME}@$( \
${pkgs.skopeo}/bin/skopeo \
inspect \
--format "{{ .Digest }}" \
docker://''${TAGGED_IMAGE} \
)
${pkgs.trivy}/bin/trivy \
image \
--format sarif \
''${TAGGED_IMAGE} \
> trivy-results.sarif
''

0 comments on commit 30f2b1c

Please sign in to comment.