Skip to content

Bump the docker group with 3 updates #481

Bump the docker group with 3 updates

Bump the docker group with 3 updates #481

Workflow file for this run

name: spel repo builder
on:
# Run on demand
workflow_dispatch:
# Run pull requests against the main branch
pull_request:
branches: [main]
paths:
- 'Dockerfile.*'
- '.github/workflows/build.yml'
- 'package-templates/**'
# Run when a release is created
release:
types: [released]
permissions:
id-token: write
concurrency:
group: ${{ github.head_ref || github.ref }}
cancel-in-progress: true
jobs:
BuildRepo:
name: build-repo-el${{ matrix.el_version }}
runs-on: ubuntu-latest
strategy:
matrix:
el_version: [8, 9]
env:
SPEL_RELEASE_RELEASE: 4
AWS_DEFAULT_REGION: us-east-1
REPO_ENDPOINT: https://spel-packages.cloudarmor.io
REPO_BUCKET: spel-packages
REPO_PREFIX: repo
GPG_NAME: SPEL Packages <[email protected]>
DOCKER_NAME: spel-packages-el${{ matrix.el_version }}
REPO_PATH: .repo/el${{ matrix.el_version }}
steps:
- name: Maximize build space
run: |
set -xeuo pipefail
echo "Available storage:"
sudo df -h
echo
sudo rm -rf /usr/share/dotnet
sudo rm -rf /usr/local/lib/android
sudo rm -rf /opt/ghc
sudo rm -rf /usr/local/.ghcup
sudo rm -rf /opt/hostedtoolcache/CodeQL
sudo rm -rf /usr/local/share/boost
sudo rm -rf "$AGENT_TOOLSDIRECTORY"
sudo apt-get remove -y '^aspnetcore-.*' > /dev/null
sudo apt-get remove -y '^dotnet-.*' > /dev/null
sudo apt-get remove -y '^llvm-.*' > /dev/null
sudo apt-get remove -y 'php.*' > /dev/null
sudo apt-get remove -y '^mongodb-.*' > /dev/null
sudo apt-get remove -y '^mysql-.*' > /dev/null
sudo apt-get remove -y azure-cli google-chrome-stable firefox mono-devel libgl1-mesa-dri --fix-missing > /dev/null
sudo apt-get autoremove -y > /dev/null
sudo apt-get clean > /dev/null
sudo docker image prune --all --force > /dev/null
echo "Available storage:"
sudo df -h
echo
- name: Clone this git repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- name: Install aws-cli
uses: unfor19/install-aws-cli-action@e8b481e524a99f37fbd39fdc1dcb3341ab091367
- name: Retrieve existing spel-packages yum repo
run: |
mkdir -p ./${{ env.REPO_PATH }}
aws s3 sync --no-sign-request --exact-timestamps --endpoint-url ${{ env.REPO_ENDPOINT }} s3://${{ env.REPO_BUCKET }}/${{ env.REPO_PREFIX }}/el${{ matrix.el_version }} ./${{ env.REPO_PATH }}
- name: Get pinned versions
run: |
echo "AMAZONLINUX_VERSION=$(make amazonlinux/version)" | tee -a "$GITHUB_ENV"
echo "EL_VERSION=$(make el${{ matrix.el_version }}/version)" | tee -a "$GITHUB_ENV"
echo "GOLANG_VERSION=$(make golang/version)" | tee -a "$GITHUB_ENV"
echo "GOMPLATE_VERSION=$(make gomplate/version)" | tee -a "$GITHUB_ENV"
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db
- name: Build el${{ matrix.el_version }} repo
uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445
with:
file: Dockerfile.el${{ matrix.el_version }}
context: .
load: true
tags: spel-packages-el${{ matrix.el_version }}
build-args: |
AMZN_VERSION=${{ env.AMAZONLINUX_VERSION }}
EL_VERSION=${{ env.EL_VERSION }}
GOLANG_VERSION=${{ env.GOLANG_VERSION }}
GOMPLATE_VERSION=${{ env.GOMPLATE_VERSION }}
EPEL_RELEASE_URL=https://dl.fedoraproject.org/pub/epel/epel-release-latest-${{ matrix.el_version }}.noarch.rpm
SPEL_RELEASE_BASEURL=${{ env.REPO_ENDPOINT }}/${{ env.REPO_PREFIX }}/el${{ matrix.el_version }}
SPEL_RELEASE_RELEASE=${{ env.SPEL_RELEASE_RELEASE }}
- name: Copy built packages to host
run: |
docker run -dit --rm \
--name ${{ env.DOCKER_NAME }} \
${{ env.DOCKER_NAME }}
docker cp ${{ env.DOCKER_NAME }}:/spel-packages/builder/repo/. ./${{ env.REPO_PATH }}/
- name: Import GPG key
if: github.event_name != 'pull_request'
id: import_gpg
uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.GPG_PASSPHRASE }}
- name: Sign packages
if: github.event_name != 'pull_request'
run: |
mapfile -t PACKAGES < <(find ./${{ env.REPO_PATH }}/packages -name '*.rpm' -type f)
rpmsign --addsign \
--define='%_gpg_name ${{ env.GPG_NAME }}' \
--define='%_signature gpg' \
"${PACKAGES[@]}"
- name: Create yum repo and copy repodata to host
run: |
rm -rf ./${{ env.REPO_PATH }}/repodata
docker cp ./${{ env.REPO_PATH }} ${{ env.DOCKER_NAME }}:/spel-packages/repo
docker exec ${{ env.DOCKER_NAME }} createrepo /spel-packages/repo
docker cp ${{ env.DOCKER_NAME }}:/spel-packages/repo/repodata ./${{ env.REPO_PATH }}/
- name: Sign yum repodata
if: github.event_name != 'pull_request'
run: |
gpg --batch --yes \
--detach-sign --armor \
-u '${{ env.GPG_NAME }}' \
./${{ env.REPO_PATH }}/repodata/repomd.xml
docker cp ./${{ env.REPO_PATH }}/repodata/repomd.xml.asc ${{ env.DOCKER_NAME }}:/spel-packages/repo/repodata
# upload repo artifact before testing them to troubleshoot failures
- name: Store repo as artifact
uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029
with:
name: spel-repo-el${{ matrix.el_version }}
path: .repo/el${{ matrix.el_version }}
retention-days: 3
- name: Test signed packages and yum repo
if: github.event_name != 'pull_request'
run: |
docker exec \
${{ env.DOCKER_NAME }} \
bash -c 'yum install -y --setopt=skip_missing_names_on_install=False $(<packages-built)'
docker stop ${{ env.DOCKER_NAME }}
- name: Test unsigned packages and yum repo
if: github.event_name == 'pull_request'
run: |
docker exec \
${{ env.DOCKER_NAME }} \
bash -c 'yum install -y --nogpgcheck --setopt=skip_missing_names_on_install=False $(<packages-built)'
docker stop ${{ env.DOCKER_NAME }}
- name: configure aws credentials
if: github.event_name != 'pull_request'
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
with:
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
aws-region: us-east-1
- name: Validate credential
if: github.event_name != 'pull_request'
run: aws sts get-caller-identity
- name: Push repo to s3 bucket
if: github.event_name != 'pull_request'
run: |
SPEL_DOD_CERTS="$(find ./${{ env.REPO_PATH }}/packages/noarch/ -name 'spel-dod-certs-*' | sort --field-separator=- --key=4.1Vr,4 --key=5Vr | head -1)"
SPEL_WCF_CERTS="$(find ./${{ env.REPO_PATH }}/packages/noarch/ -name 'spel-wcf-certs-*' | sort --field-separator=- --key=4.1Vr,4 --key=5Vr | head -1)"
aws s3 sync --delete ./${{ env.REPO_PATH }}/ s3://${{ env.REPO_BUCKET }}/${{ env.REPO_PREFIX }}/el${{ matrix.el_version }}/
aws s3 cp ./${{ env.REPO_PATH }}/packages/noarch/spel-release-${{ matrix.el_version}}-${{ env.SPEL_RELEASE_RELEASE }}.noarch.rpm s3://${{ env.REPO_BUCKET }}/${{ env.REPO_PREFIX }}/spel-release-latest-${{ matrix.el_version }}.noarch.rpm
aws s3 cp "$SPEL_DOD_CERTS" s3://${{ env.REPO_BUCKET }}/${{ env.REPO_PREFIX }}/spel-dod-certs-latest-${{ matrix.el_version }}.noarch.rpm
aws s3 cp "$SPEL_WCF_CERTS" s3://${{ env.REPO_BUCKET }}/${{ env.REPO_PREFIX }}/spel-wcf-certs-latest-${{ matrix.el_version }}.noarch.rpm