Bump the docker group with 3 updates #481
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: spel repo builder | |
on: | |
# Run on demand | |
workflow_dispatch: | |
# Run pull requests against the main branch | |
pull_request: | |
branches: [main] | |
paths: | |
- 'Dockerfile.*' | |
- '.github/workflows/build.yml' | |
- 'package-templates/**' | |
# Run when a release is created | |
release: | |
types: [released] | |
permissions: | |
id-token: write | |
concurrency: | |
group: ${{ github.head_ref || github.ref }} | |
cancel-in-progress: true | |
jobs: | |
BuildRepo: | |
name: build-repo-el${{ matrix.el_version }} | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
el_version: [8, 9] | |
env: | |
SPEL_RELEASE_RELEASE: 4 | |
AWS_DEFAULT_REGION: us-east-1 | |
REPO_ENDPOINT: https://spel-packages.cloudarmor.io | |
REPO_BUCKET: spel-packages | |
REPO_PREFIX: repo | |
GPG_NAME: SPEL Packages <[email protected]> | |
DOCKER_NAME: spel-packages-el${{ matrix.el_version }} | |
REPO_PATH: .repo/el${{ matrix.el_version }} | |
steps: | |
- name: Maximize build space | |
run: | | |
set -xeuo pipefail | |
echo "Available storage:" | |
sudo df -h | |
echo | |
sudo rm -rf /usr/share/dotnet | |
sudo rm -rf /usr/local/lib/android | |
sudo rm -rf /opt/ghc | |
sudo rm -rf /usr/local/.ghcup | |
sudo rm -rf /opt/hostedtoolcache/CodeQL | |
sudo rm -rf /usr/local/share/boost | |
sudo rm -rf "$AGENT_TOOLSDIRECTORY" | |
sudo apt-get remove -y '^aspnetcore-.*' > /dev/null | |
sudo apt-get remove -y '^dotnet-.*' > /dev/null | |
sudo apt-get remove -y '^llvm-.*' > /dev/null | |
sudo apt-get remove -y 'php.*' > /dev/null | |
sudo apt-get remove -y '^mongodb-.*' > /dev/null | |
sudo apt-get remove -y '^mysql-.*' > /dev/null | |
sudo apt-get remove -y azure-cli google-chrome-stable firefox mono-devel libgl1-mesa-dri --fix-missing > /dev/null | |
sudo apt-get autoremove -y > /dev/null | |
sudo apt-get clean > /dev/null | |
sudo docker image prune --all --force > /dev/null | |
echo "Available storage:" | |
sudo df -h | |
echo | |
- name: Clone this git repository | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 | |
- name: Install aws-cli | |
uses: unfor19/install-aws-cli-action@e8b481e524a99f37fbd39fdc1dcb3341ab091367 | |
- name: Retrieve existing spel-packages yum repo | |
run: | | |
mkdir -p ./${{ env.REPO_PATH }} | |
aws s3 sync --no-sign-request --exact-timestamps --endpoint-url ${{ env.REPO_ENDPOINT }} s3://${{ env.REPO_BUCKET }}/${{ env.REPO_PREFIX }}/el${{ matrix.el_version }} ./${{ env.REPO_PATH }} | |
- name: Get pinned versions | |
run: | | |
echo "AMAZONLINUX_VERSION=$(make amazonlinux/version)" | tee -a "$GITHUB_ENV" | |
echo "EL_VERSION=$(make el${{ matrix.el_version }}/version)" | tee -a "$GITHUB_ENV" | |
echo "GOLANG_VERSION=$(make golang/version)" | tee -a "$GITHUB_ENV" | |
echo "GOMPLATE_VERSION=$(make gomplate/version)" | tee -a "$GITHUB_ENV" | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db | |
- name: Build el${{ matrix.el_version }} repo | |
uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 | |
with: | |
file: Dockerfile.el${{ matrix.el_version }} | |
context: . | |
load: true | |
tags: spel-packages-el${{ matrix.el_version }} | |
build-args: | | |
AMZN_VERSION=${{ env.AMAZONLINUX_VERSION }} | |
EL_VERSION=${{ env.EL_VERSION }} | |
GOLANG_VERSION=${{ env.GOLANG_VERSION }} | |
GOMPLATE_VERSION=${{ env.GOMPLATE_VERSION }} | |
EPEL_RELEASE_URL=https://dl.fedoraproject.org/pub/epel/epel-release-latest-${{ matrix.el_version }}.noarch.rpm | |
SPEL_RELEASE_BASEURL=${{ env.REPO_ENDPOINT }}/${{ env.REPO_PREFIX }}/el${{ matrix.el_version }} | |
SPEL_RELEASE_RELEASE=${{ env.SPEL_RELEASE_RELEASE }} | |
- name: Copy built packages to host | |
run: | | |
docker run -dit --rm \ | |
--name ${{ env.DOCKER_NAME }} \ | |
${{ env.DOCKER_NAME }} | |
docker cp ${{ env.DOCKER_NAME }}:/spel-packages/builder/repo/. ./${{ env.REPO_PATH }}/ | |
- name: Import GPG key | |
if: github.event_name != 'pull_request' | |
id: import_gpg | |
uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 | |
with: | |
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | |
passphrase: ${{ secrets.GPG_PASSPHRASE }} | |
- name: Sign packages | |
if: github.event_name != 'pull_request' | |
run: | | |
mapfile -t PACKAGES < <(find ./${{ env.REPO_PATH }}/packages -name '*.rpm' -type f) | |
rpmsign --addsign \ | |
--define='%_gpg_name ${{ env.GPG_NAME }}' \ | |
--define='%_signature gpg' \ | |
"${PACKAGES[@]}" | |
- name: Create yum repo and copy repodata to host | |
run: | | |
rm -rf ./${{ env.REPO_PATH }}/repodata | |
docker cp ./${{ env.REPO_PATH }} ${{ env.DOCKER_NAME }}:/spel-packages/repo | |
docker exec ${{ env.DOCKER_NAME }} createrepo /spel-packages/repo | |
docker cp ${{ env.DOCKER_NAME }}:/spel-packages/repo/repodata ./${{ env.REPO_PATH }}/ | |
- name: Sign yum repodata | |
if: github.event_name != 'pull_request' | |
run: | | |
gpg --batch --yes \ | |
--detach-sign --armor \ | |
-u '${{ env.GPG_NAME }}' \ | |
./${{ env.REPO_PATH }}/repodata/repomd.xml | |
docker cp ./${{ env.REPO_PATH }}/repodata/repomd.xml.asc ${{ env.DOCKER_NAME }}:/spel-packages/repo/repodata | |
# upload repo artifact before testing them to troubleshoot failures | |
- name: Store repo as artifact | |
uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 | |
with: | |
name: spel-repo-el${{ matrix.el_version }} | |
path: .repo/el${{ matrix.el_version }} | |
retention-days: 3 | |
- name: Test signed packages and yum repo | |
if: github.event_name != 'pull_request' | |
run: | | |
docker exec \ | |
${{ env.DOCKER_NAME }} \ | |
bash -c 'yum install -y --setopt=skip_missing_names_on_install=False $(<packages-built)' | |
docker stop ${{ env.DOCKER_NAME }} | |
- name: Test unsigned packages and yum repo | |
if: github.event_name == 'pull_request' | |
run: | | |
docker exec \ | |
${{ env.DOCKER_NAME }} \ | |
bash -c 'yum install -y --nogpgcheck --setopt=skip_missing_names_on_install=False $(<packages-built)' | |
docker stop ${{ env.DOCKER_NAME }} | |
- name: configure aws credentials | |
if: github.event_name != 'pull_request' | |
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 | |
with: | |
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }} | |
aws-region: us-east-1 | |
- name: Validate credential | |
if: github.event_name != 'pull_request' | |
run: aws sts get-caller-identity | |
- name: Push repo to s3 bucket | |
if: github.event_name != 'pull_request' | |
run: | | |
SPEL_DOD_CERTS="$(find ./${{ env.REPO_PATH }}/packages/noarch/ -name 'spel-dod-certs-*' | sort --field-separator=- --key=4.1Vr,4 --key=5Vr | head -1)" | |
SPEL_WCF_CERTS="$(find ./${{ env.REPO_PATH }}/packages/noarch/ -name 'spel-wcf-certs-*' | sort --field-separator=- --key=4.1Vr,4 --key=5Vr | head -1)" | |
aws s3 sync --delete ./${{ env.REPO_PATH }}/ s3://${{ env.REPO_BUCKET }}/${{ env.REPO_PREFIX }}/el${{ matrix.el_version }}/ | |
aws s3 cp ./${{ env.REPO_PATH }}/packages/noarch/spel-release-${{ matrix.el_version}}-${{ env.SPEL_RELEASE_RELEASE }}.noarch.rpm s3://${{ env.REPO_BUCKET }}/${{ env.REPO_PREFIX }}/spel-release-latest-${{ matrix.el_version }}.noarch.rpm | |
aws s3 cp "$SPEL_DOD_CERTS" s3://${{ env.REPO_BUCKET }}/${{ env.REPO_PREFIX }}/spel-dod-certs-latest-${{ matrix.el_version }}.noarch.rpm | |
aws s3 cp "$SPEL_WCF_CERTS" s3://${{ env.REPO_BUCKET }}/${{ env.REPO_PREFIX }}/spel-wcf-certs-latest-${{ matrix.el_version }}.noarch.rpm |