From dbe2b852c557b8202ff69b00958dda28b61ecd08 Mon Sep 17 00:00:00 2001
From: Robert Sturla
Date: Sun, 21 Apr 2024 19:22:04 +0100
Subject: [PATCH] Support sharing matrix outputs
---
 .github/actions/set-matrix-output/action.yml | 0
 .github/workflows/build-images.yml | 0
 .github/workflows/build.yml | 61 ++++++++++-------
 .github/workflows/scan-images.yml | 70 ++++++++++++++++++++
 4 files changed, 106 insertions(+), 25 deletions(-)
 create mode 100644 .github/actions/set-matrix-output/action.yml
 create mode 100644 .github/workflows/build-images.yml
 create mode 100644 .github/workflows/scan-images.yml
diff --git a/.github/actions/set-matrix-output/action.yml b/.github/actions/set-matrix-output/action.yml
new file mode 100644
index 00000000..e69de29b
diff --git a/.github/workflows/build-images.yml b/.github/workflows/build-images.yml
new file mode 100644
index 00000000..e69de29b
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8efc9746..86944e5f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -101,20 +101,18 @@ jobs:
 private-key: ${{ secrets.ETERNAL_LINUX_SIGNING_KEY }}
 private-key-passphrase: ${{ secrets.ETERNAL_LINUX_SIGNING_KEY_PASSPHRASE }}
- - name: Generate SBOM
- id: generate-sbom
- if: github.event_name != 'pull_request'
- uses: ./.github/actions/generate-sbom
+ - name: Create Outputs File
+ run: |
+ echo "DIGEST=${{ steps.push.outputs.digest }}" >> $OUTPUTS_FILE
+ echo "IMAGE_NAME=${{ env.IMAGE_NAME }}" >> $OUTPUTS_FILE
+
+ - name: Upload Outputs File
+ uses: actions/upload-artifact@v4
 with:
- image-ref: ${{ steps.push.outputs.registry-path }}
- artifact-name: ${{ matrix.fedora-edition }}-${{ matrix.fedora-version }}-sbom
+ name: outputs-${{ env.IMAGE_NAME }}-${{ matrix.image-flavour }}-${{ matrix.fedora-version }}
+ if-no-files-found: error
+ path: ${{ env.OUTPUTS_FILE }}
- - name: Scan SBOM
- uses: ./.github/actions/scan-sbom
- if: github.event_name != 'pull_request'
- with:
- sbom-file: ${{ steps.generate-sbom.outputs.output-file }}
- artifact-name: ${{ matrix.fedora-edition }}-${{ matrix.fedora-version }}-scan
 build-nvidia:
 runs-on: ubuntu-latest
@@ -137,6 +135,7 @@ jobs:
 IMAGE_NAME: eternal-linux/main/${{ matrix.fedora-edition }}
 FEDORA_VERSION: ${{ matrix.fedora-version }}
 COREOS_KERNEL: "N/A"
+ OUTPUTS_FILE: /tmp/matrix-outputs.txt
 steps:
 - name: Checkout
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
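Review bot: Both build jobs lose their `Generate SBOM` and `Scan SBOM` steps here and in the matching hunk at `@@ -225,22 +224,20 @@`, yet nothing in this patch invokes the new `Scan Images` reusable workflow — `scan-images.yml` is `workflow_call` only and `build-images.yml` is added as an empty file — so pushed images are no longer scanned after this commit. If the scan is meant to move to the fan-in job, that wiring should land in the same change, or the removal should wait for it. The new `Create Outputs File` step also interpolates `${{ steps.push.outputs.digest }}` and `${{ env.IMAGE_NAME }}` directly into the shell script; the safer and more consistent form is to map the digest into `env:` and reference both as quoted shell variables, e.g. `echo "DIGEST=$DIGEST" >> "$OUTPUTS_FILE"` and `echo "IMAGE_NAME=$IMAGE_NAME" >> "$OUTPUTS_FILE"`. The build-base `env:` block is outside this hunk, so I cannot confirm `OUTPUTS_FILE` is defined for it the way `@@ -137,6 +135,7 @@` does for build-nvidia; if it is not, the unquoted `>> $OUTPUTS_FILE` redirect fails. The enclosing build-base job starts outside the hunk.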
@@ -225,22 +224,20 @@ jobs:
 private-key: ${{ secrets.ETERNAL_LINUX_SIGNING_KEY }}
 private-key-passphrase: ${{ secrets.ETERNAL_LINUX_SIGNING_KEY_PASSPHRASE }}
- - name: Generate SBOM
- id: generate-sbom
- uses: ./.github/actions/generate-sbom
- if: github.event_name != 'pull_request'
+ - name: Create Outputs File
+ run: |
+ echo "DIGEST=${{ steps.push.outputs.digest }}" >> $OUTPUTS_FILE
+ echo "IMAGE_NAME=${{ env.IMAGE_NAME }}" >> $OUTPUTS_FILE
+
+ - name: Upload Outputs File
+ uses: actions/upload-artifact@v4
 with:
- image-ref: ${{ steps.push.outputs.registry-path }}
- artifact-name: ${{ matrix.fedora-edition }}-${{ matrix.fedora-version }}-nvidia${{ matrix.nvidia-version }}-sbom
+ name: outputs-${{ env.IMAGE_NAME }}-${{ matrix.image-flavour }}-${{ matrix.fedora-version }}-nvidia${{ matrix.nvidia-version }}
+ if-no-files-found: error
+ path: ${{ env.OUTPUTS_FILE }}
- - name: Scan SBOM
- uses: ./.github/actions/scan-sbom
- if: github.event_name != 'pull_request'
- with:
- sbom-file: ${{ steps.generate-sbom.outputs.output-file }}
- artifact-name: ${{ matrix.fedora-edition }}-${{ matrix.fedora-version }}-nvidia${{ matrix.nvidia-version }}-scan
- check:
+ fan-in:
 needs: [build-base, build-nvidia]
 if: always()
 runs-on: ubuntu-latest
@@ -252,3 +249,17 @@ jobs:
 uses: ./.github/actions/check-jobs-success
 with:
 jobs: ${{ toJSON(needs) }}
+
+ - name: Download Outputs Files
+ uses: actions/download-artifact@v4
+ id: download-outputs
+ with:
+ pattern: outputs-*
+ merge-multiple: true
+
+ - name: Upload Outputs Files to Job Artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: merged-outputs
+ if-no-file-found: error
+ path: ${{ steps.download-outputs.outputs.download-path }}
diff --git a/.github/workflows/scan-images.yml b/.github/workflows/scan-images.yml
new file mode 100644
index 00000000..070b726e
--- /dev/null
+++ b/.github/workflows/scan-images.yml
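Review bot: The `Upload Outputs Files to Job Artifact` step in `@@ -252,3 +249,17 @@` spells the input `if-no-file-found`, while the action's input (and every other upload step in this patch) is `if-no-files-found`, so actions/upload-artifact will only warn about an unexpected input and the `error` guard is silently dropped: change it to `if-no-files-found: error`. More importantly, every per-matrix artifact contains a file with the same basename (`matrix-outputs.txt`, from the shared `OUTPUTS_FILE` path), and `merge-multiple: true` extracts all matched artifacts into a single directory, where same-named files overwrite each other as far as I can tell from download-artifact v4's behaviour — so `merged-outputs` would carry one job's `DIGEST`/`IMAGE_NAME` instead of all of them. Either drop `merge-multiple` so each artifact lands in its own subdirectory, or have the build jobs write the outputs file under a per-matrix-unique name. The `fan-in` job (renamed from `check` in the hunk above) runs with `if: always()`, so a failed build simply leaves its outputs artifact missing and the merged set incomplete without any signal; consider gating the download/upload steps on the `check-jobs-success` step's outcome. The fan-in job body starts outside this hunk.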
@@ -0,0 +1,70 @@
+name: Scan Images
+
+on:
+ workflow_call:
+ inputs:
+ images:
+ description: "A comma-separated list of images to scan. E.G. '[\"docker.io/library/alpine:3.14.0\", \"docker.io/library/alpine:3.13.6\"]'"
+ required: true
+ type: string
+
+jobs:
+ generate-matrix:
+ runs-on: ubuntu-latest
+ outputs:
+ matrix: ${{ steps.set-matrix.outputs.matrix }}
+ steps:
+ - name: Set matrix
+ id: set-matrix
+ env:
+ IMAGES: ${{ inputs.images }}
+ run: |
+ echo "matrix=$IMAGES" >> $GITHUB_OUTPUT
+ scan-image:
+ needs: generate-matrix
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ image: ${{fromJson(needs.generate-matrix.outputs.matrix)}}
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Maximize build space
+ uses: ublue-os/remove-unwanted-software@v6
+
+ - name: Install Syft
+ shell: bash
+ run: |
+ curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+ syft version
+ - name: Generate SBOM
+ env:
+ IMAGE: ${{ matrix.image }}
+ run: |
+ syft ${IMAGE} \
+ --output cyclonedx-json=sbom.json \
+ --config ./.github/syft.yml
+ - name: Scan SBOM
+ id: scan
+ uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a # v3
+ with:
+ sbom: sbom.json
+ output-format: json
+ fail-build: false
+
+ - name: Generate artifact name
+ id: artifact-name
+ env:
+ IMAGE: ${{ matrix.image }}
+ run: |
+ echo "name=$(echo ${IMAGE} | awk -F'/' '{print $NF}' | sed 's/:/-/g')" >> $GITHUB_OUTPUT
+ - name: Upload scan results
+ uses: actions/upload-artifact@v4
+ with:
+ name: security-${{ steps.artifact-name.outputs.name }}
+ if-no-files-found: error
+ path: |
+ sbom.json
+ ${{ steps.scan.outputs.json }}
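Review bot: The `Install Syft` step pipes `https://raw.githubusercontent.com/anchore/syft/main/install.sh` straight into `sh` with no version argument, so every run executes whatever is on the upstream `main` branch and installs the latest release — the very tool this workflow trusts to produce the SBOM is left unpinned and unverifiable. Pin both the script and the tool, e.g. `curl -sSfL https://raw.githubusercontent.com/anchore/syft/<PINNED_COMMIT>/install.sh | sh -s -- -b /usr/local/bin <SYFT_VERSION>` (placeholders), matching how `anchore/scan-action` is already pinned to a commit in this file, and do the same for `actions/checkout@v4` and `ublue-os/remove-unwanted-software@v6`, which `build.yml` pins by SHA but this file pins by tag. The `images` input is described as "A comma-separated list" while `fromJson(...)` in the `scan-image` matrix requires a JSON array, as the example itself shows; the description should say so, e.g. `description: "A JSON array of image references to scan, e.g. ..."`. `fail-build: false` with no follow-up step means findings never fail the run; if that is intentional, a comment stating the scan is report-only would help the next reader. The `Generate artifact name` step keeps only the last path component, so two images that differ only in registry or namespace would presumably produce the same `security-*` artifact name and the second upload would be rejected.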