From f5588f50b460708025448abc93a6e6cb00a795d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Artur=20Bory=C5=9B?= Date: Mon, 5 Feb 2024 20:56:52 +0100 Subject: [PATCH 1/8] Remova fedora flavor --- .github/workflows/build-and-release.yaml | 4 +- Containerfile.fedora | 73 ------------------------ README.md | 4 +- 3 files changed, 4 insertions(+), 77 deletions(-) delete mode 100644 Containerfile.fedora diff --git a/.github/workflows/build-and-release.yaml b/.github/workflows/build-and-release.yaml index 76bb856..7f02186 100644 --- a/.github/workflows/build-and-release.yaml +++ b/.github/workflows/build-and-release.yaml @@ -7,6 +7,8 @@ on: # Allows you to run this workflow manually from the Actions tab workflow_dispatch: push: + branches: + - master env: REGISTRY_USER: aborys @@ -17,7 +19,7 @@ jobs: build: strategy: matrix: - flavor: [rocky, rocky-minimal, fedora] + flavor: [rocky, rocky-minimal] # The type of runner that the job will run on runs-on: ubuntu-latest diff --git a/Containerfile.fedora b/Containerfile.fedora deleted file mode 100644 index 5cc863d..0000000 --- a/Containerfile.fedora +++ /dev/null 
@@ -1,73 +0,0 @@ -# This is a mix of: -# * https://github.com/containers/buildah/blob/main/contrib/buildahimage/Containerfile -# * https://github.com/containers/podman/blob/main/contrib/podmanimage/stable/Containerfile - -FROM registry.fedoraproject.org/fedora:39 - -# label "io.containers.capabilities"="CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,NET_BIND_SERVICE,SETFCAP,SETGID,SETPCAP,SETUID,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,NET_BIND_SERVICE,SETFCAP,SETGID,SETPCAP,SETUID,SYS_CHROOT" - -# Don't include container-selinux and remove -# directories used by dnf that are just taking -# up space. -# TODO: rpm --setcaps... needed due to Fedora (base) image builds -# being (maybe still?) affected by -# https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3 -RUN dnf -y update && \ - rpm --setcaps shadow-utils 2>/dev/null && \ - dnf -y install buildah fuse-overlayfs podman nodejs git --exclude container-selinux && \ - dnf -y clean all && \ - rm -rf /var/cache /var/log/dnf* /var/log/yum.* - -# Define uid/gid ranges for our user https://github.com/containers/buildah/issues/3053 -RUN useradd build && \ - echo -e "build:1:999\nbuild:1001:64535" > /etc/subuid && \ - echo -e "build:1:999\nbuild:1001:64535" > /etc/subgid && \ - mkdir -p /home/build/.local/share/containers && \ - mkdir -p /home/build/.config/containers && \ - chown -R build:build /home/build - -ARG _REPO_URL="https://raw.githubusercontent.com/containers/podman/main/contrib/podmanimage/stable" -ADD $_REPO_URL/containers.conf /etc/containers/containers.conf -ADD --chown=build:build $_REPO_URL/podman-containers.conf /home/build/.config/containers/containers.conf - -# Setup internal Buildah to pass secrets/subscriptions down from host to internal container -RUN printf '/run/secrets/etc-pki-entitlement:/run/secrets/etc-pki-entitlement\n/run/secrets/rhsm:/run/secrets/rhsm\n' > /etc/containers/mounts.conf - -# Copy & modify the defaults to provide reference if runtime changes needed. 
-# Changes here are required for running with fuse-overlay storage inside container. -RUN sed -e 's|^#mount_program|mount_program|g' \ - -e '/additionalimage.*/a "/var/lib/shared",' \ - -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' \ - /usr/share/containers/storage.conf \ - > /etc/containers/storage.conf && \ - chmod 644 /etc/containers/storage.conf && \ - chmod 644 /etc/containers/containers.conf - -RUN mkdir -p /var/lib/shared/overlay-images \ - /var/lib/shared/overlay-layers \ - /var/lib/shared/vfs-images \ - /var/lib/shared/vfs-layers && \ - touch /var/lib/shared/overlay-images/images.lock && \ - touch /var/lib/shared/overlay-layers/layers.lock && \ - touch /var/lib/shared/vfs-images/images.lock && \ - touch /var/lib/shared/vfs-layers/layers.lock - -# See: https://github.com/containers/buildah/issues/4669 -# Copy & modify the config for the `build` user and remove the global -# `runroot` and `graphroot` which current `build` user cannot access, -# in such case storage will choose a runroot in `/var/tmp`. -RUN sed -e 's|^#mount_program|mount_program|g' \ - -e 's|^graphroot|#graphroot|g' \ - -e 's|^runroot|#runroot|g' \ - /etc/containers/storage.conf \ - > /home/build/.config/containers/storage.conf && \ - chown build:build /home/build/.config/containers/storage.conf - -VOLUME /var/lib/containers -VOLUME /home/build/.local/share/containers - -# Set an environment variable to default to chroot isolation for RUN -# instructions and "buildah run". -ENV BUILDAH_ISOLATION=chroot - -USER build:build diff --git a/README.md b/README.md index 2636711..a3ec496 100644 --- a/README.md +++ b/README.md 
@@ -8,11 +8,10 @@ The image is based on official podman and buildah images: - https://github.com/containers/buildah/blob/main/contrib/buildahimage/Containerfile - https://github.com/containers/podman/blob/main/contrib/podmanimage/stable/Containerfile -There are three flavors of the image, depending on the base image: +There are two flavors of the image, depending on the base image: - `rocky` - based on `rocky:9` image. I recommend using this as a base image if you want to add more tools to it - `rocky-minimal` - based on `rocky:9-minimal`. I recommend using this image for running the jobs requiring only nodejs, podman and buildah. Rocky minimal images contain `microdnf` instead of `dnf`, and you may encounter issues with that. -- `fedora` - based on `fedora:39`, same as the original podman and buildah images. Size of this image is a lot bigger than Rocky based images. It takes a long time to build it for `arm64` on QEMU, so I may decide to remove it or provide only `amd64` variant. There are three tag variants: @@ -45,7 +44,6 @@ runner: labels: - rocky-minimal:docker://aborys/podman-builder:latest-rocky-minimal - rocky:docker://aborys/podman-builder:latest-rocky - - fedora:docker://aborys/podman-builder:latest-fedora container: options: --security-opt label=disable --security-opt seccomp=unconfined --device /dev/fuse:rw From a99710e868354e8933d5d230b92ae9b2dff3db8a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Artur=20Bory=C5=9B?= Date: Mon, 5 Feb 2024 21:03:43 +0100 Subject: [PATCH 2/8] Try scanning with syft+grype --- .github/workflows/build-and-scan.yaml | 56 +++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 .github/workflows/build-and-scan.yaml diff --git a/.github/workflows/build-and-scan.yaml b/.github/workflows/build-and-scan.yaml new file mode 100644 index 0000000..b5dc914 --- /dev/null +++ b/.github/workflows/build-and-scan.yaml 
@@ -0,0 +1,56 @@
+name: build-and-scan
+
+on:
+ workflow_dispatch:
+ push:
+
+env:
+ REGISTRY_USER: aborys
+ IMAGE_REGISTRY: docker.io
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+ build:
+ strategy:
+ matrix:
+ flavor: [rocky, rocky-minimal]
+ # The type of runner that the job will run on
+ runs-on: ubuntu-latest
+
+ # Steps represent a sequence of tasks that will be executed as part of the job
+ steps:
+ # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+ - uses: actions/checkout@v3
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Build ${{ matrix.flavor }} image
+ id: build-image
+ uses: redhat-actions/buildah-build@v2
+ with:
+ image: podman-builder
+ tags: latest-${{ matrix.flavor }} ${{ github.sha }}-${{ matrix.flavor }} ${{ startsWith(github.ref, 'refs/tags') && format('{0}-{1}', github.ref_name, matrix.flavor) || '' }}
+ containerfiles: |
+ ./Containerfile.${{ matrix.flavor }}
+ platforms: linux/amd64, linux/arm64
+
+ - name: Save image to file
+ run: podman save podman-builder:latest-${{ matrix.flavor }} -o ./image
+
+ - name: Create SBOM
+ uses: anchore/sbom-action@v0
+ with:
+ file: ./image
+ format: spdx-json
+ output-file: "${{ github.event.repository.name }}-sbom.spdx.json"
+
+ - name: Scan SBOM
+ id: scan
+ uses: anchore/scan-action@v3
+ with:
+ sbom: "${{ github.event.repository.name }}-sbom.spdx.json"
+
+ - name: upload Anchore scan SARIF report
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: ${{ steps.scan.outputs.sarif }}
From 6b3e0f1481d805f8529bf9e5c27ffa5da3273ab7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Artur=20Bory=C5=9B?=
Date: Tue, 20 Feb 2024 21:10:42 +0100
Subject: [PATCH 3/8] Try jenkins
---
 jenkins/build-image/Jenkinsfile | 89 +++++++++++++++++++++++++++++++++
 1 file changed, 89 insertions(+)
 create mode 100644 jenkins/build-image/Jenkinsfile
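Review bot: The two matrix jobs both upload SARIF through `github/codeql-action/upload-sarif` without a `category`, so code scanning cannot tell the `rocky` and `rocky-minimal` results for the same commit apart; add `category: ${{ matrix.flavor }}` to that step. Every third-party action in this file (`anchore/sbom-action@v0`, `anchore/scan-action@v3`, `docker/setup-qemu-action@v3`, `redhat-actions/buildah-build@v2`, `actions/checkout@v3`) is referenced by a floating tag, which is a weak basis for a workflow whose purpose is producing a trusted SBOM; pin each to a full commit SHA with the tag in a trailing comment. The `${{ github.event.repository.name }}-sbom.spdx.json` file name also omits the flavor, which is harmless while each matrix job has its own runner but would collide if the SBOMs were ever uploaded as artifacts.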
diff --git a/jenkins/build-image/Jenkinsfile b/jenkins/build-image/Jenkinsfile
new file mode 100644
index 0000000..f7270f3
--- /dev/null
+++ b/jenkins/build-image/Jenkinsfile
@@ -0,0 +1,89 @@
+pipeline{
+ agent{
+ kubernetes {
+ inheritFrom "docker-template"
+ yamlMergeStrategy merge()
+ yaml dockerBuilderAgent.getYaml()
+ defaultContainer "builder"
+ }
+ }
+ stages {
+ stage("Build docker images") {
+ parallel {
+ stage("Build rocky image") {
+ agent {
+ kubernetes {
+ inheritFrom "docker-template"
+ yamlMergeStrategy merge()
+ yaml dockerBuilderAgent.getYaml()
+ defaultContainer "builder"
+ }
+ }
+
+ steps {
+ script {
+ checkout scmGit(
+ branches: [
+ [
+ name: '*/master'
+ ]
+ ],
+ userRemoteConfigs: [
+ [
+ credentialsId: 'gitea',
+ url: 'https://gitea.arturb.xyz/artur-borys/podman-builder.git'
+ ]
+ ]
+ )
+ }
+ sh """
+ docker build -t podman-builder:latest-rocky -f Containerfile.rocky .
+ """
+ }
+ }
+ stage("Build rocky-minimal image") {
+ agent {
+ kubernetes {
+ inheritFrom "docker-template"
+ yamlMergeStrategy merge()
+ yaml dockerBuilderAgent.getYaml()
+ defaultContainer "builder"
+ }
+ }
+
+ steps {
+ script {
+ checkout scmGit(
+ branches: [
+ [
+ name: '*/master'
+ ]
+ ],
+ userRemoteConfigs: [
+ [
+ credentialsId: 'gitea',
+ url: 'https://gitea.arturb.xyz/artur-borys/podman-builder.git'
+ ]
+ ]
+ )
+ }
+ sh """
+ docker build -t podman-builder:latest-rocky-minimal -f Containerfile.rocky-minimal .
+ """
+ }
+ }
+ }
+ }
+ }
+ post{
+ always{
+ echo "========always========"
+ }
+ success{
+ echo "========pipeline executed successfully ========"
+ }
+ failure{
+ echo "========pipeline execution failed========"
+ }
+ }
+}
From 2870f435983b7563971344635a1f642ae416657c Mon Sep 17 00:00:00 2001
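Review bot: The top-level `agent { kubernetes { … } }` block at the start of the file is repeated verbatim as the `agent` of each parallel stage, so the pipeline allocates a pod for the enclosing pipeline that does no work while every stage spins up its own; declare `agent none` at the top level and keep the per-stage agents, or drop the per-stage ones. The `checkout scmGit(...)` call is likewise duplicated in both stages with a hard-coded `*/master` branch and repository URL, so a run of this job from any other branch still builds master; `checkout scm` would reuse the job's own SCM configuration and remove both copies. If the explicit form is kept on purpose (for example because the job is not multibranch), a one-line comment above the first `checkout` saying so would spare the next reader the question.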
From: =?UTF-8?q?Artur=20Bory=C5=9B?= Date: Fri, 2 Aug 2024 19:27:31 +0200 Subject: [PATCH 4/8] update --- .gitea/workflows/build.yaml | 6 ++-- Containerfile.rocky | 11 ++----- Containerfile.rocky-minimal | 10 ++---- example/config.yaml | 64 ++----------------------------------- 4 files changed, 11 insertions(+), 80 deletions(-) diff --git a/.gitea/workflows/build.yaml b/.gitea/workflows/build.yaml index 5150f8c..e581c14 100644 --- a/.gitea/workflows/build.yaml +++ b/.gitea/workflows/build.yaml @@ -5,6 +5,8 @@ name: build # Controls when the workflow will run on: push: + branches: + - "**" tags: - "**" @@ -14,13 +16,13 @@ jobs: build: strategy: matrix: - flavor: [rocky, rocky-minimal, fedora] + flavor: [rocky, rocky-minimal] runs-on: rocky-minimal # Steps represent a sequence of tasks that will be executed as part of the job steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Build ${{ matrix.flavor }} image id: build-image-rocky diff --git a/Containerfile.rocky b/Containerfile.rocky index 1a47562..03294f9 100644 --- a/Containerfile.rocky +++ b/Containerfile.rocky 
@@ -2,17 +2,10 @@ # * https://github.com/containers/buildah/blob/main/contrib/buildahimage/Containerfile # * https://github.com/containers/podman/blob/main/contrib/podmanimage/stable/Containerfile -# FROM registry.fedoraproject.org/fedora:latest FROM rockylinux:9 -# label "io.containers.capabilities"="CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,NET_BIND_SERVICE,SETFCAP,SETGID,SETPCAP,SETUID,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,NET_BIND_SERVICE,SETFCAP,SETGID,SETPCAP,SETUID,SYS_CHROOT" +LABEL "io.containers.capabilities"="CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,NET_BIND_SERVICE,SETFCAP,SETGID,SETPCAP,SETUID,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,NET_BIND_SERVICE,SETFCAP,SETGID,SETPCAP,SETUID,SYS_CHROOT" -# Don't include container-selinux and remove -# directories used by dnf that are just taking -# up space. -# TODO: rpm --setcaps... needed due to Fedora (base) image builds -# being (maybe still?) affected by -# https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3 RUN dnf -y update && \ rpm --setcaps shadow-utils 2>/dev/null && \ dnf -y install buildah fuse-overlayfs podman nodejs git --exclude container-selinux && \ @@ -27,7 +20,7 @@ RUN useradd build && \ mkdir -p /home/build/.config/containers && \ chown -R build:build /home/build -ARG _REPO_URL="https://raw.githubusercontent.com/containers/podman/main/contrib/podmanimage/stable" +ARG _REPO_URL="https://raw.githubusercontent.com/containers/image_build/main/podman" ADD $_REPO_URL/containers.conf /etc/containers/containers.conf ADD --chown=build:build $_REPO_URL/podman-containers.conf /home/build/.config/containers/containers.conf diff --git a/Containerfile.rocky-minimal b/Containerfile.rocky-minimal index b976876..f42318d 100644 --- a/Containerfile.rocky-minimal +++ b/Containerfile.rocky-minimal 
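Review bot: The new `ARG _REPO_URL` tracks the `main` branch of containers/image_build, and the two `ADD $_REPO_URL/…conf` context lines right below it fetch at build time with no checksum, so the `containers.conf` baked into the image is whatever that branch holds on the day of the build and cannot be reproduced or audited afterwards; the identical hunk in Containerfile.rocky-minimal has the same problem. Pin the URL to a commit (`https://raw.githubusercontent.com/containers/image_build/<COMMIT-PLACEHOLDER>/podman`), add `--checksum=sha256:<DIGEST-PLACEHOLDER>` to the `ADD`s if the builder supports it, or vendor the two files into this repository and `COPY` them. The `LABEL "io.containers.capabilities"` that this hunk turns from a comment into a real label lists the same ten capabilities twice (`CHOWN,…,SETUID` is repeated before `SYS_CHROOT`); de-duplicate it, since podman may read this label to decide which capabilities the container is started with. Deleting the comment block also leaves the context line `rpm --setcaps shadow-utils 2>/dev/null` unexplained; keep a one-liner such as `# re-apply file capabilities the base image may lack (bugzilla 1995337)`.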
@@ -5,14 +5,8 @@ # FROM registry.fedoraproject.org/fedora:latest FROM rockylinux:9-minimal -# label "io.containers.capabilities"="CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,NET_BIND_SERVICE,SETFCAP,SETGID,SETPCAP,SETUID,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,NET_BIND_SERVICE,SETFCAP,SETGID,SETPCAP,SETUID,SYS_CHROOT" +LABEL "io.containers.capabilities"="CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,NET_BIND_SERVICE,SETFCAP,SETGID,SETPCAP,SETUID,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,NET_BIND_SERVICE,SETFCAP,SETGID,SETPCAP,SETUID,SYS_CHROOT" -# Don't include container-selinux and remove -# directories used by dnf that are just taking -# up space. -# TODO: rpm --setcaps... needed due to Fedora (base) image builds -# being (maybe still?) affected by -# https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3 RUN printf "[main]\nexcludepkgs=container-selinux" > /etc/dnf/dnf.conf && \ microdnf -y update && \ rpm --setcaps shadow-utils 2>/dev/null && \ @@ -28,7 +22,7 @@ RUN useradd build && \ mkdir -p /home/build/.config/containers && \ chown -R build:build /home/build -ARG _REPO_URL="https://raw.githubusercontent.com/containers/podman/main/contrib/podmanimage/stable" +ARG _REPO_URL="https://raw.githubusercontent.com/containers/image_build/main/podman" ADD $_REPO_URL/containers.conf /etc/containers/containers.conf ADD --chown=build:build $_REPO_URL/podman-containers.conf /home/build/.config/containers/containers.conf diff --git a/example/config.yaml b/example/config.yaml index d2ed1b4..e03e5e0 100644 --- a/example/config.yaml +++ b/example/config.yaml 
@@ -1,95 +1,37 @@ -# Example configuration file, it's safe to copy this as the default config file without any modification. - -# You don't have to copy this file to your instance, -# just run `./act_runner generate-config > config.yaml` to generate a config file. - log: - # The level of logging, can be trace, debug, info, warn, error, fatal level: info runner: - # Where to store the registration result. file: .runner - # Execute how many tasks concurrently at the same time. capacity: 2 - # Extra environment variables to run jobs. - # Extra environment variables to run jobs from a file. - # It will be ignored if it's empty or the file doesn't exist. env_file: .env - # The timeout for a job to be finished. - # Please note that the Gitea instance also has a timeout (3h by default) for the job. - # So the job could be stopped by the Gitea instance if it's timeout is shorter than this. timeout: 3h - # Whether skip verifying the TLS certificate of the Gitea instance. insecure: false - # The timeout for fetching the job from the Gitea instance. fetch_timeout: 5s - # The interval for fetching the job from the Gitea instance. fetch_interval: 2s - # The labels of a runner are used to determine which jobs the runner can run, and how to run them. - # Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"] - # If it's empty when registering, it will ask for inputting labels. - # If it's empty when execute `deamon`, will use labels in `.runner` file. 
labels: - - ubuntu-latest:docker://node:16-bullseye - - ubuntu-22.04:docker://node:16-bullseye - - ubuntu-20.04:docker://node:16-bullseye - - ubuntu-18.04:docker://node:16-buster + - ubuntu-latest:docker://gitea/runner-images:ubuntu-latest + - ubuntu-22.04:docker://gitea/runner-images:ubuntu-22.04 + - ubuntu-20.04:docker://gitea/runner-images:ubuntu-20.04 - rocky-minimal:docker://aborys/podman-builder:latest-rocky-minimal - rocky:docker://aborys/podman-builder:latest-rocky - - fedora:docker://aborys/podman-builder:latest-fedora cache: - # Enable cache server to use actions/cache. enabled: true - # The directory to store the cache data. - # If it's empty, the cache data will be stored in $HOME/.cache/actcache. dir: "" - # The host of the cache server. - # It's not for the address to listen, but the address to connect from job containers. - # So 0.0.0.0 is a bad choice, leave it empty to detect automatically. host: "" - # The port of the cache server. - # 0 means to use a random available port. port: 0 - # The external cache server URL. Valid only when enable is true. - # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself. - # The URL should generally end with "/". external_server: "" container: - # Specifies the network to which the container will connect. - # Could be host, bridge or the name of a custom network. - # If it's empty, act_runner will create a network automatically. network: "" - # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker). privileged: false - # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway). options: --security-opt label=disable --security-opt seccomp=unconfined --device /dev/fuse:rw - # The parent directory of a job's working directory. - # If it's empty, /workspace will be used. workdir_parent: - # Volumes (including bind mounts) can be mounted to containers. 
Glob syntax is supported, see https://github.com/gobwas/glob - # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted. - # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to: - # valid_volumes: - # - data - # - /src/*.json - # If you want to allow any volume, please use the following configuration: - # valid_volumes: - # - '**' valid_volumes: [] - # overrides the docker client host with the specified one. - # If it's empty, act_runner will find an available docker host automatically. - # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers. - # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work. docker_host: "" - # Pull docker image(s) even if already present force_pull: false - # Rebuild docker image(s) even if already present force_rebuild: false host: - # The parent directory of a job's working directory. - # If it's empty, $HOME/.cache/act/ will be used. workdir_parent: From 04f9b1145b8f3679a9f2fd80d279495ccfba20e3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Artur=20Bory=C5=9B?= Date: Fri, 2 Aug 2024 19:39:21 +0200 Subject: [PATCH 5/8] GitHub actions test --- .github/workflows/build-and-release.yaml | 20 +++++++++++--------- .github/workflows/build-and-scan.yaml | 11 ++++++++--- 2 files changed, 19 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build-and-release.yaml b/.github/workflows/build-and-release.yaml index 7f02186..46fa203 100644 --- a/.github/workflows/build-and-release.yaml +++ b/.github/workflows/build-and-release.yaml @@ -9,6 +9,7 @@ on: push: branches: - master + - jenkins env: REGISTRY_USER: aborys 
@@ -26,7 +27,8 @@ jobs: # Steps represent a sequence of tasks that will be executed as part of the job steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v3 + - name: Checkout repository + uses: actions/checkout@v4 - name: Set up QEMU uses: docker/setup-qemu-action@v3 @@ -41,11 +43,11 @@ jobs: ./Containerfile.${{ matrix.flavor }} platforms: linux/amd64, linux/arm64 - - name: Push ${{ matrix.flavor }} image to docker.io - uses: redhat-actions/push-to-registry@v2 - with: - image: podman-builder - tags: latest-${{ matrix.flavor }} ${{ github.sha }}-${{ matrix.flavor }} ${{ startsWith(github.ref, 'refs/tags') && format('{0}-{1}', github.ref_name, matrix.flavor) || '' }} - registry: aborys - username: ${{ env.REGISTRY_USER }} - password: ${{ env.REGISTRY_PASSWORD }} + # - name: Push ${{ matrix.flavor }} image to docker.io + # uses: redhat-actions/push-to-registry@v2 + # with: + # image: podman-builder + # tags: latest-${{ matrix.flavor }} ${{ github.sha }}-${{ matrix.flavor }} ${{ startsWith(github.ref, 'refs/tags') && format('{0}-{1}', github.ref_name, matrix.flavor) || '' }} + # registry: aborys + # username: ${{ env.REGISTRY_USER }} + # password: ${{ env.REGISTRY_PASSWORD }} diff --git a/.github/workflows/build-and-scan.yaml b/.github/workflows/build-and-scan.yaml index b5dc914..3fd44a4 100644 --- a/.github/workflows/build-and-scan.yaml +++ b/.github/workflows/build-and-scan.yaml @@ -15,11 +15,15 @@ jobs: flavor: [rocky, rocky-minimal] # The type of runner that the job will run on runs-on: ubuntu-latest + permissions: + # required for all workflows + security-events: write # Steps represent a sequence of tasks that will be executed as part of the job steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v3 + - name: Checkout repository + uses: actions/checkout@v4 - name: Set up QEMU uses: docker/setup-qemu-action@v3 
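Review bot: The job-level `permissions:` block added to build-and-scan.yaml sets every scope it does not list to `none`, so after this hunk the job token has `security-events: write` and nothing else, and the `actions/checkout@v4` step that follows is presumably relying on the repository being public to clone without `contents`. Add `contents: read` (and `actions: read`, which the upload-sarif documentation asks for) next to `security-events: write` so the job keeps working if the repository is made private. The comment `# required for all workflows` is also misleading, because the scope is required by the SARIF upload step, not by all workflows; `# needed by github/codeql-action/upload-sarif` says why.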
@@ -48,9 +52,10 @@ jobs: id: scan uses: anchore/scan-action@v3 with: - sbom: "${{ github.event.repository.name }}-sbom.spdx.json" + sbom: "${{ github.event.repository.name }}-${{ matrix.flavor }}-sbom.spdx.json" + fail-build: false - name: upload Anchore scan SARIF report - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.scan.outputs.sarif }} From 9ed140cf526c6ca4750186d2e14d931718a2c260 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Artur=20Bory=C5=9B?= Date: Fri, 2 Aug 2024 20:17:01 +0200 Subject: [PATCH 6/8] update readme --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a3ec496..e384a01 100644 --- a/README.md +++ b/README.md @@ -5,8 +5,8 @@ I couldn't find any existing image from trusted entities, which has both podman The image is based on official podman and buildah images: -- https://github.com/containers/buildah/blob/main/contrib/buildahimage/Containerfile -- https://github.com/containers/podman/blob/main/contrib/podmanimage/stable/Containerfile +- https://github.com/containers/image_build/tree/main/podman +- https://github.com/containers/image_build/tree/main/buildah There are two flavors of the image, depending on the base image: From f1ceddbb58a4e6a340a0ee2e49a1166e28528a71 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Artur=20Bory=C5=9B?= Date: Fri, 2 Aug 2024 20:17:41 +0200 Subject: [PATCH 7/8] remove jenkins branch trigger --- .github/workflows/build-and-release.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/build-and-release.yaml b/.github/workflows/build-and-release.yaml index 46fa203..24d22d9 100644 --- a/.github/workflows/build-and-release.yaml +++ b/.github/workflows/build-and-release.yaml @@ -9,7 +9,6 @@ on: push: branches: - master - - jenkins env: REGISTRY_USER: aborys From 1d0d05be307ede1766d16b5ad1ffbdd9a8f9dcfa Mon Sep 17 00:00:00 2001 
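Review bot: The `Scan SBOM` step now reads `${{ github.event.repository.name }}-${{ matrix.flavor }}-sbom.spdx.json`, but the `Create SBOM` step above it (outside this hunk, and untouched according to the diffstat, whose 11 changed lines are fully accounted for by this and the previous hunk) still writes `output-file: "${{ github.event.repository.name }}-sbom.spdx.json"`, so the scan will look for a file that was never produced. Change the `output-file:` of the sbom-action step to the same flavor-qualified name. With `fail-build: false` the only place findings become visible is the uploaded SARIF, so a comment such as `# findings are reported via code scanning, not by failing the job` on that line would record the intent.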
From: =?UTF-8?q?Artur=20Bory=C5=9B?=
Date: Fri, 2 Aug 2024 20:20:56 +0200
Subject: [PATCH 8/8] uncomment push stage
---
 .github/workflows/build-and-release.yaml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/build-and-release.yaml b/.github/workflows/build-and-release.yaml
index 24d22d9..043faf6 100644
--- a/.github/workflows/build-and-release.yaml
+++ b/.github/workflows/build-and-release.yaml
@@ -42,11 +42,11 @@ jobs:
 ./Containerfile.${{ matrix.flavor }}
 platforms: linux/amd64, linux/arm64
- # - name: Push ${{ matrix.flavor }} image to docker.io
- # uses: redhat-actions/push-to-registry@v2
- # with:
- # image: podman-builder
- # tags: latest-${{ matrix.flavor }} ${{ github.sha }}-${{ matrix.flavor }} ${{ startsWith(github.ref, 'refs/tags') && format('{0}-{1}', github.ref_name, matrix.flavor) || '' }}
- # registry: aborys
- # username: ${{ env.REGISTRY_USER }}
- # password: ${{ env.REGISTRY_PASSWORD }}
+ - name: Push ${{ matrix.flavor }} image to docker.io
+ uses: redhat-actions/push-to-registry@v2
+ with:
+ image: podman-builder
+ tags: latest-${{ matrix.flavor }} ${{ github.sha }}-${{ matrix.flavor }} ${{ startsWith(github.ref, 'refs/tags') && format('{0}-{1}', github.ref_name, matrix.flavor) || '' }}
+ registry: aborys
+ username: ${{ env.REGISTRY_USER }}
+ password: ${{ env.REGISTRY_PASSWORD }}
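Review bot: The restored push step runs whenever the job runs, and `workflow_dispatch` (declared without a branch restriction near the top of this file, as the hunk in patch 1 shows) can be started from any branch, so a manual run on a feature branch would overwrite `latest-rocky` and `latest-rocky-minimal` on Docker Hub. Guard the step with `if: github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/')`. Nothing gates this push on the separate build-and-scan workflow either, so an image with open findings still ships under `latest-*`; if that is intended it deserves a comment, otherwise the scan could become a job in this workflow that the push `needs:`. `password: ${{ env.REGISTRY_PASSWORD }}` is fine provided `REGISTRY_PASSWORD` is populated from `secrets.*` in the `env:` block, which this hunk does not show.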