chainguard-images / actions
GitHub actions for the chainguard-images
License: Apache License 2.0
Hi,
not sure if this is intentional or just a leftover, but the action READMEs still contain references to the distroless/actions repository.
E.g. here:
uses: distroless/actions/apko-publish@main
Kind Regards,
Johannes
Description
See chainguard-dev/apko@a1d2154
Several options were removed from apko publish:
cmd.Flags().StringVar(&packageVersionTag, "package-version-tag", "", "Tag the final image with the version of the package passed in")
cmd.Flags().BoolVar(&packageVersionTagStem, "package-version-tag-stem", false, "add additional tags by stemming the package version")
cmd.Flags().StringVar(&packageVersionTagPrefix, "package-version-tag-prefix", "", "prefix for package version tag(s)")
cmd.Flags().StringVar(&tagSuffix, "tag-suffix", "", "suffix to use for automatically generated tags")
cmd.Flags().StringVar(&stageTags, "stage-tags", "", "path to file to write list of tags to instead of publishing them")
This means all the examples in https://github.com/chainguard-dev/hello-melange-apko/tree/main are failing the CICD.
I am building an APK package, which is not (yet) included in Wolfi, in a GitHub Action.
After the package build, I would like to use that package in the apko-publish action to create an image using the local repository created by the previous step.
I have not found documentation on how to do that, unfortunately.
I got it working, so if someone wants to do something similar:
https://github.com/kastl-ars/wolfi-apkrane
Would you accept a PR adding an example to the README in the action's folder?
Kind Regards,
Johannes
P.S.: Thanks for creating all of the actions, especially apko-publish is really easy to use...
Add exclude_tags input to tags workflow, which takes a comma-separated list of tags to explicitly not check in order to save time for images which have many (1000+) tags.
cc @priyawadhwa
I know it might be hard to move things now that they might be used, but I got really confused by chainguard-images AND chainguard-dev both having an actions repository:
Maybe those could be merged? Or is there a specific reason for some of them being in chainguard-images (and others being duplicated, like apko-build)?
Kind Regards,
Johannes
Since #47, the file apko.images goes missing:
Run cat apko.images | sed 's/$/\n/g' | grep -v '^$' | jq -R -s -c 'split("\n")[:-1]' | jq .
cat: apko.images: No such file or directory
[]
cat: apko.images: No such file or directory
maybe something related to git checkout
cc @priyawadhwa
Is it possible to use the version of one of the packages installed in the image as a tag for the image? If the main "component" of an image is e.g. argocd-cli, then this could have the corresponding argocd-cli version as tag.
If not, this would be a nice feature to have.
Hello!
I am trying to remove the SBOM generation happening within our CICD build action, but regardless of where I pass sbom=false, we still seem to get an SBOM generated.
I've tried passing this in build-options: in both the action itself and in the workflow.
In the action I receive an error: "2023/11/20 13:19:15 error during command execution: unknown flag: --build-option"
In the build workflow I get the message "x86_64 | Not generating SBOMs (WantSBOM = false)", yet the SBOM still gets generated and pushed to our registry.
I may be doing something wrong here, but if not, can this be considered as a feature later on?
Thank you!
Hey,
Description
The existing apko-snapshot action allows the signing of images with "keyless" signing, which is based on identities. Even though this is the recommended approach, there are cases where it may be interesting to let users be responsible for the key management.
If this makes sense for the project, I can open a pull request adding this feature.
Let me know your thoughts. Thanks!
Description
The --debug flag was removed as part of chainguard-dev/apko#1011, which causes GH workflows using the apko-publish GH action to fail with:
Error: unknown flag: --debug
2024/01/16 21:50:48 error during command execution: unknown flag: --debug
I've opened #129 to leverage the newly added --log-level flag instead.
Description
I just built this image using the apko-publish action (which was painless and pleasant, so a big THANK YOU):
https://github.com/kastl-ars/wolfi-node-with-bash/pkgs/container/wolfi-node-with-bash
It seems to work properly, but I am not sure if the tags are what they should be:
sha256-98e61a83fe048008e8f3dd4e0fefd3368531f8175101b94294a29b3a77587ae9.sbom
I never saw tags including a sbom suffix, so I am a little puzzled. The image has a latest tag, which I defined in the configuration file I gave to apko.
(Not sure how GitHub picks the one it shows on top, i.e. the most prominent one that can be copy&pasted. I would prefer to have the simple latest up there, but that might not be in the action's power?)
Kind Regards,
Johannes
Description
Just FYI, I saw the following warning at the end of a run of the apko-publish action. The action apparently worked fine, but this should be fixed before it gets deprecated...
Warning: The `set-output` command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/
This issue was automatically created by Allstar.
Security Policy Violation
Security policy not enabled.
A SECURITY.md file can give users information about what constitutes a vulnerability and how to report one securely so that information about a bug is not publicly visible. Examples of secure reporting methods include using an issue tracker with private issue support, or encrypted email with a published key.
To fix this, add a SECURITY.md file that explains how to handle vulnerabilities found in your repository. Go to https://github.com/chainguard-images/actions/security/policy to enable.
For more information, see https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository.
This issue will auto resolve when the policy is in compliance.
Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.
This issue was automatically created by Allstar.
Security Policy Violation
Dismiss stale reviews not configured for branch main
Description
I'm trying to use the apko-publish action, with almost all fields using default values, like:
- uses: distroless/actions/apko-publish@main
with:
# Config is the configuration file to use for the image build.
# Optional, will use .apko.yaml without a defined one.
# config: .apko.yaml
# Tag is the tag that will be published.
# Required.
tag: ${{ env.IMAGE_TAG }}
# Image Refs is the path to a file where apko should emit a newline
# delimited list of published image digests.
# Optional, will use a temporary file when unspecified.
# image_refs: foo.images
# Enable debug while testing
debug: true
generic-user: ${{ env.ACR_USERNAME }}
generic-pass: ${{ secrets.ACR_PASSWORD }}
From what I can see in the apko-publish/action.yaml file the only required parameter is tag, but when running it, I get the following error:
Error: requires at least 2 arg(s), only received 1
2023/04/26 09:45:07 error during command execution: requires at least 2 arg(s), only received 1
The complete run log shows like this:
Run distroless/actions/apko-publish@main
with:
debug: true
generic-user: <redacted>
generic-pass: <redacted>
config: .apko.yaml
repository_owner: <redacted>
repository: <redacted>
token: ***
image_refs: /tmp/apko.images
automount-src: /home/runner/work/docker/docker/.apko-automount
automount-dest: /work
package-version-tag-stem: false
env:
ACR_REGISTRY: <redacted>
ACR_USERNAME: <redacted>
DOCKER_DIR: core-openjdk/6.0.0-17-new-relic-8.1.0
VERSION_NUMBER: 6
IMAGE_TAGS: <redacted>/core-openjdk:6.0.0-17-new-relic-8.1.0,<redacted>/core-openjdk:6
/usr/bin/docker run --name ghcriowolfidevapkolatest_e54c1c --label 6c0442 --workdir /github/workspace --rm -e "ACR_REGISTRY" -e "ACR_USERNAME" -e "DOCKER_DIR" -e "VERSION_NUMBER" -e "IMAGE_TAGS" -e "INPUT_TAG" -e "INPUT_DEBUG" -e "INPUT_GENERIC-USER" -e "INPUT_GENERIC-PASS" -e "INPUT_CONFIG" -e "INPUT_REPOSITORY_OWNER" -e "INPUT_REPOSITORY" -e "INPUT_TOKEN" -e "INPUT_IMAGE_REFS" -e "INPUT_STAGE_TAGS" -e "INPUT_KEYRING-APPEND" -e "INPUT_REPOSITORY-APPEND" -e "INPUT_ARCHS" -e "INPUT_BUILD-OPTIONS" -e "INPUT_SOURCE-DATE-EPOCH" -e "INPUT_USE-DOCKER-MEDIATYPES" -e "INPUT_AUTOMOUNT-SRC" -e "INPUT_AUTOMOUNT-DEST" -e "INPUT_PACKAGE-VERSION-TAG" -e "INPUT_PACKAGE-VERSION-TAG-STEM" -e "INPUT_PACKAGE-VERSION-TAG-PREFIX" -e "INPUT_TAG-SUFFIX" -e "INPUT_SBOM-PATH" -e "GITHUB_ACTOR" -e "GITHUB_TOKEN" -e "REPOSITORY" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_ID" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e GITHUB_ACTIONS=true -e CI=true --entrypoint "/bin/sh" -v "/var/run/docker.sock":"/var/run/docker.sock" -v
"/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/docker/docker":"/github/workspace" ghcr.io/wolfi-dev/apko:latest "-c" "set -o errexit
set -o pipefail
if [[ \"midocker\" != \"\" && \"***\" != \"\" ]]; then
echo \"***\" | \
/usr/bin/apko login -u \"midocker\" \
--password-stdin \"$(echo \"\" | cut -d'/' -f1)\"
fi
if [ -d \"/home/runner/work/docker/docker/.apko-automount\" ]; then
echo \"Creating copy of /home/runner/work/docker/docker/.apko-automount at /work\"
cp -r \"/home/runner/work/docker/docker/.apko-automount\" \"/work\"
fi
[ -n \"\" ] && export SOURCE_DATE_EPOCH=''
[ -n \"\" ] && keys=\"-k \"
[ -n \"\" ] && repos=\"-r \"
[ -n \"\" ] && archs=\"--arch \"
build_options=\"\"
if [ -n \"\" ]; then
opts=\"\"
for opt in ${opts//,/ }; do
build_options=\"${build_options} --build-option ${opt}\"
done
fi
packageVersionTag=\"--package-version-tag=\"
if [ \"\" == \"\" ]; then
repo=$(echo $REPOSITORY | cut -d'/' -f2)
packageVersionTag=\"--package-version-tag=$repo\"
fi
packageVersionTagPrefix=\"--package-version-tag-prefix=\"
tagSuffix=\"--tag-suffix=\"
sbomPath=\"--sbom-path=\"
export DIGEST_FILE=$(mktemp)
/usr/bin/apko publish \
\
--package-version-tag-stem \
'--debug' \
--image-refs=\"/tmp/apko.images\" --stage-tags=\"\" .apko.yaml $keys $repos $archs $build_options $packageVersionTag $packageVersionTagPrefix $tagSuffix $sbomPath | tee ${DIGEST_FILE}
echo EXIT CODE: $?
echo ::set-output name=digest::$(cat ${DIGEST_FILE})
"
2023/04/26 09:45:07 logged in via /github/home/.docker/config.json
Error: requires at least 2 arg(s), only received 1
2023/04/26 09:45:07 error during command execution: requires at least 2 arg(s), only received 1
Any advice on how I can (try to) debug it further, or any tips on how to use it properly?
Opening this to track integrating @vaikas's work to use Cue + verify-attestation in cosign 1.8 to check scan results for vulnerabilities.
I think we should support taking a Cue policy input, and default it to roughly match today's semantics as an example.
Description
When using the apko-publish action, the following error is returned:
/bin/sh: /usr/bin/apko: not found
When debugging the issue, it appears that the image wolfi-dev/sdk should be used instead of wolfi-dev/apko:
echo PLEASE USE ghcr.io/wolfi-dev/sdk INSTEAD; exit 1
❯ crane config ghcr.io/wolfi-dev/apko:latest | jq .
{
"architecture": "amd64",
"author": "github.com/chainguard-dev/apko",
"created": "2024-05-13T17:38:35Z",
"history": [
{
"author": "apko",
"created": "2024-05-13T17:38:35Z",
"created_by": "apko",
"comment": "This is an apko single-layer image"
}
],
"os": "linux",
"rootfs": {
"type": "layers",
"diff_ids": [
"sha256:b1e08228bcaad8a845ac36d9c2cfdb7da7d040e1311ed42fd79b1fbcb2851763"
]
},
"config": {
"Cmd": [
"-c",
"echo PLEASE USE ghcr.io/wolfi-dev/sdk INSTEAD; exit 1"
],
"Entrypoint": [
"/bin/sh"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt"
]
}
}
Hi again,
is it possible to use multiple tags with the apko-publish action? Using two instances of the action would build the image twice, I guess.
Something like this:
tag:
- ghcr.io/chainguard-dev/apko-example:latest
- ghcr.io/chainguard-dev/apko-example:1.2.3
Thanks in advance,
Johannes
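The run log quoted in the "requires at least 2 arg(s), only received 1" issue shows the generated `apko publish` command with an empty line where the tag would go, so the config file is the only positional argument that reaches apko. The question directly above asks whether one run can publish several tags, and an earlier report notes that the action still emits the deprecated `::set-output` command. The shell wrapper below is an added example, not the action's own code: it reconstructs how the positional arguments are assembled, refuses to run when the tag input is empty, accepts several tags (comma-separated is my convention for the wrapper; apko itself takes them as separate positional arguments after the config file), and records the step output by appending to the file named by `$GITHUB_OUTPUT` instead of `::set-output`. The function names and the sample inputs are mine.

```shell
#!/bin/sh
# Added example (not the chainguard-images/actions code): a defensive
# reconstruction of the argument assembly visible in the quoted run log.
#
# From the page: `apko publish` wants the config file first and at least one
# tag after it, so an empty tag input leaves a single positional argument and
# apko reports "requires at least 2 arg(s), only received 1".
# Assumptions: function names, the comma as tag separator, sample values.

# Print, one per line, the positional arguments that would follow
# `apko publish <flags>`: the config file, then every tag.
# Prints nothing and returns 2 when the tag input is empty.
build_publish_args() {
  config="${1:-.apko.yaml}"
  tags="$2"

  # Treat "", "," and "  " alike: no usable tag.
  if [ -z "$(printf '%s' "$tags" | tr -d ', ')" ]; then
    echo "error: 'tag' input is empty; check the variable you pass (e.g. IMAGE_TAG vs IMAGE_TAGS)" >&2
    return 2
  fi

  printf '%s\n' "$config"
  old_ifs=$IFS
  IFS=,
  for t in $tags; do
    [ -n "$t" ] && printf '%s\n' "$t"
  done
  IFS=$old_ifs
}

# Number of positional arguments build_publish_args would hand to apko.
positional_count() {
  build_publish_args "$1" "$2" | wc -l | tr -d ' '
}

# Record a step output the way the deprecation notice asks for:
# append "name=value" to the $GITHUB_OUTPUT file instead of ::set-output.
# Arguments: output name, value, path of the output file.
write_step_output() {
  printf '%s=%s\n' "$1" "$2" >> "$3"
}

# Stand-alone demonstration with constructed inputs.
# EXAMPLE_IMAGE_TAG is deliberately unset, mirroring a workflow that passes
# an env var under the wrong name.
build_publish_args .apko.yaml "${EXAMPLE_IMAGE_TAG:-}" || echo "wrapper exit status: $?"

echo "with two tags apko publish receives $(positional_count .apko.yaml 'ghcr.io/example/img:1.2.3,ghcr.io/example/img:latest') positional arguments:"
build_publish_args .apko.yaml 'ghcr.io/example/img:1.2.3,ghcr.io/example/img:latest'

demo_out="${TMPDIR:-/tmp}/gr_github_output.$$"
: > "$demo_out"
write_step_output digest sha256:0123456789abcdef "$demo_out"
cat "$demo_out"
rm -f "$demo_out"
```

In a real workflow the config and tag values would come from the `INPUT_CONFIG` and `INPUT_TAG` variables the docker run line exports, and the wrapper's early failure message replaces the bare cobra error with one that names the input to fix.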