-
Notifications
You must be signed in to change notification settings - Fork 17
151 lines (124 loc) · 5.4 KB
/
rootfs.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
name: Build and Push Rootfs Docker Image
on:
push:
branches:
- main
paths:
- 'rootfs/Dockerfile'
- 'rootfs/cosign/go.mod'
pull_request:
branches:
- main
paths:
- 'rootfs/Dockerfile'
- 'rootfs/cosign/go.mod'
workflow_dispatch:
permissions:
contents: read
jobs:
build-rootfs-image:
runs-on: ubuntu-latest
strategy:
matrix:
# finch only supports amd64 for windows
arch: ['amd64']
platform: ['common']
outputs:
timestamp: ${{ steps.vars.outputs.timestamp }}
steps:
- name: Checkout repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
persist-credentials: false
- name: Setup Go
uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
- name: Set build variables
id: vars
run: |
echo "timestamp=$(date +%s)" >> $GITHUB_OUTPUT
cosign_tag=$(cd rootfs/cosign && go list -m github.com/sigstore/cosign/v2 | cut -d " " -f 2)
echo "cosign_version=${cosign_tag#v}" >> $GITHUB_OUTPUT
- name: Set up QEMU
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
- name: Build Image
uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
with:
context: rootfs/
file: rootfs/Dockerfile
platforms: linux/${{ matrix.arch }}
push: false
load: true # load the image into Docker so we can create a container from it
tags: finch-rootfs-image-production:intermediate
build-args: |
COSIGN_VERSION=${{ steps.vars.outputs.cosign_version }}
push-rootfs-image:
if: github.repository == 'runfinch/finch-core' && github.event_name != 'pull_request'
runs-on: ubuntu-latest
needs: build-rootfs-image
permissions:
# This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on.
# More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
id-token: write
contents: write
pull-requests: write
strategy:
matrix:
# finch only supports amd64 for windows
arch: ['amd64']
platform: ['common']
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
aws-region: ${{ secrets.REGION }}
role-to-assume: ${{ secrets.ROLE }}
role-session-name: rootfs-ecr-image-upload-session
- name: Login to Amazon ECR
uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
- name: Checkout repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
persist-credentials: false
- name: Tag and Push Container Image
run: |
TIMESTAMP=${{ needs.build-rootfs-image.outputs.timestamp }}
docker tag finch-rootfs-image-production:intermediate ${{ secrets.ROOTFS_IMAGE_ECR_REPOSITORY_NAME }}:${{ matrix.arch }}-"$TIMESTAMP"
docker push ${{ secrets.ROOTFS_IMAGE_ECR_REPOSITORY_NAME }}:${{ matrix.arch }}-"$TIMESTAMP"
- name: Create, Compress, and Upload Rootfs
run: |
TIMESTAMP=${{ needs.build-rootfs-image.outputs.timestamp }}
docker container create --platform linux/${{ matrix.arch }} --name ${{ matrix.arch }}-rootfs finch-rootfs-image-production:intermediate
docker container export -o finch-rootfs-production-${{ matrix.arch }}.tar ${{ matrix.arch }}-rootfs
compressed_archive=finch-rootfs-production-${{ matrix.arch }}-"$TIMESTAMP".tar.gz
gzip -9 -c finch-rootfs-production-${{ matrix.arch }}.tar > $compressed_archive
sha512_digest=$(sha512sum $compressed_archive | cut -d " " -f 1)
echo $sha512_digest > $compressed_archive.sha512sum
ARCHPATH="x86-64"
ARTIFACT_KEY="X86_64"
if [ ${{ matrix.arch }} == "arm64" ]; then
ARCHPATH="aarch64"
ARTIFACT_KEY="ARM64"
fi
# Upload tarball and shasum to S3
aws s3 cp . s3://${{ secrets.DEPENDENCY_BUCKET_NAME }}/${{ matrix.platform }}/$ARCHPATH/ --recursive --exclude "*" --include "finch-rootfs-production-${{ matrix.arch }}-"$TIMESTAMP".tar.gz*"
cat <<EOL > deps/rootfs.conf
ARTIFACT_BASE_URL=https://deps.runfinch.com
${ARTIFACT_KEY}_ARTIFACT_PATHING=common/$ARCHPATH
${ARTIFACT_KEY}_ARTIFACT=$compressed_archive
${ARTIFACT_KEY}_512_DIGEST=$sha512_digest
EOL
- name: Create PR
uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
with:
token: ${{ secrets.GITHUB_TOKEN }}
signoff: true
branch: create-rootfs-${{ matrix.arch }}-${{ needs.build-rootfs-image.outputs.timestamp }}
delete-branch: true
title: 'build(deps): Update windows rootfs'
add-paths: deps/rootfs.conf
body: |
Update the rootfs for the windows platform.