automated commit #5617
# Triggers: a push to main that touches an image's locked config, the daily
# cron, or a manual run (optionally narrowed to a single image via `only`).
on:
  push:
    branches:
      - main
    paths:
      - 'images/**/locked_config.json'
  schedule:
    - cron: "0 0 * * *"
  workflow_dispatch:
    inputs:
      only:
        description: "Specific image name to build"
        type: string
        required: false
        default: ""

# Full releases share the `release` group; a manual run narrowed to one image
# uses that image name as its group instead. In-flight runs are never cancelled.
concurrency:
  group: ${{ inputs.only || 'release' }}
  cancel-in-progress: false

env:
  TF_VAR_target_repository: cgr.dev/chainguard

# No default token permissions; each job grants exactly what it needs.
permissions: {}
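jobs:
  # Job 1: enumerate the images to release and publish them as a JSON matrix
  # consumed by the build job.
  shard:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # egress-policy `audit` only logs outbound traffic; `block` would need an
      # allowed-endpoints list.
      - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
        with:
          egress-policy: audit
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # This job only reads the tree; same setting as the build job, so the
          # token is not left behind in .git/config.
          persist-credentials: false
      - id: shard
        name: Shard
        shell: bash
        env:
          # Passed through the environment instead of being interpolated into
          # the script, so the workflow_dispatch input cannot alter the shell
          # command (it is a plain string in the shell regardless of content).
          ONLY_IMAGE: ${{ inputs.only }}
        run: |
          # One entry per image directory that carries a locked_config.json,
          # shuffled so shards are not always built in the same order.
          mapfile -t images < <(find ./images -maxdepth 2 -name "locked_config.json" | awk -F'/' '{print $3}' | sort -u | shuf)
          # An empty list would otherwise produce a matrix with one image "".
          if [ "${#images[@]}" -eq 0 ]; then
            echo "no images with a locked_config.json found under ./images" >&2
            exit 1
          fi
          # Build [{"index": "<n>", "image": "<name>"}, ...]; the index is a
          # string so it can be used directly in artifact names.
          matrix=$(printf "%s\n" "${images[@]}" | jq -cRnjr '[inputs] | [ range(0; length) as $i | { "index": $i | tostring, "image": .[$i] } ]')
          # A workflow_dispatch with `only` replaces the full matrix with one
          # shard; jq --arg does the JSON quoting, so the value is never spliced
          # into a JSON literal by hand.
          if [ -n "${ONLY_IMAGE}" ]; then
            matrix=$(jq -cn --arg image "${ONLY_IMAGE}" '[{"index": "0", "image": $image}]')
          fi
          echo "matrix=${matrix}" >> "$GITHUB_OUTPUT"
      - name: Shard Results
        env:
          # Via env rather than inline in `run`: the matrix contains directory
          # names taken from the repository and the `only` input.
          MATRIX: ${{ steps.shard.outputs.matrix }}
        run: echo "$MATRIX"
    outputs:
      matrix: "${{steps.shard.outputs.matrix}}"

  # Job 2: one matrix entry per shard; runs terraform apply for that image.
  build:
    runs-on: ubuntu-latest
    needs: shard
    strategy:
      # Keep building the remaining images when one shard fails; the summary
      # job reports all failures at the end.
      fail-fast: false
      matrix:
        shard: ${{ fromJson(needs.shard.outputs.matrix) }}
    permissions:
      id-token: write  # presumably for the OIDC-based chainctl/cosign auth below — confirm
      packages: write  # NOTE(review): confirm the terraform module pushes to GHCR; otherwise drop
      contents: read
      actions: read
    steps:
      - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
        with:
          egress-policy: audit
      - uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0
        with:
          terraform_version: "1.8.*"
          # presumably disabled so the -json stream below reaches tee/jq unaltered — confirm
          terraform_wrapper: false
      - uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
      - uses: imjasonh/setup-crane@6da1ae018866400525525ce74ff892880c099987 # v0.5
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: chainguard-dev/setup-chainctl@2cddd35a2f120d9973e58094dc6878c93cf58c28 # v0.5.1
        with:
          identity: 720909c9f5279097d847ad02a2f24ba8f59de36a/b6461e99e132298f
      - name: Disk cleanup
        # Only the pytorch images need the reclaimed space.
        if: ${{ contains(matrix.shard.image, 'pytorch') }}
        run: |
          ## All disk reclaim actions look sus and are not actively
          ## maintained, doing it by hand as per https://dev.to/mathio/squeezing-disk-space-from-github-actions-runners-an-engineers-guide-3pjg#6-how-to-automate-cleanup-in-your-ci
          # Remove Java (JDKs)
          sudo rm -rf /usr/lib/jvm
          # Remove .NET SDKs
          sudo rm -rf /usr/share/dotnet
          # Remove Swift toolchain
          sudo rm -rf /usr/share/swift
          # Remove Haskell (GHC)
          sudo rm -rf /usr/local/.ghcup
          # Remove Julia
          sudo rm -rf /usr/local/julia*
          # Remove Android SDKs
          sudo rm -rf /usr/local/lib/android
          # Remove Chromium (optional if not using for browser tests)
          sudo rm -rf /usr/local/share/chromium
          # Remove Microsoft/Edge and Google Chrome builds
          sudo rm -rf /opt/microsoft /opt/google
          # Remove Azure CLI
          sudo rm -rf /opt/az
          # Remove PowerShell
          sudo rm -rf /usr/local/share/powershell
          # Remove CodeQL and other toolcaches
          sudo rm -rf /opt/hostedtoolcache
          docker system prune -af || true
          docker builder prune -af || true
          df -h
      - name: Terraform apply
        timeout-minutes: 60
        env:
          # The image name reaches terraform as a variable, not as shell text.
          TF_VAR_image_name: ${{ matrix.shard.image }}
        run: |
          set -exo pipefail
          env | grep '^TF_VAR_'
          make enable-active-tag-update
          terraform init -upgrade
          terraform plan -out lock-release.tfplan
          # The full JSON log is kept for the diagnostics/summary steps; only
          # the message field is echoed to the job log.
          terraform apply -auto-approve --parallelism="$(nproc)" -json lock-release.tfplan | tee /tmp/mega-module.tf.json | jq -r '.["@message"]'
      - name: Collect TF diagnostics
        if: ${{ always() }}
        id: tf-diag
        uses: chainguard-dev/actions/terraform-diag@916fec00fb80f3cd124a0b41eef79ee63f607c5d # v1.6.17
        with:
          json-file: /tmp/mega-module.tf.json
      - name: Upload terraform logs
        if: always()
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          # The shard index in the artifact name is what the summary job parses
          # back out of the downloaded path.
          name: "mega-module-${{ matrix.shard.index }}.tf.json"
          path: /tmp/mega-module.tf.json
      - uses: step-security/action-slack-notify@e04c77a65bae8b6c0373478a1cb8fd7e012637e6 # v2.3.5
        # Only scheduled runs page; pushes and manual runs surface in the UI.
        if: ${{ failure() && github.event_name == 'schedule' }}
        env:
          # NOTE(review): plain-http icon URL; https would avoid the redirect.
          SLACK_ICON: http://github.com/chainguard-dev.png?size=48
          SLACK_USERNAME: guardian
          SLACK_WEBHOOK: ${{ secrets.DISTROLESS_SLACK_WEBHOOK }}
          SLACK_MSG_AUTHOR: chainguardian
          SLACK_CHANNEL: chainguard-images-alerts
          SLACK_COLOR: "#8E1600"
          MSG_MINIMAL: "true"
          SLACK_TITLE: "[images] release failed (shard ${{ matrix.shard.index }})"
          SLACK_MESSAGE: |
            https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
            ${{ steps.tf-diag.outputs.errors }}

  # Job 3: merge every shard's terraform log and render the error-level
  # entries in the step summary. Runs even when build failed or was skipped.
  summary:
    name: "Lock Release Summary"
    runs-on: ubuntu-latest
    if: ${{ always() }}
    needs: build
    permissions:
      contents: read
    steps:
      - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
        with:
          egress-policy: audit
      - name: "Download shard logs"
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          path: /tmp/shard-logs
          pattern: mega-module-*
      - name: Merge shard logs
        run: |
          # Start from an empty file so the later jq steps do not fail on a
          # missing input when no shard uploaded a log (e.g. build never ran).
          : > logs.tf.json
          # Tag each log line with the shard index parsed from the artifact name.
          find '/tmp/shard-logs' -name 'mega-module.tf.json' | while IFS= read -r file; do
            shard_index=$(echo "$file" | sed -E 's/.*mega-module-([0-9]+)\.tf\.json.*/\1/')
            echo "$shard_index"
            jq -cr --arg shard_index "$shard_index" '. + {"shard_index":$shard_index}' "$file" >> logs.tf.json
          done
      - name: Extract errors
        run: |
          # -c keeps one JSON object per line for the steps below.
          jq -c 'select(.["@level"]=="error")' logs.tf.json > errors.tf.json
      - name: Write step summary
        run: |
          echo "| Status | Shard | Image | Summary | Address |" >> "$GITHUB_STEP_SUMMARY"
          echo "| :-: | ----- | ----- | ------- | ------- |" >> "$GITHUB_STEP_SUMMARY"
          # An error entry without a diagnostic address would make split()
          # abort the whole summary; default the address to "" instead.
          rows="$(jq -r '"| ❌ | " + .shard_index + " | " + ((.diagnostic.address // "") | split(".")[1] // "") + " | ```" + .diagnostic.summary + "``` | ```" + .diagnostic.address + "``` |"' errors.tf.json)"
          echo "${rows}"
          printf '%s\n' "${rows}" >> "$GITHUB_STEP_SUMMARY"
      - name: Error Details
        run: |
          # Same null-safe address handling as the summary table above.
          jq -r '"::group:: shard: " + .shard_index + " | " + ((.diagnostic.address // "") | split(".")[1] // "") + "\nresource: " + .diagnostic.address + "\n\nsummary: " + .diagnostic.summary + "\n\ndetails:\n\n" + .diagnostic.detail + "\n::endgroup::"' errors.tf.json || true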