chore: when using ubuntu, use hardened intermediate container #359
kristof-mattei wants to merge 6 commits into drahnr:main from
@drahnr sorry to ping you. Anything else you'd like me to add here?
One small ask: I'd like to see if the binary produced has runtime deps, specifically on Thank you! Otherwise, LGTM
Will do.
@drahnr used This actually made me realize we were linking it dynamically. Had to downgrade the C standard to make it work. Also removed the caching mechanism because that didn't work. Log output on that:
CI will fail if dynamically linked
... Cleaning /__w/cargo-spellcheck/cargo-spellcheck/target ...
... Cleaning cargo registry (cache-all-crates: false) ...
... Cleaning cargo/bin ...
... Cleaning cargo git cache ...
... Saving cache ...
/usr/bin/tar --posix -cf cache.tgz --exclude cache.tgz -P -C /__w/cargo-spellcheck/cargo-spellcheck --files-from manifest.txt -z
/usr/bin/tar: unrecognized option '--posix'
Lastly, if we force a dynamic build, this is how it errors out: https://github.com/kristof-mattei/cargo-spellcheck/actions/runs/23567473268/job/68622372856 This is how I forced the error: kristof-mattei/cargo-spellcheck@hardened-image...kristof-mattei:cargo-spellcheck:hardened-image-force-fail
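The "CI will fail if dynamically linked" gate discussed in this thread can be checked directly from the ELF headers. The following is an added example, not code from this PR or from cargo-spellcheck: it reports the program interpreter (PT_INTERP) and the number of DT_NEEDED entries of a little-endian ELF64 image. The function names and the two sample images are constructed for illustration.

```python
import struct

PT_DYNAMIC, PT_INTERP, DT_NULL, DT_NEEDED = 2, 3, 0, 1
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # ELF64 file header, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # ELF64 program header, 56 bytes
DYN = struct.Struct("<qQ")                  # dynamic entry: d_tag, d_val

def runtime_deps(data: bytes) -> dict:
    """Return the loader path (PT_INTERP) and DT_NEEDED count of an ELF64-LE image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    hdr = EHDR.unpack_from(data, 0)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    interp, needed = None, 0
    for i in range(phnum):
        p_type, _, off, _, _, filesz, _, _ = PHDR.unpack_from(data, phoff + i * phentsize)
        if p_type == PT_INTERP:
            interp = data[off:off + filesz].rstrip(b"\0").decode()
        elif p_type == PT_DYNAMIC:
            for pos in range(off, off + filesz, DYN.size):
                tag, _ = DYN.unpack_from(data, pos)
                if tag == DT_NULL:
                    break
                needed += tag == DT_NEEDED
    return {"interp": interp, "needed": needed}

def is_static(data: bytes) -> bool:
    # A static-pie binary keeps PT_DYNAMIC but has no loader and no DT_NEEDED.
    deps = runtime_deps(data)
    return deps["interp"] is None and deps["needed"] == 0

def build_sample(dynamic: bool) -> bytes:
    """Constructed minimal ELF64 image (headers only, not runnable) for the demo."""
    interp = b"/lib64/ld-linux-x86-64.so.2\0"
    dyn = DYN.pack(DT_NEEDED, 1) + DYN.pack(DT_NULL, 0)
    segs = [(PT_INTERP, interp), (PT_DYNAMIC, dyn)] if dynamic else []
    body_off = EHDR.size + PHDR.size * len(segs)
    phdrs, body = b"", b""
    for p_type, blob in segs:
        off = body_off + len(body)
        phdrs += PHDR.pack(p_type, 4, off, off, off, len(blob), len(blob), 8)
        body += blob
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)
    ehdr = EHDR.pack(ident, 2, 62, 1, 0, EHDR.size, 0, 0, EHDR.size, PHDR.size, len(segs), 0, 0, 0)
    return ehdr + phdrs + body

if __name__ == "__main__":
    for label, image in (("static", build_sample(False)), ("dynamic", build_sample(True))):
        print(label, runtime_deps(image), "OK" if is_static(image) else "FAIL: dynamically linked")
```

In a CI step the same functions would be given the bytes of the built binary, and the job would exit non-zero when `is_static` returns False.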
What does this PR accomplish?
Changes proposed by this PR:
Use a hardened image when testing & building.
Notes to reviewer:
Running as is Chainguard's sanctioned way to install packages: https://edu.chainguard.dev/chainguard/chainguard-images/about/differences-development-production/#:~:text=Chainguard%20Containers%20use,packages%20with%20apk.
📜 Checklist
./demosub directory