ghostscript/10.03.1 package update #39431
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI build action | |
| on: | |
| pull_request: | |
| branches: ["main"] | |
| push: | |
| branches: | |
| - gh-readonly-queue/main/** | |
| permissions: | |
| contents: read | |
| jobs: | |
| changes: | |
| permissions: | |
| contents: read | |
| name: Determine packages to test building | |
| runs-on: ubuntu-latest | |
| outputs: | |
| packages: ${{steps.package-list.outputs.packages}} | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Look for changed files | |
| id: changes | |
| uses: tj-actions/changed-files@2d756ea4c53f7f6b397767d8723b3a10a9f35bf2 # v44.0.0 | |
| with: | |
| files_yaml: | | |
| melange: | |
| - ./*.yaml # Only top level files without structure | |
| - ./*/*/*.melange.yaml # Support recursive melange files with the new naming convention. | |
| # this need to point to main to always get the latest action | |
| - uses: wolfi-dev/actions/install-wolfictl@main # main | |
| # Assuming that we have a list of changed files such as `foo.yaml` and `bar.yaml`, this | |
| # strips the list down into `foo` and `bar`. | |
| - name: Build package list | |
| id: package-list | |
| run: | | |
| printf "packages=" >> $GITHUB_OUTPUT | |
| wolfictl text -t name --pipeline-dir=./pipelines/ \ | |
| -r https://packages.wolfi.dev/bootstrap/stage3 \ | |
| -k https://packages.wolfi.dev/bootstrap/stage3/wolfi-signing.rsa.pub > packages-list | |
| while read pkg; do | |
| for file in ${{ steps.changes.outputs.melange_all_changed_files }}; do | |
| # Since the file is a path, we need to strip out only the file | |
| # name from it. | |
| base_file=$(basename $file) | |
| base_file="${base_file%.melange.yaml}" | |
| base_file="${base_file%.yaml}" | |
| printf "base_file: $base_file" | |
| [ "${base_file}" = "$pkg" ] && printf "%s " ${base_file} >> $GITHUB_OUTPUT | |
| done | |
| done < packages-list | |
| printf "\n" >> $GITHUB_OUTPUT | |
| build: | |
| name: Test building of packages | |
| strategy: | |
| matrix: | |
| arch: ["x86_64", "aarch64"] | |
| include: | |
| - arch: x86_64 | |
| runner: ubuntu-latest-16-cores | |
| oci: amd64 | |
| - arch: aarch64 | |
| runner: ubuntu-arm-16-cores | |
| oci: arm64 | |
| fail-fast: false | |
| runs-on: ${{ matrix.runner }} | |
| needs: changes | |
| outputs: | |
| packages_were_built: ${{ steps.file_check.outputs.exists }} | |
| permissions: | |
| contents: read | |
| pull-requests: write # so we have permission to comment on pull requests | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 | |
| with: | |
| egress-policy: audit | |
| - name: Free up runner disk space | |
| run: | | |
| set -x | |
| printf "==> Available space before cleanup\n" | |
| df -h | |
| rm -rf /usr/share/dotnet | |
| rm -rf "$AGENT_TOOLSDIRECTORY" | |
| printf "==> Available space after cleanup\n" | |
| df -h | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Setup Docker | |
| run: | | |
| # Add Docker's official GPG key: | |
| sudo apt-get update -y | |
| sudo apt-get install ca-certificates curl -y | |
| sudo install -m 0755 -d /etc/apt/keyrings | |
| sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc | |
| sudo chmod a+r /etc/apt/keyrings/docker.asc | |
| # Add the repository to Apt sources: | |
| echo \ | |
| "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \ | |
| $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \ | |
| sudo tee /etc/apt/sources.list.d/docker.list > /dev/null | |
| sudo apt-get update -y | |
| sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin | |
| sudo usermod -aG docker $USER | |
| sudo apt-get install acl | |
| sudo setfacl --modify user:$USER:rw /var/run/docker.sock | |
| - name: "Generate local signing key" | |
| uses: ./.github/actions/docker-run | |
| with: | |
| run: | | |
| make MELANGE="melange" local-melange.rsa | |
| - name: "Build Wolfi" | |
| uses: ./.github/actions/docker-run | |
| with: | |
| opts: "-v /temp:/temp -v /var/run/docker.sock:/var/run/docker.sock" | |
| run: | | |
| # Use a different shared $TMPDIR accessible and non-conflicting to | |
| # both the host and container since we're running docker out of | |
| # docker | |
| export TMPDIR="/temp" | |
| # This is to avoid fatal errors about "dubious ownership" because we are | |
| # running inside of a container action with the workspace mounted in. | |
| git config --global --add safe.directory . | |
| mkdir -p .melangecache | |
| for package in ${{needs.changes.outputs.packages}}; do | |
| make MELANGE_EXTRA_OPTS="--create-build-log --cache-dir=.melangecache" REPO="./packages" package/$package -j1 | |
| make MELANGE_EXTRA_OPTS="--runner docker" REPO="./packages" "test/$package" -j1 | |
| done | |
| - name: "Check that packages can be installed with apk add" | |
| uses: ./.github/actions/docker-run | |
| with: | |
| run: | | |
| # Create a fake linux fs under /tmp/emptyroot to pass to `apk --root`. | |
| mkdir -p /tmp/emptyroot/etc/apk | |
| cp -r /etc/apk/* /tmp/emptyroot/etc/apk/ | |
| cat /dev/null > /tmp/emptyroot/etc/apk/world | |
| mkdir -p /tmp/emptyroot/lib/apk/db | |
| touch /tmp/emptyroot/lib/apk/db/{installed,lock,scripts.tar,triggers} | |
| mkdir -p /tmp/emptyroot/var/cache/apk | |
| apk update --root /tmp/emptyroot | |
| # Find .apk files and add them to the string | |
| for f in $(find packages -name '*.apk'); do | |
| tar -Oxf "$f" .PKGINFO | |
| apk add --root /tmp/emptyroot --repository "./packages" --allow-untrusted --simulate "$f" | |
| done | |
| - name: Reset file permissions | |
| run: | | |
| sudo chown -R $(id -u):$(id -g) . | |
| - name: Check SBOMs | |
| uses: ./.github/actions/docker-run | |
| with: | |
| run: | | |
| apk add py3-ntia-conformance-checker spdx-tools-java | |
| for f in $(find packages -name '*.apk'); do | |
| echo "==== Checking SBOM for $f ====" | |
| tar -Oxf "$f" var/lib/db/sbom/ > sbom.json | |
| echo ::group::sbom.json | |
| cat sbom.json | |
| echo ::endgroup:: | |
| ntia-checker -v --file sbom.json | |
| tools-java Verify sbom.json | |
| done | |
| - name: Check for file | |
| id: file_check | |
| run: | | |
| if test -f "packages.log"; then | |
| cat packages.log | |
| echo "exists=true" >> $GITHUB_OUTPUT | |
| else | |
| echo "exists=false" >> $GITHUB_OUTPUT | |
| fi | |
| touch packages.log | |
| - name: Check diff | |
| if: steps.file_check.outputs.exists == 'true' | |
| # Let's not fail the whole job if this step fails as it is for improved UX rather than an enforced check | |
| continue-on-error: true | |
| uses: ./.github/actions/docker-run | |
| with: | |
| run: | | |
| wolfictl check diff | |
| - name: Check for diff file | |
| id: diff_file_check | |
| run: | | |
| if test -f "diff.log"; then | |
| cat diff.log | |
| echo "exists=true" >> $GITHUB_OUTPUT | |
| else | |
| echo "exists=false" >> $GITHUB_OUTPUT | |
| fi | |
| # Use the x86_64 build results for the comment for now so we don't have duplicates. | |
| - name: PR comment diff | |
| if: steps.diff_file_check.outputs.exists == 'true' && matrix.arch == 'x86_64' | |
| uses: thollander/actions-comment-pull-request@fabd468d3a1a0b97feee5f6b9e499eab0dd903f6 # v2.5.0 | |
| # We're seeing jobs using merge queues fail | |
| continue-on-error: true | |
| with: | |
| filePath: diff.log | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: "Upload built packages to GitHub artifacts" | |
| uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 | |
| with: | |
| path: | | |
| ./packages/${{ matrix.arch }} | |
| ./packages.log | |
| name: packages-${{ matrix.arch }} | |
| retention-days: 1 | |
| if-no-files-found: warn | |
| so_check: | |
| permissions: | |
| contents: read | |
| name: "ABI Compatibility check" | |
| runs-on: ubuntu-latest | |
| needs: build | |
| if: needs.build.outputs.packages_were_built == 'true' | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 | |
| with: | |
| egress-policy: audit | |
| - name: "Retrieve x86_64 packages" | |
| uses: actions/download-artifact@21e5c25de9cf2ee24742cd3e822327f3be6dd2a3 # v4.1.1 | |
| with: | |
| name: packages-x86_64 | |
| path: /tmp/artifacts-1/ | |
| - name: "Retrieve aarch64 packages" | |
| uses: actions/download-artifact@21e5c25de9cf2ee24742cd3e822327f3be6dd2a3 # v4.1.1 | |
| with: | |
| name: packages-aarch64 | |
| path: /tmp/artifacts-2/ | |
| - name: "Collect packages from all architectures into one place" | |
| run: | | |
| cd /tmp/artifacts-1 | |
| # Put the packages into one place (if aarch64 logs exist) | |
| if test -f "/tmp/artifacts-2/packages"; then | |
| mv /tmp/artifacts-2/packages/* ./packages/ | |
| # Merge the build log ("packages.log") files | |
| cat /tmp/artifacts-2/packages.log >> ./packages.log | |
| fi | |
| # this need to point to main to always get the latest action | |
| - uses: wolfi-dev/actions/install-wolfictl@main # main | |
| - name: Soname check | |
| run: | | |
| wolfictl check so-name --packages-dir /tmp/artifacts-1/packages --package-list-file /tmp/artifacts-1/packages.log | |
| scan: | |
| permissions: | |
| contents: read | |
| name: "Scan packages for CVEs" | |
| runs-on: ubuntu-latest | |
| needs: build | |
| if: needs.build.outputs.packages_were_built == 'true' | |
| timeout-minutes: 30 | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 | |
| with: | |
| egress-policy: audit | |
| - name: "Retrieve x86_64 packages" | |
| uses: actions/download-artifact@21e5c25de9cf2ee24742cd3e822327f3be6dd2a3 # v4.1.1 | |
| with: | |
| name: packages-x86_64 | |
| path: /tmp/artifacts-1/ | |
| - name: "Retrieve aarch64 packages" | |
| uses: actions/download-artifact@21e5c25de9cf2ee24742cd3e822327f3be6dd2a3 # v4.1.1 | |
| with: | |
| name: packages-aarch64 | |
| path: /tmp/artifacts-2/ | |
| - name: "Collect packages from all architectures into one place" | |
| run: | | |
| cd /tmp/artifacts-1 | |
| # Put the packages into one place (if aarch64 logs exist) | |
| if test -f "/tmp/artifacts-2/packages"; then | |
| mv /tmp/artifacts-2/packages/* ./packages/ | |
| # Merge the build log ("packages.log") files | |
| cat /tmp/artifacts-2/packages.log >> ./packages.log | |
| fi | |
| - name: "Retrieve Wolfi advisory data" | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| with: | |
| repository: "wolfi-dev/advisories" | |
| path: "data/wolfi-advisories" | |
| # this need to point to main to always get the latest action | |
| - uses: wolfi-dev/actions/install-wolfictl@main # main | |
| - name: Scan for CVEs | |
| run: | | |
| wolfictl scan \ | |
| --build-log \ | |
| --advisories-repo-dir 'data/wolfi-advisories' \ | |
| --advisory-filter 'resolved' \ | |
| --require-zero \ | |
| /tmp/artifacts-1 \ | |
| 2> /dev/null # The error message renders strangely on GitHub Actions, and the important information is already being sent to stdout. |