images/.github/workflows/release.yaml at main · Taffer/images · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
on:
  push:
    branches:
      - main
    paths-ignore:
      - README.md
      - withdrawn-images.txt
      - withdrawn-repos.txt
      - reinstated-images.txt
  schedule:
    - cron: "0 0 * * *"
  workflow_dispatch:
    inputs:
      only:
        description: "Specific image name to build"
        type: string
        required: false
        default: ""

concurrency:
  group: ${{ inputs.only || 'release' }}
  cancel-in-progress: false

env:
  TF_VAR_target_repository: cgr.dev/chainguard

permissions: {}

jobs:
  shard:
    runs-on: ubuntu-latest

    permissions:
      contents: read

    steps:
      - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          egress-policy: audit

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - id: shard
        name: Shard
        shell: bash # bash math foo required
        run: |
          images=($(find ./images -maxdepth 1 -type d -not -path "./images/TEMPLATE" | awk -F'/' '{print $3}' | sort -u | shuf))

          total=${#images[@]}

          # put each image module into its own shard
          declare -a bins
          for ((i = 0; i < total; i++)); do
            bins[$i]="${images[$i]}"
          done

          matrix=$(printf "%s\n" "${bins[@]}" | jq -cRnjr '[inputs] | [ range(0; length) as $i | { "index": $i | tostring, "images": .[$i] } ]')
          echo "matrix=${matrix}" >> $GITHUB_OUTPUT

          # Overwrite the output above if workflow_dispatch'd with `only`
          if [ -n "${{ inputs.only }}" ]; then
            shard='[{"index": 0, "images": "${{ inputs.only }}"}]'
            echo "matrix=${shard}" >> $GITHUB_OUTPUT
          fi

      - name: Shard Results
        run: echo '${{ steps.shard.outputs.matrix }}'

    outputs:
      # This is of the format [{"index": 0, "images": "a b c"}, {"index": 1, "images": "d e f"}, ...]
      matrix: "${{steps.shard.outputs.matrix}}"

  build:
    runs-on: ubuntu-latest
    needs: shard

    strategy:
      fail-fast: false
      matrix:
        shard: ${{ fromJson(needs.shard.outputs.matrix) }}

    permissions:
      id-token: write
      packages: write
      contents: read
      actions: read

    steps:
      - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          egress-policy: audit

      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
        with:
          terraform_version: "1.8.*"
          terraform_wrapper: false

      - uses: chainguard-dev/setup-chainctl@c125f765e82b09a42af3185f3214465314d75c5d # v0.5.0
        with:
          # This allows chainguard-images/images-private to publish images to cgr.dev/chainguard-private
          # We maintain this identity here:
          # https://github.com/chainguard-dev/mono/blob/main/env/chainguard-images/iac/images-pusher.tf
          identity: 720909c9f5279097d847ad02a2f24ba8f59de36a/b6461e99e132298f

      # Make cosign/crane CLI available to the tests
      - uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
      - uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      # note this step takes a long time, thus only do it when we
      # really need lots of disk space, ie. for pytorch
      - name: Disk cleanup
        if: ${{ contains(matrix.shard.images, 'pytorch') }}
        run: |
          ## All disk reclaim actions look sus and are not actively
          ## maintained, doing it by hand as per https://dev.to/mathio/squeezing-disk-space-from-github-actions-runners-an-engineers-guide-3pjg#6-how-to-automate-cleanup-in-your-ci

          # Remove Java (JDKs)
          sudo rm -rf /usr/lib/jvm

          # Remove .NET SDKs
          sudo rm -rf /usr/share/dotnet

          # Remove Swift toolchain
          sudo rm -rf /usr/share/swift

          # Remove Haskell (GHC)
          sudo rm -rf /usr/local/.ghcup

          # Remove Julia
          sudo rm -rf /usr/local/julia*

          # Remove Android SDKs
          sudo rm -rf /usr/local/lib/android

          # Remove Chromium (optional if not using for browser tests)
          sudo rm -rf /usr/local/share/chromium

          # Remove Microsoft/Edge and Google Chrome builds
          sudo rm -rf /opt/microsoft /opt/google

          # Remove Azure CLI
          sudo rm -rf /opt/az

          # Remove PowerShell
          sudo rm -rf /usr/local/share/powershell

          # Remove CodeQL and other toolcaches
          sudo rm -rf /opt/hostedtoolcache

          docker system prune -af || true
          docker builder prune -af || true
          df -h

      - name: Terraform apply
        timeout-minutes: 60
        run: |
          set -exo pipefail
          env | grep '^TF_VAR_'

          make init-upgrade

          # Enable active tag updates
          make enable-active-tag-update

          targets=""
          for image in ${{ matrix.shard.images }}; do
            targets+=' -target='module."${image}"''
          done

          terraform plan ${targets} -out mega-module.tfplan
          terraform apply ${targets} -auto-approve --parallelism=$(nproc) -json mega-module.tfplan | tee /tmp/mega-module.tf.json | jq -r '.["@message"]'

      - name: Collect TF diagnostics
        if: ${{ always() }}
        id: tf-diag
        uses: chainguard-dev/actions/terraform-diag@f77a7c3431f961556be5a41e2602c450a590f3e5 # v1.5.12
        with:
          json-file: /tmp/mega-module.tf.json

      - name: Collect K8s diagnostics and upload
        if: ${{ failure() }}
        run: |
          echo 'This step is deprecated. Please use the imagetest provider and reference the imagetest logs'

      - name: Upload terraform logs
        if: always()
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: "mega-module-${{ matrix.shard.index }}.tf.json"
          path: /tmp/mega-module.tf.json

      - name: Upload imagetest logs
        if: always()
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: "mega-module-${{ matrix.shard.index }}-imagetest-logs"
          path: imagetest-logs

      - uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
        if: ${{ failure() && github.event_name == 'schedule' }}
        env:
          SLACK_ICON: http://github.com/chainguard-dev.png?size=48
          SLACK_USERNAME: guardian
          SLACK_WEBHOOK: ${{ secrets.DISTROLESS_SLACK_WEBHOOK }}
          SLACK_MSG_AUTHOR: chainguardian
          SLACK_CHANNEL: chainguard-images-alerts
          SLACK_COLOR: "#8E1600"
          MSG_MINIMAL: "true"
          SLACK_TITLE: "[images] release failed (shard ${{ matrix.shard.index }} of ${{ env.TOTAL_SHARDS }})"
          SLACK_MESSAGE: |
            https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}

            ${{ steps.tf-diag.outputs.errors }}

  summary:
    name: "Build Summary"
    runs-on: ubuntu-latest
    if: ${{ always() }}
    needs: build

    permissions:
      contents: read

    steps:
      - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          egress-policy: audit

      - name: "Download shard logs"
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          path: /tmp/shard-logs
          pattern: mega-module-*

      # Cat all the files into one, while maintaining their shard
      - run: |
          find '/tmp/shard-logs' -name 'mega-module.tf.json' | while read file; do
            shard_index=$(echo "$file" | sed -E 's/.*mega-module-([0-9]+)\.tf\.json.*/\1/')
            echo $shard_index
            jq -cr --arg shard_index "$shard_index" '. + {"shard_index":$shard_index}' $file >> logs.tf.json
          done

      # process the logs
      - run: |
          # Create a file just for errors
          jq -r 'select(.["@level"]=="error")' logs.tf.json > errors.tf.json

      # Build the markdown table
      - run: |
          echo "| Status | Shard | Image | Summary | Address |" >> $GITHUB_STEP_SUMMARY
          echo "| :-:    | ----- | ----- | ------- | ------- |" >> $GITHUB_STEP_SUMMARY

          # append the rows to the table
          export rows="$(jq -r '"| ❌ | " + .shard_index + " | " + (.diagnostic.address | split(".")[1]) + " | ```" + .diagnostic.summary + "``` | ```" + .diagnostic.address + "``` |"' errors.tf.json)"
          echo "${rows}"

          cat >> $GITHUB_STEP_SUMMARY <<EOR
          ${rows}
          EOR

      - name: Error Details
        run: |
          # Print the errors as expandable groups
          jq -r '"::group:: shard: " + .shard_index + " | " + (.diagnostic.address | split(".")[1]) + "\nresource: " + .diagnostic.address + "\n\nsummary: " + .diagnostic.summary + "\n\ndetails:\n\n" + .diagnostic.detail + "\n::endgroup::"' errors.tf.json || true