Support sharing matrix outputs
p5 authored Apr 21, 2024
1 parent 6f4e3d1 commit dbe2b85
Showing 4 changed files with 106 additions and 25 deletions.
Empty file.
Empty file.
61 changes: 36 additions & 25 deletions .github/workflows/build.yml
Expand Up @@ -101,20 +101,18 @@ jobs:
private-key: ${{ secrets.ETERNAL_LINUX_SIGNING_KEY }}
private-key-passphrase: ${{ secrets.ETERNAL_LINUX_SIGNING_KEY_PASSPHRASE }}

- name: Generate SBOM
id: generate-sbom
if: github.event_name != 'pull_request'
uses: ./.github/actions/generate-sbom
- name: Create Outputs File
run: |
echo "DIGEST=${{ steps.push.outputs.digest }}" >> $OUTPUTS_FILE
echo "IMAGE_NAME=${{ env.IMAGE_NAME }}" >> $OUTPUTS_FILE
- name: Upload Outputs File
uses: actions/upload-artifact@v4
with:
image-ref: ${{ steps.push.outputs.registry-path }}
artifact-name: ${{ matrix.fedora-edition }}-${{ matrix.fedora-version }}-sbom
name: outputs-${{ env.IMAGE_NAME }}-${{ matrix.image-flavour }}-${{ matrix.fedora-version }}
if-no-files-found: error
path: ${{ env.OUTPUTS_FILE }}

- name: Scan SBOM
uses: ./.github/actions/scan-sbom
if: github.event_name != 'pull_request'
with:
sbom-file: ${{ steps.generate-sbom.outputs.output-file }}
artifact-name: ${{ matrix.fedora-edition }}-${{ matrix.fedora-version }}-scan

build-nvidia:
runs-on: ubuntu-latest
Expand All @@ -137,6 +135,7 @@ jobs:
IMAGE_NAME: eternal-linux/main/${{ matrix.fedora-edition }}
FEDORA_VERSION: ${{ matrix.fedora-version }}
COREOS_KERNEL: "N/A"
OUTPUTS_FILE: /tmp/matrix-outputs.txt
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
Expand Down Expand Up @@ -225,22 +224,20 @@ jobs:
private-key: ${{ secrets.ETERNAL_LINUX_SIGNING_KEY }}
private-key-passphrase: ${{ secrets.ETERNAL_LINUX_SIGNING_KEY_PASSPHRASE }}

- name: Generate SBOM
id: generate-sbom
uses: ./.github/actions/generate-sbom
if: github.event_name != 'pull_request'
- name: Create Outputs File
run: |
echo "DIGEST=${{ steps.push.outputs.digest }}" >> $OUTPUTS_FILE
echo "IMAGE_NAME=${{ env.IMAGE_NAME }}" >> $OUTPUTS_FILE
- name: Upload Outputs File
uses: actions/upload-artifact@v4
with:
image-ref: ${{ steps.push.outputs.registry-path }}
artifact-name: ${{ matrix.fedora-edition }}-${{ matrix.fedora-version }}-nvidia${{ matrix.nvidia-version }}-sbom
name: outputs-${{ env.IMAGE_NAME }}-${{ matrix.image-flavour }}-${{ matrix.fedora-version }}-nvidia${{ matrix.nvidia-version }}
if-no-files-found: error
path: ${{ env.OUTPUTS_FILE }}

- name: Scan SBOM
uses: ./.github/actions/scan-sbom
if: github.event_name != 'pull_request'
with:
sbom-file: ${{ steps.generate-sbom.outputs.output-file }}
artifact-name: ${{ matrix.fedora-edition }}-${{ matrix.fedora-version }}-nvidia${{ matrix.nvidia-version }}-scan

check:
fan-in:
needs: [build-base, build-nvidia]
if: always()
runs-on: ubuntu-latest
Expand All @@ -252,3 +249,17 @@ jobs:
uses: ./.github/actions/check-jobs-success
with:
jobs: ${{ toJSON(needs) }}

- name: Download Outputs Files
uses: actions/download-artifact@v4
id: download-outputs
with:
pattern: outputs-*
merge-multiple: true

- name: Upload Outputs Files to Job Artifact
uses: actions/upload-artifact@v4
with:
name: merged-outputs
if-no-file-found: error
path: ${{ steps.download-outputs.outputs.download-path }}
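Review bot: `if-no-file-found: error` on the fan-in upload step in the last hunk is not a recognised input of actions/upload-artifact (the other upload steps in this file spell it `if-no-files-found`), so the check job ignores it and falls back to the default, which only warns when nothing was downloaded; change it to `if-no-files-found: error`. Separately, every matrix job writes its outputs to the same file name (`/tmp/matrix-outputs.txt`) and the download step uses `merge-multiple: true`, which places all matched artifacts in one directory, so unless download-artifact keeps same-named files apart (I have not verified that) later files overwrite earlier ones and `merged-outputs` ends up holding a single DIGEST/IMAGE_NAME pair; giving OUTPUTS_FILE a per-matrix-entry name or using `merge-multiple: false` avoids the collision. The existing checkout step is pinned to a commit SHA, while the new upload-artifact and download-artifact steps use the mutable `v4` tag, so pinning them to a SHA with a `# v4` comment would keep the file's supply-chain posture consistent. The `check` job definition starts above this hunk.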
70 changes: 70 additions & 0 deletions .github/workflows/scan-images.yml
@@ -0,0 +1,70 @@
name: Scan Images

on:
workflow_call:
inputs:
images:
description: "A comma-separated list of images to scan. E.G. '[\"docker.io/library/alpine:3.14.0\", \"docker.io/library/alpine:3.13.6\"]'"
required: true
type: string

jobs:
generate-matrix:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- name: Set matrix
id: set-matrix
env:
IMAGES: ${{ inputs.images }}
run: |
echo "matrix=$IMAGES" >> $GITHUB_OUTPUT
scan-image:
needs: generate-matrix
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
image: ${{fromJson(needs.generate-matrix.outputs.matrix)}}
steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Maximize build space
uses: ublue-os/remove-unwanted-software@v6

- name: Install Syft
shell: bash
run: |
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
syft version
- name: Generate SBOM
env:
IMAGE: ${{ matrix.image }}
run: |
syft ${IMAGE} \
--output cyclonedx-json=sbom.json \
--config ./.github/syft.yml
- name: Scan SBOM
id: scan
uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a # v3
with:
sbom: sbom.json
output-format: json
fail-build: false

- name: Generate artifact name
id: artifact-name
env:
IMAGE: ${{ matrix.image }}
run: |
echo "name=$(echo ${IMAGE} | awk -F'/' '{print $NF}' | sed 's/:/-/g')" >> $GITHUB_OUTPUT
- name: Upload scan results
uses: actions/upload-artifact@v4
with:
name: security-${{ steps.artifact-name.outputs.name }}
if-no-files-found: error
path: |
sbom.json
${{ steps.scan.outputs.json }}
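Review bot: The `Install Syft` step pipes an unpinned install script fetched from the `main` branch straight into `sh`, with no release version or checksum, so the scanning job's own toolchain is an unverified download on every run, in contrast to the SHA-pinned `anchore/scan-action` two steps later; pin a Syft release (the install script accepts the release tag as its final argument, e.g. `sh -s -- -b /usr/local/bin <SYFT_VERSION>`), and pin `actions/checkout` and `ublue-os/remove-unwanted-software` to commit SHAs as well. `syft ${IMAGE}` and `echo ${IMAGE}` expand the matrix value unquoted, and that value comes from the caller-supplied `images` input, so write `syft "${IMAGE}"` and `echo "${IMAGE}"` to prevent word splitting into extra arguments. The `images` input description says "comma-separated list" while the example and the `fromJson` call expect a JSON array string; rewording it to `description: "A JSON array string of image references to scan, e.g. '[\"docker.io/library/alpine:3.14.0\"]'"` states the actual contract. The `generate-matrix` job only copies the input into an output, so `image: ${{ fromJson(inputs.images) }}` directly in `scan-image` would drop a job and the intermediate `$GITHUB_OUTPUT` write.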
