Commit
Showing 10 changed files with 233 additions and 0 deletions.
@@ -0,0 +1,27 @@ | ||
name: Build and Test EICAR Rock | ||
|
||
on: | ||
push: | ||
paths: | ||
- .github/workflows/build_and_test_eicar_rock.yaml | ||
- oci_factory_workflows/** | ||
workflow_dispatch: | ||
|
||
jobs: | ||
build: | ||
uses: canonical/oci-factory/.github/workflows/Build-Rock.yaml@main | ||
with: | ||
oci-archive-name: "eicar-rock" | ||
rock-repo: canonical/rocks-toolbox | ||
rock-repo-commit: rework_oci-factory_workflow_docs | ||
rockfile-directory: eicar_rock/1.0/ | ||
|
||
test: | ||
uses: canonical/oci-factory/.github/workflows/Test-Rock.yaml@main | ||
needs: [build-rock] | ||
with: | ||
oci-archive-name: "eicar-rock" | ||
test-vulnerabilities: true | ||
test-oci-compliance: true | ||
test-efficiency: true | ||
test_malware: true |
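Review bot: `needs: [build-rock]` in the `test` job names a job that does not exist in this workflow; the build job is declared as `build`, so the workflow is rejected at parse time. Change it to `needs: [build]`. Separately, `rock-repo-commit: rework_oci-factory_workflow_docs` is a branch name, so what this sample builds changes whenever that branch moves; for a reproducible sample, pin it to a commit hash as `build_external_rock.yaml` does. The same goes for `uses: canonical/oci-factory/.github/workflows/Build-Rock.yaml@main` and `Test-Rock.yaml@main`: a mutable ref means the caller picks up whatever the upstream workflow does next, and a tag or full commit SHA is the safer pin. Finally, `test_malware` is the only underscore-named input among hyphenated ones; it matches what the README documents, but aligning the upstream input name with the others would avoid a recurring typo.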
@@ -0,0 +1,17 @@ | ||
name: Build External Rock | ||
|
||
on: | ||
push: | ||
paths: | ||
- .github/workflows/build_external_rock.yaml | ||
- oci_factory_workflows/** | ||
workflow_dispatch: | ||
|
||
jobs: | ||
build: | ||
uses: canonical/oci-factory/.github/workflows/Build-Rock.yaml@main | ||
with: | ||
oci-archive-name: "chiselled-python" | ||
rock-repo: canonical/chiselled-python | ||
rock-repo-commit: e0943bf2923ef50c9117ac58cd02a86146ece1fb | ||
rockfile-directory: python3.12/ |
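Review bot: this is the only sample that pins `rock-repo-commit` to a full commit hash (`e0943bf2923ef50c9117ac58cd02a86146ece1fb`), which is the right choice for a build from an external repository; the reusable workflow itself is still referenced as `Build-Rock.yaml@main`, so the pinning is only half done. Also worth a one-line comment: the `paths` trigger `oci_factory_workflows/**` fires this workflow for edits to any sample or README in that directory, not just this one.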
@@ -0,0 +1,17 @@ | ||
name: Build Mock Rock | ||
|
||
on: | ||
push: | ||
paths: | ||
- .github/workflows/build_mock_rock.yaml | ||
- oci_factory_workflows/** | ||
workflow_dispatch: | ||
|
||
jobs: | ||
build: | ||
uses: canonical/oci-factory/.github/workflows/Build-Rock.yaml@main | ||
with: | ||
oci-archive-name: "mock-rock" | ||
# rock-repo: canonical/rocks-toolbox | ||
# rock-repo-commit: main | ||
rockfile-directory: mock_rock/1.0 |
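Review bot: `rock-repo` and `rock-repo-commit` are commented out, but the README in this same commit lists both as Required inputs of Build-Rock; as written, either the call to the reusable workflow fails for missing required inputs, or the README is wrong that they are required (for instance if Build-Rock defaults to the calling repository). One of the two needs to change, and the commented lines should either go or carry a comment saying why they are omitted. Minor: `rockfile-directory: mock_rock/1.0` has no trailing slash while the EICAR sample uses `eicar_rock/1.0/`; pick one form for the samples.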
@@ -0,0 +1,42 @@ | ||
name: Test External Rock | ||
|
||
on: | ||
push: | ||
paths: | ||
- .github/workflows/test_external_rock.yaml | ||
- oci_factory_workflows/** | ||
workflow_dispatch: | ||
|
||
env: | ||
VULNERABILITY_REPORT_SUFFIX: '.vulnerability-report.json' | ||
SKOPEO_IMAGE: 'quay.io/skopeo/stable:v1.15.1' | ||
TEST_IMAGE: 'bkimminich/juice-shop' | ||
TEST_IMAGE_FILENAME: 'juice-shop' | ||
|
||
jobs: | ||
setup: | ||
runs-on: ubuntu-22.04 | ||
steps: | ||
- run: | | ||
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \ | ||
-v $PWD:/workdir -w /workdir \ | ||
${{ env.SKOPEO_IMAGE }} \ | ||
copy docker://${{ env.TEST_IMAGE }} \ | ||
oci-archive:${{ env.TEST_IMAGE_FILENAME }} | ||
- uses: actions/upload-artifact@v4 | ||
if: ${{ !cancelled() }} | ||
with: | ||
name: ${{ env.TEST_IMAGE_FILENAME }} | ||
path: ${{ env.TEST_IMAGE_FILENAME }} | ||
retention-days: 1 | ||
|
||
test: | ||
uses: canonical/oci-factory/.github/workflows/Test-Rock.yaml@main | ||
needs: [build-rock] | ||
with: | ||
oci-archive-name: ${{ env.TEST_IMAGE_FILENAME }} | ||
test-vulnerabilities: true | ||
test-oci-compliance: true | ||
test-efficiency: true | ||
test_malware: true |
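Review bot: two things stop this workflow from running as intended. First, `needs: [build-rock]` refers to a job that does not exist here; the job that produces the artifact is `setup`, so this should be `needs: [setup]`. Second, `oci-archive-name: ${{ env.TEST_IMAGE_FILENAME }}` sits inside `jobs.<job_id>.with`, where the `env` context is not available; the value needs to be a literal (`juice-shop`) or be passed through a job output. In the `setup` step, mounting `/var/run/docker.sock` into the skopeo container is not needed for `skopeo copy docker://... oci-archive:...`, which talks to the registry directly; dropping the mount removes an unnecessary grant of full Docker-daemon access to a third-party image. `SKOPEO_IMAGE` is pinned by tag and `TEST_IMAGE` is not pinned at all; pinning both by digest would make the sample reproducible and the vulnerability report comparable from run to run.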
@@ -0,0 +1 @@ | ||
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* |
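Review bot: this is the standard 68-byte EICAR test string, so any scanner that sees it will flag it, including ones on developer workstations and on the CI runner itself; that is the intended behaviour here, but the README entry for the sample should mention that cloning the repository may trigger local AV. The file must stay free of anything before the string (a BOM or a comment line would prevent detection; trailing whitespace up to a total length of 128 bytes is tolerated). The `eicar` part in `rockcraft.yaml` references it as `source: eicar`, so the file name must stay exactly `eicar`.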
@@ -0,0 +1,19 @@ | ||
name: eicar-rock | ||
summary: A test rock to check malware scanners | ||
description: An extension of the "Hello World" rock. This rock contains the EICAR test file to test if malware scanners are working as expected | ||
version: "latest" | ||
license: Apache-2.0 | ||
|
||
base: [email protected] | ||
platforms: | ||
amd64: | ||
|
||
parts: | ||
hello: | ||
plugin: nil | ||
stage-packages: | ||
- hello | ||
eicar: | ||
plugin: dump | ||
source-type: file | ||
source: eicar |
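Review bot: `base: [email protected]` is not a valid Rockcraft base and looks like the page's email obfuscation of `ubuntu@<release>`; confirm the checked-in file carries the real value. `version: "latest"` is a mutable version string on an image whose contents are otherwise fixed; a numeric version (the directory is already `eicar_rock/1.0/`) makes scan reports attributable to a specific build. The `eicar` part uses `plugin: dump` with `source-type: file`, which copies the file into the part's install directory and so into the root of the rock filesystem; that is enough for ClamAV to find it, but a comment saying so would help readers who expect an `organize:` stanza. Also, the `description` sentence lacks a terminating period.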
@@ -0,0 +1,107 @@ | ||
# oci-factory workflows | ||
|
||
The [oci-factory](https://github.com/canonical/oci-factory) provides reusable | ||
GitHub workflows designed to support Rock-oriented CI tasks. This directory | ||
includes documentation and examples to help integrate these workflows into your | ||
projects. | ||
|
||
|
||
## Build-Rock Workflow | ||
|
||
The [Build-Rock workflow](https://github.com/canonical/oci-factory/blob/main/.github/workflows/Build-Rock.yaml) | ||
can create multi-architecture Rocks (OCI images) from a specified Rockcraft | ||
project file (rockcraft.yaml). This project file can be located in the | ||
repository initiating the workflow, an external repository hosted on GitHub, or | ||
a Git repository hosted elsewhere. The resulting image is uploaded as a build | ||
artifact in the GitHub workflow. Currently, multi-architecture builds support | ||
AMD64 and ARM64, depending on the availability of GitHub runners for these | ||
architectures. Additional architectures, such as PPC64EL and S390X, are | ||
supported through Launchpad build services. | ||
|
||
**Samples:** | ||
- [Building an Simple Rock](oci_factory_workflows/samples/build_mock_rock.yaml) | ||
- Build the "Mock Rock" located in `mock_rock/1.0` | ||
- [Build and Test EICAR Rock](oci_factory_workflows/samples/build_and_test_eicar_rock.yaml) | ||
- Build a Rock that includes the | ||
[EICAR test file](https://en.wikipedia.org/wiki/EICAR_test_file) and run the | ||
Test-Rock workflow on it. The workflow is expected to fail during the | ||
malware scan for demonstration purposes. | ||
- [Building an external Rock](oci_factory_workflows/samples/build_external_rock.yaml) | ||
- Build a Chiseled-Python Rock from an external repository using a specified Git commit hash. | ||
|
||
**Workflow Inputs:** | ||
- `oci-archive-name` | ||
- Final filename of the rock OCI archive. | ||
- Type: string | ||
- Required | ||
- `build-id` | ||
- Optional string for identifying workflow jobs in GitHub UI | ||
- Type: string | ||
- Optional, default: `""` | ||
- `rock-repo` | ||
- Public Git repo where to build the rock from. | ||
- Type: string | ||
- Required | ||
- `rock-repo-commit` | ||
- Git ref from where to build the rock from. | ||
- Type: string | ||
- Required | ||
- `rockfile-directory` | ||
- Directory in repository where to find the rockcraft.yaml file. | ||
- Type: string | ||
- Required | ||
- `arch-map` | ||
- JSON string mapping target architecture to runners. | ||
- Type: string | ||
- Optional, default: `'{"amd64": ["linux", "X64"], "arm64": ["linux", "ARM64"]}'` | ||
- `lpci-fallback` | ||
- Enable fallback to Launchpad build when runners for target arch are not available. | ||
- Type: boolean | ||
- Optional, default: `false` | ||
|
||
|
||
## Test-Rock Workflow | ||
|
||
The [Test-Rock workflow](https://github.com/canonical/oci-factory/blob/main/.github/workflows/Test-Rock.yaml) | ||
runs a series of tests on a Rock or OCI image. The image can be sourced either | ||
from a local artifact or from an external location uploaded as an artifact. The | ||
workflow includes the following tests, which can be enabled or disabled as | ||
needed. | ||
|
||
- Testing OCI Compliance of Rock images using [Umoci](https://umo.ci/) | ||
- Testing image storage efficiency using [Dive](https://github.com/wagoodman/dive) | ||
- Scanning for vulnerabilities using [trivy](https://trivy.dev/) | ||
- Scanning for malware using [ClamAV](https://www.clamav.net/) | ||
|
||
**Samples:** | ||
- [Build and Test EICAR Rock](oci_factory_workflows/samples/build_and_test_eicar_rock.yaml) | ||
- Build a Rock that includes the | ||
[EICAR test file](https://en.wikipedia.org/wiki/EICAR_test_file) and run the | ||
Test-Rock workflow on it. The workflow is expected to fail during the | ||
malware scan for demonstration purposes. | ||
|
||
**Workflow Inputs:** | ||
- `oci-archive-name` | ||
- Artifact name to download for testing. | ||
- required | ||
- type: string | ||
- `test-oci-compliance` | ||
- Enable Umoci OCI Image compliance test. | ||
- optional, default: `true` | ||
- type: boolean | ||
- `test-efficiency` | ||
- Enable Dive image efficiency test. | ||
- optional, default: `true` | ||
- type: boolean | ||
- `test-vulnerabilities` | ||
- Enable Trivy vulnerability test. | ||
- optional, default: `true` | ||
- type: boolean | ||
- `trivyignore-path` | ||
- Optional path to `.trivyignore` file used in vulnerability scan. | ||
- optional, default: `""` | ||
- type: string | ||
- `test_malware` | ||
- Enable ClamAV malware test. | ||
- optional, default: `true` | ||
- type: boolean |
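Review bot: the sample links are written as `oci_factory_workflows/samples/...`, but the symlinks added in this commit resolve `../../.github/workflows/...`, which places `samples/` two levels deep, i.e. this README lives in `oci_factory_workflows/`; relative to it the links should be `samples/build_mock_rock.yaml` and so on, otherwise they resolve to `oci_factory_workflows/oci_factory_workflows/samples/...`. The Build-Rock input list says `rock-repo` and `rock-repo-commit` are Required, yet the mock rock sample omits both, so one of the two is wrong. Consistency: the Build-Rock inputs use `Type:` / `Required` while Test-Rock uses `required` / `type:` in the opposite order; `test_malware` is the one underscored input name; "Building an Simple Rock" should read "Building a Simple Rock"; and "Chiseled-Python" here versus `chiselled-python` in the workflow.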
@@ -0,0 +1 @@ | ||
../../.github/workflows/build_and_test_eicar_rock.yaml |
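Review bot: this entry and the two that follow are symlinks into `.github/workflows/`, not copies. That keeps the samples from drifting, but check how they render in the web UI, since a symlink is commonly shown as its target path rather than the YAML the README points readers to, and a checkout without symlink support (Windows without `core.symlinks`) turns each into a one-line text file. Linking the README directly to the workflow files and dropping the symlinks would avoid both issues.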
@@ -0,0 +1 @@ | ||
../../.github/workflows/build_external_rock.yaml |
@@ -0,0 +1 @@ | ||
../../.github/workflows/build_mock_rock.yaml |