feat: workflow docs
clay-lake committed Dec 2, 2024
1 parent 78db3b8 commit 9c227b1
Showing 10 changed files with 233 additions and 0 deletions.
27 changes: 27 additions & 0 deletions .github/workflows/build_and_test_eicar_rock.yaml
@@ -0,0 +1,27 @@
name: Build and Test EICAR Rock

on:
push:
paths:
- .github/workflows/build_and_test_eicar_rock.yaml
- oci_factory_workflows/**
workflow_dispatch:

jobs:
build:
uses: canonical/oci-factory/.github/workflows/Build-Rock.yaml@main
with:
oci-archive-name: "eicar-rock"
rock-repo: canonical/rocks-toolbox
rock-repo-commit: rework_oci-factory_workflow_docs
rockfile-directory: eicar_rock/1.0/

test:
uses: canonical/oci-factory/.github/workflows/Test-Rock.yaml@main
needs: [build-rock]
with:
oci-archive-name: "eicar-rock"
test-vulnerabilities: true
test-oci-compliance: true
test-efficiency: true
test_malware: true
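Review bot: `needs: [build-rock]` in the `test` job refers to a job id that does not exist in this workflow; the build job is declared as `build`, so GitHub will reject the workflow at validation time. Change it to `needs: [build]`. Also, `rock-repo-commit: rework_oci-factory_workflow_docs` points at a branch rather than an immutable ref; once that docs branch is merged or deleted the sample stops building, so pin a tag or commit SHA as the `build_external_rock.yaml` sample in this commit does.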
17 changes: 17 additions & 0 deletions .github/workflows/build_external_rock.yaml
@@ -0,0 +1,17 @@
name: Build External Rock

on:
push:
paths:
- .github/workflows/build_external_rock.yaml
- oci_factory_workflows/**
workflow_dispatch:

jobs:
build:
uses: canonical/oci-factory/.github/workflows/Build-Rock.yaml@main
with:
oci-archive-name: "chiselled-python"
rock-repo: canonical/chiselled-python
rock-repo-commit: e0943bf2923ef50c9117ac58cd02a86146ece1fb
rockfile-directory: python3.12/
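Review bot: the rock source is pinned to a full commit SHA, which is right for reproducibility, but the reusable workflow itself is pulled as `canonical/oci-factory/.github/workflows/Build-Rock.yaml@main`, a mutable ref, so any change on `main` changes what runs in this job. Prefer a release tag or commit SHA on the `uses:` line as well, for the same supply-chain reason the rock repo is pinned; this applies to every sample in this commit.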
17 changes: 17 additions & 0 deletions .github/workflows/build_mock_rock.yaml
@@ -0,0 +1,17 @@
name: Build Mock Rock

on:
push:
paths:
- .github/workflows/build_mock_rock.yaml
- oci_factory_workflows/**
workflow_dispatch:

jobs:
build:
uses: canonical/oci-factory/.github/workflows/Build-Rock.yaml@main
with:
oci-archive-name: "mock-rock"
# rock-repo: canonical/rocks-toolbox
# rock-repo-commit: main
rockfile-directory: mock_rock/1.0
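Review bot: `rock-repo` and `rock-repo-commit` are commented out, yet the README added in this commit lists both as required inputs of Build-Rock. Either the workflow falls back to the calling repository when they are omitted, in which case the README should say so and document that default, or this sample fails on the missing inputs; please make the sample and the docs agree. Minor: `rockfile-directory: mock_rock/1.0` has no trailing slash while the EICAR sample uses `eicar_rock/1.0/`, so confirm the workflow accepts both forms or use one consistently.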
42 changes: 42 additions & 0 deletions .github/workflows/test_external_rock.yaml
@@ -0,0 +1,42 @@
name: Test External Rock

on:
push:
paths:
- .github/workflows/test_external_rock.yaml
- oci_factory_workflows/**
workflow_dispatch:

env:
VULNERABILITY_REPORT_SUFFIX: '.vulnerability-report.json'
SKOPEO_IMAGE: 'quay.io/skopeo/stable:v1.15.1'
TEST_IMAGE: 'bkimminich/juice-shop'
TEST_IMAGE_FILENAME: 'juice-shop'

jobs:
setup:
runs-on: ubuntu-22.04
steps:
- run: |
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
-v $PWD:/workdir -w /workdir \
${{ env.SKOPEO_IMAGE }} \
copy docker://${{ env.TEST_IMAGE }} \
oci-archive:${{ env.TEST_IMAGE_FILENAME }}
- uses: actions/upload-artifact@v4
if: ${{ !cancelled() }}
with:
name: ${{ env.TEST_IMAGE_FILENAME }}
path: ${{ env.TEST_IMAGE_FILENAME }}
retention-days: 1

test:
uses: canonical/oci-factory/.github/workflows/Test-Rock.yaml@main
needs: [build-rock]
with:
oci-archive-name: ${{ env.TEST_IMAGE_FILENAME }}
test-vulnerabilities: true
test-oci-compliance: true
test-efficiency: true
test_malware: true
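Review bot: `needs: [build-rock]` in the `test` job references a job id that does not exist here; the only other job is `setup`, so this should be `needs: [setup]` or the workflow is invalid. Two more problems in the same hunk: `with: oci-archive-name: ${{ env.TEST_IMAGE_FILENAME }}` uses the `env` context, which is not available in `jobs.<id>.with` when calling a reusable workflow, so use a literal value or pass it through a job output; and the skopeo `docker run` mounts `/var/run/docker.sock`, which hands the container control of the runner's Docker daemon, while `skopeo copy docker://… oci-archive:…` talks to the registry directly and only needs the `/workdir` bind mount, so drop the socket mount. Also `TEST_IMAGE: 'bkimminich/juice-shop'` has no tag or digest, so the image under test changes underneath the scan; pin it.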
1 change: 1 addition & 0 deletions eicar_rock/1.0/eicar
@@ -0,0 +1 @@
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
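Review bot: this is the standard EICAR test string, which is the point of the sample, but checking it in means every clone of the repository and any scanner that runs over it (including one on the CI runner itself) may flag it. Add a sentence to the README stating that `eicar_rock/1.0/eicar` is the EICAR test file and that alerts on it are expected, so contributors do not treat it as a real detection.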
19 changes: 19 additions & 0 deletions eicar_rock/1.0/rockcraft.yaml
@@ -0,0 +1,19 @@
name: eicar-rock
summary: A test rock to check malware scanners
description: An extension of the "Hello World" rock. This rock contains the EICAR test file to test if malware scanners are working as expected
version: "latest"
license: Apache-2.0

base: [email protected]
platforms:
amd64:

parts:
hello:
plugin: nil
stage-packages:
- hello
eicar:
plugin: dump
source-type: file
source: eicar
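Review bot: `version: "latest"` is a placeholder rather than a version; rockcraft carries this value into the output archive name and image metadata, so a concrete version such as `"1.0"` (matching the `eicar_rock/1.0` directory) would be more useful. The `base:` value as rendered on this page, `[email protected]`, does not look like a valid rockcraft base (expected form `ubuntu@<release>`) and may be a rendering artifact, so please confirm what the file actually contains. Minor: the `description:` sentence is missing its closing period.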
107 changes: 107 additions & 0 deletions oci_factory_workflows/REAME.md
@@ -0,0 +1,107 @@
# oci-factory workflows

The [oci-factory](https://github.com/canonical/oci-factory) provides reusable
GitHub workflows designed to support Rock-oriented CI tasks. This directory
includes documentation and examples to help integrate these workflows into your
projects.


## Build-Rock Workflow

The [Build-Rock workflow](https://github.com/canonical/oci-factory/blob/main/.github/workflows/Build-Rock.yaml)
can create multi-architecture Rocks (OCI images) from a specified Rockcraft
project file (rockcraft.yaml). This project file can be located in the
repository initiating the workflow, an external repository hosted on GitHub, or
a Git repository hosted elsewhere. The resulting image is uploaded as a build
artifact in the GitHub workflow. Currently, multi-architecture builds support
AMD64 and ARM64, depending on the availability of GitHub runners for these
architectures. Additional architectures, such as PPC64EL and S390X, are
supported through Launchpad build services.

**Samples:**
- [Building an Simple Rock](oci_factory_workflows/samples/build_mock_rock.yaml)
- Build the "Mock Rock" located in `mock_rock/1.0`
- [Build and Test EICAR Rock](oci_factory_workflows/samples/build_and_test_eicar_rock.yaml)
- Build a Rock that includes the
[EICAR test file](https://en.wikipedia.org/wiki/EICAR_test_file) and run the
Test-Rock workflow on it. The workflow is expected to fail during the
malware scan for demonstration purposes.
- [Building an external Rock](oci_factory_workflows/samples/build_external_rock.yaml)
- Build a Chiseled-Python Rock from an external repository using a specified Git commit hash.

**Workflow Inputs:**
- `oci-archive-name`
- Final filename of the rock OCI archive.
- Type: string
- Required
- `build-id`
- Optional string for identifying workflow jobs in GitHub UI
- Type: string
- Optional, default: `""`
- `rock-repo`
- Public Git repo where to build the rock from.
- Type: string
- Required
- `rock-repo-commit`
- Git ref from where to build the rock from.
- Type: string
- Required
- `rockfile-directory`
- Directory in repository where to find the rockcraft.yaml file.
- Type: string
- Required
- `arch-map`
- JSON string mapping target architecture to runners.
- Type: string
- Optional, default: `'{"amd64": ["linux", "X64"], "arm64": ["linux", "ARM64"]}'`
- `lpci-fallback`
- Enable fallback to Launchpad build when runners for target arch are not available.
- Type: boolean
- Optional, default: `false`


## Test-Rock Workflow

The [Test-Rock workflow](https://github.com/canonical/oci-factory/blob/main/.github/workflows/Test-Rock.yaml)
runs a series of tests on a Rock or OCI image. The image can be sourced either
from a local artifact or from an external location uploaded as an artifact. The
workflow includes the following tests, which can be enabled or disabled as
needed.

- Testing OCI Compliance of Rock images using [Umoci](https://umo.ci/)
- Testing image storage efficiency using [Dive](https://github.com/wagoodman/dive)
- Scanning for vulnerabilities using [trivy](https://trivy.dev/)
- Scanning for malware using [ClamAV](https://www.clamav.net/)

**Samples:**
- [Build and Test EICAR Rock](oci_factory_workflows/samples/build_and_test_eicar_rock.yaml)
- Build a Rock that includes the
[EICAR test file](https://en.wikipedia.org/wiki/EICAR_test_file) and run the
Test-Rock workflow on it. The workflow is expected to fail during the
malware scan for demonstration purposes.

**Workflow Inputs:**
- `oci-archive-name`
- Artifact name to download for testing.
- required
- type: string
- `test-oci-compliance`
- Enable Umoci OCI Image compliance test.
- optional, default: `true`
- type: boolean
- `test-efficiency`
- Enable Dive image efficiency test.
- optional, default: `true`
- type: boolean
- `test-vulnerabilities`
- Enable Trivy vulnerability test.
- optional, default: `true`
- type: boolean
- `trivyignore-path`
- Optional path to `.trivyignore` file used in vulnerability scan.
- optional, default: `""`
- type: string
- `test_malware`
- Enable ClamAV malware test.
- optional, default: `true`
- type: boolean
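Review bot: the file is added as `oci_factory_workflows/REAME.md`, a typo for `README.md`, so GitHub will not render it as the directory's readme. The content also needs fixes: the sample links are relative to this file's own directory, so `oci_factory_workflows/samples/...` resolves to `oci_factory_workflows/oci_factory_workflows/samples/...` (use `samples/...`); this commit adds only `samples/build_external_rock.yaml` and `samples/build_mock_rock.yaml`, so the link to `samples/build_and_test_eicar_rock.yaml` has no target; "Building an Simple Rock" should read "Building a Simple Rock"; `rock-repo` and `rock-repo-commit` are marked Required while the mock sample omits them; and the Test-Rock input list uses different capitalization and field order (`required`/`type`) from the Build-Rock list, so normalize one to the other. `test_malware` is the only underscore-style input among hyphenated ones; if that is the upstream workflow's actual input name, say so in the text, otherwise correct it.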
1 change: 1 addition & 0 deletions oci_factory_workflows/samples/build_external_rock.yaml
1 change: 1 addition & 0 deletions oci_factory_workflows/samples/build_mock_rock.yaml
