diff --git a/.github/workflows/build_and_test_eicar_rock.yaml b/.github/workflows/build_and_test_eicar_rock.yaml
new file mode 100644
index 0000000..e31b414
--- /dev/null
+++ b/.github/workflows/build_and_test_eicar_rock.yaml
@@ -0,0 +1,27 @@
+name: Build and Test EICAR Rock
+
+on:
+ push:
+ paths:
+ - .github/workflows/build_and_test_eicar_rock.yaml
+ - oci_factory_workflows/**
+ workflow_dispatch:
+
+jobs:
+ build:
+ uses: canonical/oci-factory/.github/workflows/Build-Rock.yaml@main
+ with:
+ oci-archive-name: "eicar-rock"
+ rock-repo: canonical/rocks-toolbox
+ rock-repo-commit: rework_oci-factory_workflow_docs
+ rockfile-directory: eicar_rock/1.0/
+
+ test:
+ uses: canonical/oci-factory/.github/workflows/Test-Rock.yaml@main
+ needs: [build-rock]
+ with:
+ oci-archive-name: "eicar-rock"
+ test-vulnerabilities: true
+ test-oci-compliance: true
+ test-efficiency: true
+ test_malware: true
diff --git a/.github/workflows/build_external_rock.yaml b/.github/workflows/build_external_rock.yaml
new file mode 100644
index 0000000..7be1639
--- /dev/null
+++ b/.github/workflows/build_external_rock.yaml
@@ -0,0 +1,17 @@
+name: Build External Rock
+
+on:
+ push:
+ paths:
+ - .github/workflows/build_external_rock.yaml
+ - oci_factory_workflows/**
+ workflow_dispatch:
+
+jobs:
+ build:
+ uses: canonical/oci-factory/.github/workflows/Build-Rock.yaml@main
+ with:
+ oci-archive-name: "chiselled-python"
+ rock-repo: canonical/chiselled-python
+ rock-repo-commit: e0943bf2923ef50c9117ac58cd02a86146ece1fb
+ rockfile-directory: python3.12/
\ No newline at end of file
diff --git a/.github/workflows/build_mock_rock.yaml b/.github/workflows/build_mock_rock.yaml
new file mode 100644
index 0000000..d636fcb
--- /dev/null
+++ b/.github/workflows/build_mock_rock.yaml
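Review bot: `needs: [build-rock]` in the `test` job names a job that does not exist in this workflow — the build job's id is `build` — so GitHub rejects the file at parse time and the EICAR demonstration never runs; change it to `needs: [build]`. The `rock-repo-commit` input is a branch name (`rework_oci-factory_workflow_docs`) rather than a commit SHA, so what gets built and scanned can change underneath the sample; the README in this commit documents the input as a Git ref, but a sample whose point is a deterministic failing malware scan should pin a SHA, as `build_external_rock.yaml` does. The same applies to `Build-Rock.yaml@main` and `Test-Rock.yaml@main`: those reusable workflows run with this repository's token, so pin them to a commit SHA (tag in a trailing comment) rather than a moving branch.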
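Review bot: The rock source is pinned to a full commit SHA, but the reusable workflow that builds it is taken from `Build-Rock.yaml@main`, so the build logic executing with this repository's GITHUB_TOKEN can change without any change here; pin the `uses:` ref the same way, e.g. `uses: canonical/oci-factory/.github/workflows/Build-Rock.yaml@<commit-sha>  # <tag>`. No `permissions:` block is declared, so the called workflow inherits whatever the repository default grants; if Build-Rock only needs to read the checkout and upload an artifact, a top-level `permissions: contents: read` is a cheap least-privilege guard (whether it needs more is not visible from this commit).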
@@ -0,0 +1,17 @@
+name: Build Mock Rock
+
+on:
+ push:
+ paths:
+ - .github/workflows/build_mock_rock.yaml
+ - oci_factory_workflows/**
+ workflow_dispatch:
+
+jobs:
+ build:
+ uses: canonical/oci-factory/.github/workflows/Build-Rock.yaml@main
+ with:
+ oci-archive-name: "mock-rock"
+ # rock-repo: canonical/rocks-toolbox
+ # rock-repo-commit: main
+ rockfile-directory: mock_rock/1.0
\ No newline at end of file
diff --git a/.github/workflows/test_external_rock.yaml b/.github/workflows/test_external_rock.yaml
new file mode 100644
index 0000000..1a88ec3
--- /dev/null
+++ b/.github/workflows/test_external_rock.yaml
@@ -0,0 +1,42 @@
+name: Test External Rock
+
+on:
+ push:
+ paths:
+ - .github/workflows/test_external_rock.yaml
+ - oci_factory_workflows/**
+ workflow_dispatch:
+
+env:
+ VULNERABILITY_REPORT_SUFFIX: '.vulnerability-report.json'
+ SKOPEO_IMAGE: 'quay.io/skopeo/stable:v1.15.1'
+ TEST_IMAGE: 'bkimminich/juice-shop'
+ TEST_IMAGE_FILENAME: 'juice-shop'
+
+jobs:
+ setup:
+ runs-on: ubuntu-22.04
+ steps:
+ - run: |
+ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
+ -v $PWD:/workdir -w /workdir \
+ ${{ env.SKOPEO_IMAGE }} \
+ copy docker://${{ env.TEST_IMAGE }} \
+ oci-archive:${{ env.TEST_IMAGE_FILENAME }}
+
+ - uses: actions/upload-artifact@v4
+ if: ${{ !cancelled() }}
+ with:
+ name: ${{ env.TEST_IMAGE_FILENAME }}
+ path: ${{ env.TEST_IMAGE_FILENAME }}
+ retention-days: 1
+
+ test:
+ uses: canonical/oci-factory/.github/workflows/Test-Rock.yaml@main
+ needs: [build-rock]
+ with:
+ oci-archive-name: ${{ env.TEST_IMAGE_FILENAME }}
+ test-vulnerabilities: true
+ test-oci-compliance: true
+ test-efficiency: true
+ test_malware: true
\ No newline at end of file
diff --git a/eicar_rock/1.0/eicar b/eicar_rock/1.0/eicar
new file mode 100644
index 0000000..a2463df
--- /dev/null
+++ b/eicar_rock/1.0/eicar
@@ -0,0 +1 @@
+X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
\ No newline at end of file
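Review bot: The `rock-repo` and `rock-repo-commit` inputs are commented out, while the README added in this commit lists both as Required for Build-Rock; either this sample fails input validation, or Build-Rock.yaml falls back to the calling repository when they are omitted and the README's "Required" is wrong — I can't tell which from here, but the two should agree, e.g. replace the two commented lines with `# rock-repo/rock-repo-commit omitted: Build-Rock builds from the calling repository (confirm against Build-Rock.yaml)`. The commented-out `rock-repo-commit: main` would be a moving ref if it is ever re-enabled; pin a SHA. As with the other samples, `Build-Rock.yaml@main` should be pinned to a commit SHA so the build logic cannot change underneath the caller.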
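Review bot: The `setup` step mounts `/var/run/docker.sock` into the skopeo container, which hands that container root-equivalent control of the runner, yet `skopeo copy docker://… oci-archive:…` talks to the registry directly and does not need the Docker daemon; drop the `-v /var/run/docker.sock:/var/run/docker.sock` mount. `needs: [build-rock]` names a job that does not exist (the artifact is produced by `setup`), so the workflow fails at parse time; use `needs: [setup]`. The `env` context is, to my knowledge, not available in `jobs.<id>.with` of a reusable-workflow call, so `oci-archive-name: ${{ env.TEST_IMAGE_FILENAME }}` will likely need to be a literal or a job output from `setup`. `TEST_IMAGE: 'bkimminich/juice-shop'` has no tag, so the image under test floats between runs; pin a tag and ideally an `@sha256:` digest. `VULNERABILITY_REPORT_SUFFIX` is defined but not used anywhere in this file.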
diff --git a/eicar_rock/1.0/rockcraft.yaml b/eicar_rock/1.0/rockcraft.yaml
new file mode 100644
index 0000000..300b35e
--- /dev/null
+++ b/eicar_rock/1.0/rockcraft.yaml
@@ -0,0 +1,19 @@
+name: eicar-rock
+summary: A test rock to check malware scanners
+description: An extension of the "Hello World" rock. This rock contains the EICAR test file to test if malware scanners are working as expected
+version: "latest"
+license: Apache-2.0
+
+base: ubuntu@22.04
+platforms:
+ amd64:
+
+parts:
+ hello:
+ plugin: nil
+ stage-packages:
+ - hello
+ eicar:
+ plugin: dump
+ source-type: file
+ source: eicar
\ No newline at end of file
diff --git a/oci_factory_workflows/REAME.md b/oci_factory_workflows/REAME.md
new file mode 100644
index 0000000..752f162
--- /dev/null
+++ b/oci_factory_workflows/REAME.md
@@ -0,0 +1,107 @@
+# oci-factory workflows
+
+The [oci-factory](https://github.com/canonical/oci-factory) provides reusable
+GitHub workflows designed to support Rock-oriented CI tasks. This directory
+includes documentation and examples to help integrate these workflows into your
+projects.
+
+
+## Build-Rock Workflow
+
+The [Build-Rock workflow](https://github.com/canonical/oci-factory/blob/main/.github/workflows/Build-Rock.yaml)
+can create multi-architecture Rocks (OCI images) from a specified Rockcraft
+project file (rockcraft.yaml). This project file can be located in the
+repository initiating the workflow, an external repository hosted on GitHub, or
+a Git repository hosted elsewhere. The resulting image is uploaded as a build
+artifact in the GitHub workflow. Currently, multi-architecture builds support
+AMD64 and ARM64, depending on the availability of GitHub runners for these
+architectures. Additional architectures, such as PPC64EL and S390X, are
+supported through Launchpad build services.
+
+**Samples:**
+- [Building an Simple Rock](oci_factory_workflows/samples/build_mock_rock.yaml)
+ - Build the "Mock Rock" located in `mock_rock/1.0`
+- [Build and Test EICAR Rock](oci_factory_workflows/samples/build_and_test_eicar_rock.yaml)
+ - Build a Rock that includes the
+ [EICAR test file](https://en.wikipedia.org/wiki/EICAR_test_file) and run the
+ Test-Rock workflow on it. The workflow is expected to fail during the
+ malware scan for demonstration purposes.
+- [Building an external Rock](oci_factory_workflows/samples/build_external_rock.yaml)
+ - Build a Chiseled-Python Rock from an external repository using a specified Git commit hash.
+
+**Workflow Inputs:**
+- `oci-archive-name`
+ - Final filename of the rock OCI archive.
+ - Type: string
+ - Required
+- `build-id`
+ - Optional string for identifying workflow jobs in GitHub UI
+ - Type: string
+ - Optional, default: `""`
+- `rock-repo`
+ - Public Git repo where to build the rock from.
+ - Type: string
+ - Required
+- `rock-repo-commit`
+ - Git ref from where to build the rock from.
+ - Type: string
+ - Required
+- `rockfile-directory`
+ - Directory in repository where to find the rockcraft.yaml file.
+ - Type: string
+ - Required
+- `arch-map`
+ - JSON string mapping target architecture to runners.
+ - Type: string
+ - Optional, default: `'{"amd64": ["linux", "X64"], "arm64": ["linux", "ARM64"]}'`
+- `lpci-fallback`
+ - Enable fallback to Launchpad build when runners for target arch are not available.
+ - Type: boolean
+ - Optional, default: `false`
+
+
+## Test-Rock Workflow
+
+The [Test-Rock workflow](https://github.com/canonical/oci-factory/blob/main/.github/workflows/Test-Rock.yaml)
+runs a series of tests on a Rock or OCI image. The image can be sourced either
+from a local artifact or from an external location uploaded as an artifact. The
+workflow includes the following tests, which can be enabled or disabled as
+needed.
+
+- Testing OCI Compliance of Rock images using [Umoci](https://umo.ci/)
+- Testing image storage efficiency using [Dive](https://github.com/wagoodman/dive)
+- Scanning for vulnerabilities using [trivy](https://trivy.dev/)
+- Scanning for malware using [ClamAV](https://www.clamav.net/)
+
+**Samples:**
+- [Build and Test EICAR Rock](oci_factory_workflows/samples/build_and_test_eicar_rock.yaml)
+ - Build a Rock that includes the
+ [EICAR test file](https://en.wikipedia.org/wiki/EICAR_test_file) and run the
+ Test-Rock workflow on it. The workflow is expected to fail during the
+ malware scan for demonstration purposes.
+
+**Workflow Inputs:**
+- `oci-archive-name`
+ - Artifact name to download for testing.
+ - required
+ - type: string
+- `test-oci-compliance`
+ - Enable Umoci OCI Image compliance test.
+ - optional, default: `true`
+ - type: boolean
+- `test-efficiency`
+ - Enable Dive image efficiency test.
+ - optional, default: `true`
+ - type: boolean
+- `test-vulnerabilities`
+ - Enable Trivy vulnerability test.
+ - optional, default: `true`
+ - type: boolean
+- `trivyignore-path`
+ - Optional path to `.trivyignore` file used in vulnerability scan.
+ - optional, default: `""`
+ - type: string
+- `test_malware`
+ - Enable ClamAV malware test.
+ - optional, default: `true`
+ - type: boolean
diff --git a/oci_factory_workflows/samples/build_and_test_eicar_rock.yaml b/oci_factory_workflows/samples/build_and_test_eicar_rock.yaml
new file mode 120000
index 0000000..3bc0344
--- /dev/null
+++ b/oci_factory_workflows/samples/build_and_test_eicar_rock.yaml
@@ -0,0 +1 @@
+../../.github/workflows/build_and_test_eicar_rock.yaml
\ No newline at end of file
diff --git a/oci_factory_workflows/samples/build_external_rock.yaml b/oci_factory_workflows/samples/build_external_rock.yaml
new file mode 120000
index 0000000..b9395c0
--- /dev/null
+++ b/oci_factory_workflows/samples/build_external_rock.yaml
@@ -0,0 +1 @@
+../../.github/workflows/build_external_rock.yaml
\ No newline at end of file
diff --git a/oci_factory_workflows/samples/build_mock_rock.yaml b/oci_factory_workflows/samples/build_mock_rock.yaml
new file mode 120000
index 0000000..f349739
--- /dev/null
+++ b/oci_factory_workflows/samples/build_mock_rock.yaml
@@ -0,0 +1 @@
+../../.github/workflows/build_mock_rock.yaml
\ No newline at end of file