author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-16 17:48:08 +0000 |
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-16 17:48:08 +0000 |
commit | b65b89d538e8c6adad31b84584fe2c53ba8ebc09 (patch) | |
tree | 6fe7ff2b7c36ddf98d24c8a854ca6299103658d1 /.github | |
parent | Initial commit. (diff) | |
download | go-containerregistry-b65b89d538e8c6adad31b84584fe2c53ba8ebc09.tar.xz go-containerregistry-b65b89d538e8c6adad31b84584fe2c53ba8ebc09.zip |
Adding upstream version 0.14.0+ds1.upstream/0.14.0+ds1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '.github')
-rw-r--r-- | .github/ISSUE_TEMPLATE/crane_bug_report.md | 25 | ||||
-rw-r--r-- | .github/ISSUE_TEMPLATE/ggcr_bug_report.md | 25 | ||||
-rw-r--r-- | .github/ISSUE_TEMPLATE/question.md | 9 | ||||
-rw-r--r-- | .github/dependabot.yml | 6 | ||||
-rw-r--r-- | .github/workflows/analyze.yaml | 25 | ||||
-rw-r--r-- | .github/workflows/boilerplate.yaml | 33 | ||||
-rw-r--r-- | .github/workflows/build.yaml | 26 | ||||
-rw-r--r-- | .github/workflows/bump-deps.yaml | 35 | ||||
-rw-r--r-- | .github/workflows/donotsubmit.yaml | 15 | ||||
-rw-r--r-- | .github/workflows/e2e.yaml | 94 | ||||
-rw-r--r-- | .github/workflows/ecr-auth.yaml | 93 | ||||
-rw-r--r-- | .github/workflows/ghcr-auth.yaml | 47 | ||||
-rw-r--r-- | .github/workflows/presubmit.yaml | 34 | ||||
-rw-r--r-- | .github/workflows/release.yml | 78 | ||||
-rw-r--r-- | .github/workflows/stale.yaml | 30 | ||||
-rw-r--r-- | .github/workflows/style.yaml | 55 | ||||
-rw-r--r-- | .github/workflows/test.yaml | 28 |
17 files changed, 658 insertions, 0 deletions
diff --git a/.github/ISSUE_TEMPLATE/crane_bug_report.md b/.github/ISSUE_TEMPLATE/crane_bug_report.md
new file mode 100644
index 0000000..fb14c38
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/crane_bug_report.md
@@ -0,0 +1,25 @@
+---
+name: crane bug report
+about: Create a report to help us improve the crane or gcrane CLIs
+title: 'crane:'
+labels: bug
+assignees: ''
+
+---
+
+### Describe the bug
+
+A clear and concise description of what the bug is.
+
+### To Reproduce
+
+### Expected behavior
+
+A clear and concise description of what you expected to happen.
+
+### Additional context
+
+Add any other context about the problem here.
+
+- Output of `crane version`
+- Registry used (e.g., GCR, ECR, Quay)
diff --git a/.github/ISSUE_TEMPLATE/ggcr_bug_report.md b/.github/ISSUE_TEMPLATE/ggcr_bug_report.md
new file mode 100644
index 0000000..790d97a
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/ggcr_bug_report.md
@@ -0,0 +1,25 @@
+---
+name: Go library bug report
+about: Create a report to help us improve the Go library
+title: 'ggcr:'
+labels: bug
+assignees: ''
+
+---
+
+### Describe the bug
+
+A clear and concise description of what the bug is.
+
+### To Reproduce
+
+### Expected behavior
+
+A clear and concise description of what you expected to happen.
+
+### Additional context
+
+Add any other context about the problem here.
+
+- Version of the module
+- Registry used (e.g., GCR, ECR, Quay)
diff --git a/.github/ISSUE_TEMPLATE/question.md b/.github/ISSUE_TEMPLATE/question.md
new file mode 100644
index 0000000..ff4f551
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/question.md
@@ -0,0 +1,9 @@
+---
+name: Question
+about: Ask a question about the project
+title: 'question:'
+labels: question
+assignees: ''
+
+---
+
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..e2347a8
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+- package-ecosystem: github-actions
+  directory: /
+  schedule:
+    interval: weekly
diff --git a/.github/workflows/analyze.yaml b/.github/workflows/analyze.yaml
new file mode 100644
index 0000000..5982e60
--- /dev/null
+++ b/.github/workflows/analyze.yaml
@@ -0,0 +1,25 @@
+name: Analyze
+
+on:
+  workflow_dispatch:
+  push:
+    branches: ['main']
+  pull_request:
+    branches: ['main']
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          # We must fetch at least the immediate parents so that if this is
+          # a pull request then we can checkout the head.
+          fetch-depth: 2
+
+      - uses: github/codeql-action/init@v2
+        with:
+          languages: go
+      - uses: github/codeql-action/autobuild@v2
+      - uses: github/codeql-action/analyze@v2
diff --git a/.github/workflows/boilerplate.yaml b/.github/workflows/boilerplate.yaml
new file mode 100644
index 0000000..3782e51
--- /dev/null
+++ b/.github/workflows/boilerplate.yaml
@@ -0,0 +1,33 @@
+name: Boilerplate
+
+on:
+  pull_request:
+    branches: ['main']
+
+jobs:
+
+  check:
+    name: Boilerplate Check
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false # Keep running if one leg fails.
+      matrix:
+        extension:
+          - go
+          - sh
+
+        # Map between extension and human-readable name.
+        include:
+          - extension: go
+            language: Go
+          - extension: sh
+            language: Bash
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+
+      - uses: chainguard-dev/actions/boilerplate@5e21cb47971231c078a677dfe89a348371cb880c # main
+        with:
+          extension: ${{ matrix.extension }}
+          language: ${{ matrix.language }}
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
new file mode 100644
index 0000000..b3ba675
--- /dev/null
+++ b/.github/workflows/build.yaml
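Review bot: The Analyze workflow declares no top-level `permissions:` block, so the CodeQL jobs run with whatever default GITHUB_TOKEN scopes the repository grants rather than the minimum they need; the same omission applies to the Boilerplate hunk on this line and to the Build, Do Not Submit, e2e, Presubmit, Close stale, Code Style and Test workflows in this commit, while Bump Deps, ECR auth and GHCR auth do declare their scopes. For this file the least-privilege block is `permissions:` / `  contents: read` / `  security-events: write`, the second scope being what codeql-action/analyze needs to upload results; the read-only workflows can use `permissions: contents: read` alone. Declaring it also makes the scope visible to reviewers instead of depending on the organisation default.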
@@ -0,0 +1,26 @@
+name: Build
+
+on:
+  pull_request:
+    branches: ['main']
+
+jobs:
+
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        go-version: [1.19, '1.20']
+
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
+        with:
+          go-version: ${{ matrix.go-version }}
+          check-latest: true
+
+      - run: |
+          go build ./...
+          go test -run=^$ ./...
diff --git a/.github/workflows/bump-deps.yaml b/.github/workflows/bump-deps.yaml
new file mode 100644
index 0000000..4712489
--- /dev/null
+++ b/.github/workflows/bump-deps.yaml
@@ -0,0 +1,35 @@
+name: Bump Deps
+
+on:
+  schedule:
+    - cron: '0 6 * * 2' # weekly at 6AM Tuesday
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  bump-deps:
+    name: Bump Deps
+
+    # Don't bother bumping deps on forks.
+    if: ${{ github.repository == 'google/go-containerregistry' }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+          check-latest: true
+
+      - run: ./hack/bump-deps.sh
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v4
+        with:
+          title: "Bump dependencies using hack/bump-deps.sh"
+          commit-message: "Bump dependencies using hack/bump-deps.sh"
+          labels: dependencies
+          assignees: imjasonh
+          delete-branch: true
diff --git a/.github/workflows/donotsubmit.yaml b/.github/workflows/donotsubmit.yaml
new file mode 100644
index 0000000..92d454b
--- /dev/null
+++ b/.github/workflows/donotsubmit.yaml
@@ -0,0 +1,15 @@
+name: Do Not Submit
+
+on:
+  pull_request:
+    branches: ['main']
+
+jobs:
+
+  donotsubmit:
+    name: Do Not Submit
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+      - uses: chainguard-dev/actions/donotsubmit@5e21cb47971231c078a677dfe89a348371cb880c # main
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
new file mode 100644
index 0000000..0991bf7
--- /dev/null
+++ b/.github/workflows/e2e.yaml
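Review bot: The matrix `go-version: [1.19, '1.20']` mixes quoting styles: `'1.20'` is quoted because the plain scalar would be read as the float 1.2, but `1.19` is left plain and only survives because it has no trailing zero; the Test workflow in this commit repeats the same list. Quoting both, `go-version: ['1.19', '1.20']`, makes the rule uniform and keeps the next bump from silently losing a version. The single-value `go-version: 1.19` in the other workflows carries the same latent trap and would be safer as `'1.19'`.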
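Review bot: `peter-evans/create-pull-request@v4` runs with `contents: write` and `pull-requests: write` yet is pinned only to a mutable major tag, whereas the chainguard-dev actions elsewhere in this commit are pinned to a full commit SHA with a `# main` comment; an action that can push branches and open PRs against the repository is the one where a moved tag matters most. Pinning it the same way, `uses: peter-evans/create-pull-request@<full-commit-sha> # v4` (placeholder for the resolved SHA), keeps the dependabot github-actions config added in this commit able to bump it. The `if: ${{ github.repository == 'google/go-containerregistry' }}` fork guard is a good pattern that the two auth workflows in this commit would also benefit from.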
@@ -0,0 +1,94 @@
+name: Basic e2e test
+
+on:
+  pull_request:
+    branches: ['main']
+
+jobs:
+  e2e:
+    strategy:
+      fail-fast: false
+      matrix:
+        platform:
+          - ubuntu-latest
+          - windows-latest
+    name: e2e ${{ matrix.platform }}
+    runs-on: ${{ matrix.platform }}
+
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+          check-latest: true
+
+      - name: crane append to an image, set the entrypoint, run it locally, roundtrip it
+        shell: bash
+        run: |
+          set -euxo pipefail
+
+          # Setup local registry
+          go run ./cmd/registry &
+
+          base=alpine
+          platform=linux/amd64
+          if [[ "${{ matrix.platform }}" == "windows-latest" ]]; then
+            base=mcr.microsoft.com/windows/nanoserver:ltsc2022
+            platform=windows/amd64
+          fi
+
+          CGO_ENABLED=0 go build -o app/crane ./cmd/crane
+          tar cvf crane.tar app
+
+          # This prevents Bash for Windows from mangling path names.
+          # It shouldn't be necessary in general unless you're using Bash for
+          # Windows.
+          export MSYS_NO_PATHCONV=1
+
+          img=$(./app/crane mutate \
+            --entrypoint=/app/crane,version \
+            $(./app/crane append \
+              --platform ${platform} \
+              --base ${base} \
+              --new_tag localhost:1338/append-test \
+              --new_layer crane.tar))
+
+          # Run the image with and without args.
+          docker run $img
+          docker run $img --help
+
+          # Make sure we can roundtrip it through pull/push
+          layout=$(mktemp -d)
+          dst=localhost:1338/roundtrip-test
+
+          ./app/crane pull --format=oci $img $layout
+          ./app/crane push --image-refs=foo.images $layout $dst
+          diff <(./app/crane manifest $img) <(./app/crane manifest $(cat foo.images))
+
+          # Make sure we can roundtrip an index (distroless).
+          distroless=$(mktemp -d)
+          remote="gcr.io/distroless/static"
+          local="localhost:1338/distroless:static"
+
+          ./app/crane pull --format=oci $remote $distroless
+          ./app/crane push $distroless $local
+          diff <(./app/crane manifest $remote) <(./app/crane manifest $local)
+
+          # And that it works for a single platform (pulling from what we just pushed).
+          distroless=$(mktemp -d)
+          remote="$local"
+          local="localhost:1338/distroless/platform:static"
+
+          ./app/crane pull --platform=linux/arm64 --format=oci $remote $distroless
+          ./app/crane push $distroless $local
+          diff <(./app/crane manifest --platform linux/arm64 $remote) <(./app/crane manifest $local)
+
+      - name: crane pull image, and export it from stdin to filesystem tar to stdout
+        shell: bash
+        run: |
+          set -euxo pipefail
+
+          ./app/crane pull ubuntu ubuntu.tar
+          ./app/crane export - - < ubuntu.tar > filesystem.tar
+          ls -la *.tar
+
diff --git a/.github/workflows/ecr-auth.yaml b/.github/workflows/ecr-auth.yaml
new file mode 100644
index 0000000..47cfe29
--- /dev/null
+++ b/.github/workflows/ecr-auth.yaml
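Review bot: `go run ./cmd/registry &` is backgrounded and never waited on, so the first push to `localhost:1338/append-test` races the listener coming up; the intervening `go build` probably hides that today, but it is timing-dependent and will surface as a flaky connection-refused failure on a fast runner. A readiness loop right after the start removes the race, e.g. `for i in $(seq 1 30); do curl -sf http://localhost:1338/v2/ && break; sleep 1; done` (the port is taken from the tags used later in the script; confirm it matches what cmd/registry listens on). The `$img`, `$layout` and `$distroless` expansions are unquoted throughout; mktemp paths make that harmless on the ubuntu leg, but quoting them costs nothing and removes the dependence on MSYS_NO_PATHCONV behaviour on the windows leg.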
@@ -0,0 +1,93 @@
+name: ECR Authentication test
+
+on:
+  pull_request_target:
+    branches: [ 'main' ]
+
+permissions:
+  # This lets us clone the repo
+  contents: read
+  # This lets us mint identity tokens.
+  id-token: write
+
+jobs:
+  krane:
+    runs-on: ubuntu-latest
+    env:
+      AWS_ACCOUNT: 479305788615
+      AWS_REGION: us-east-2
+
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+          check-latest: true
+
+      - name: Install krane
+        working-directory: ./cmd/krane
+        run: go install .
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v2.0.0
+        with:
+          role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT }}:role/federated-ecr-readonly
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Test krane + ECR
+        run: |
+          # List the tags
+          krane ls ${{ env.AWS_ACCOUNT }}.dkr.ecr.${{ env.AWS_REGION }}.amazonaws.com/go-containerregistry-test
+
+      - name: Test krane auth get + ECR
+        shell: bash
+        run: |
+          CRED1=$(krane auth get ${{ env.AWS_ACCOUNT }}.dkr.ecr.${{ env.AWS_REGION }}.amazonaws.com)
+          CRED2=$(krane auth get ${{ env.AWS_ACCOUNT }}.dkr.ecr.${{ env.AWS_REGION }}.amazonaws.com)
+          if [[ "$CRED1" == "" ]] ; then
+            exit 1
+          fi
+          if [[ "$CRED1" == "$CRED2" ]] ; then
+            echo "credentials are cached by infrastructure"
+          fi
+
+  crane-ecr-login:
+    runs-on: ubuntu-latest
+    env:
+      AWS_ACCOUNT: 479305788615
+      AWS_REGION: us-east-2
+
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+          check-latest: true
+
+      - name: Install crane
+        working-directory: ./cmd/crane
+        run: go install .
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v2.0.0
+        with:
+          role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT }}:role/federated-ecr-readonly
+          aws-region: ${{ env.AWS_REGION }}
+
+      - run: |
+          wget https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/0.5.0/linux-amd64/docker-credential-ecr-login
+          chmod +x ./docker-credential-ecr-login
+          mv docker-credential-ecr-login /usr/local/bin
+
+          cat > $HOME/.docker/config.json <<EOF
+          {
+            "credHelpers": {
+              "${{ env.AWS_ACCOUNT }}.dkr.ecr.${{ env.AWS_REGION }}.amazonaws.com": "ecr-login"
+            }
+          }
+          EOF
+
+      - name: Test crane + ECR
+        run: |
+          # List the tags
+          crane ls ${{ env.AWS_ACCOUNT }}.dkr.ecr.${{ env.AWS_REGION }}.amazonaws.com/go-containerregistry-test
diff --git a/.github/workflows/ghcr-auth.yaml b/.github/workflows/ghcr-auth.yaml
new file mode 100644
index 0000000..a511827
--- /dev/null
+++ b/.github/workflows/ghcr-auth.yaml
@@ -0,0 +1,47 @@
+name: GHCR Authentication test
+
+on:
+  pull_request_target:
+    branches: ['main']
+  push:
+    branches: ['main']
+
+permissions:
+  contents: read
+  packages: read
+
+jobs:
+  krane:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+          check-latest: true
+
+      - name: Install krane
+        working-directory: ./cmd/krane
+        run: go install .
+
+      - name: Test krane + GHCR
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |
+          # List the tags
+          krane ls ghcr.io/${{ github.repository }}/testimage
+
+      - name: Test krane auth get + GHCR
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        shell: bash
+        run: |
+          CRED1=$(krane auth get ghcr.io)
+          CRED2=$(krane auth get ghcr.io)
+          if [[ "$CRED1" == "" ]] ; then
+            exit 1
+          fi
+          if [[ "$CRED1" == "$CRED2" ]] ; then
+            echo "credentials are cached by infrastructure"
+          fi
+
diff --git a/.github/workflows/presubmit.yaml b/.github/workflows/presubmit.yaml
new file mode 100644
index 0000000..7771a7f
--- /dev/null
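Review bot: In the `crane-ecr-login` job the `wget https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/0.5.0/linux-amd64/docker-credential-ecr-login` download is made executable and moved into /usr/local/bin with no integrity check, so the job trusts whatever that URL serves on the day it runs, and the binary then handles the freshly minted AWS credentials; pinning an expected digest, `echo "<expected-sha256>  docker-credential-ecr-login" | sha256sum -c -` (placeholder) before the `chmod +x`, is the usual fix. The workflow runs on `pull_request_target` with `id-token: write` and is only safe because `actions/checkout@v3` stays on the base branch, so PR code is never built while the assumable role is in scope; a comment above the checkout stating that invariant, e.g. `# Deliberately checks out the base ref, not the PR head: this job holds id-token: write.`, would stop a later edit from breaking it. Both jobs also repeat the `AWS_ACCOUNT`/`AWS_REGION` env and the Configure AWS Credentials step; a workflow-level `env:` would keep the account and region in one place.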
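Review bot: Both authentication workflows target project-specific infrastructure (`ghcr.io/${{ github.repository }}/testimage` here, the AWS account and role in ecr-auth) but, unlike Bump Deps, carry no repository guard, so every fork that keeps the workflow gets a failing check on each pull request and push to main. Adding `if: ${{ github.repository == 'google/go-containerregistry' }}` to the `krane` job here and to both ecr-auth jobs makes the intent explicit. The `CRED1 == CRED2` branch only echoes and never fails, which reads as intentional; a short comment such as `# Informational only: equal credentials just mean the provider cached them.` would keep a future reader from "fixing" it into an assertion.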
+++ b/.github/workflows/presubmit.yaml
@@ -0,0 +1,34 @@
+# Copyright 2021 Google LLC All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Presubmit
+
+on:
+  push:
+    branches: ['main']
+  pull_request:
+    branches: ['main']
+
+jobs:
+  presubmit:
+    name: Presubmit
+    runs-on: 'ubuntu-latest'
+
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+          check-latest: true
+      - run: ./hack/presubmit.sh
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..abdaad3
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,78 @@
+name: goreleaser
+
+on:
+  push:
+    tags: ['*']
+
+jobs:
+  goreleaser:
+    runs-on: ubuntu-latest
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+    steps:
+      - uses: actions/checkout@v3
+      - name: Unshallow
+        run: git fetch --prune --unshallow
+      - uses: actions/setup-go@v3
+        with:
+          go-version: 1.18
+          check-latest: true
+      - uses: goreleaser/goreleaser-action@v4.2.0
+        id: run-goreleaser
+        with:
+          version: latest
+          args: release --rm-dist
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Generate subject
+        id: hash
+        env:
+          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
+        run: |
+          set -euo pipefail
+
+          checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
+          echo "::set-output name=hashes::$(cat $checksum_file | base64 -w0)"
+
+  provenance:
+    needs: [goreleaser]
+    permissions:
+      actions: read # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write # To add assets to a release.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
+    with:
+      base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
+      upload-assets: true # upload to a new release
+
+  verification:
+    needs: [goreleaser, provenance]
+    runs-on: ubuntu-latest
+    permissions: read-all
+    steps:
+      # Note: this will be replaced with the GHA in the future.
+      # See https://github.com/slsa-framework/slsa-verifier/issues/95
+      - name: Install SLSA verifier
+        uses: slsa-framework/slsa-verifier/actions/installer@v2.0.1
+      - name: Download assets
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.tar.gz"
+          gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "multiple.intoto.jsonl"
+      - name: Verify assets
+        env:
+          CHECKSUMS: ${{ needs.goreleaser.outputs.hashes }}
+          PROVENANCE: "${{ needs.provenance.outputs.attestation-name }}"
+        run: |
+          set -euo pipefail
+          checksums=$(echo "$CHECKSUMS" | base64 -d)
+          while read -r line; do
+            fn=$(echo $line | cut -d ' ' -f2)
+            echo "Verifying $fn"
+            ./slsa-verifier-linux-amd64 -artifact-path "$fn" \
+              -provenance "$PROVENANCE" \
+              -source "github.com/$GITHUB_REPOSITORY" \
+              -tag "$GITHUB_REF_NAME"
+          done <<<"$checksums"
diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
new file mode 100644
index 0000000..38d76ab
--- /dev/null
+++ b/.github/workflows/stale.yaml
@@ -0,0 +1,30 @@
+name: 'Close stale'
+
+on:
+  schedule:
+    - cron: '0 1 * * *'
+
+jobs:
+  stale:
+    runs-on: 'ubuntu-latest'
+    steps:
+      - uses: 'actions/stale@v7'
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+
+          stale-issue-message: |-
+            This issue is stale because it has been open for 90 days with no
+            activity. It will automatically close after 30 more days of
+            inactivity. Keep fresh with the 'lifecycle/frozen' label.
+          stale-issue-label: 'lifecycle/stale'
+          exempt-issue-labels: 'lifecycle/frozen'
+
+          stale-pr-message: |-
+            This Pull Request is stale because it has been open for 90 days with
+            no activity. It will automatically close after 30 more days of
+            inactivity. Keep fresh with the 'lifecycle/frozen' label.
+          stale-pr-label: 'lifecycle/stale'
+          exempt-pr-labels: 'lifecycle/frozen'
+
+          days-before-stale: 90
+          days-before-close: 30
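Review bot: The `Generate subject` step publishes its result with `echo "::set-output name=hashes::..."`, the workflow command GitHub deprecated in favour of the `$GITHUB_OUTPUT` file, so the `hashes` output that both the provenance and verification jobs depend on will break outright once the command is removed; `echo "hashes=$(base64 -w0 < "$checksum_file")" >> "$GITHUB_OUTPUT"` is the drop-in replacement and also drops the useless `cat`. The `goreleaser` job declares no `permissions:` while `provenance` and `verification` do, even though `release --rm-dist` needs `contents: write` through the GITHUB_TOKEN it is handed; and `--rm-dist` has been renamed in newer goreleaser versions, which matters with `version: latest`, so pinning the goreleaser version is safer than relying on the old flag. In the verification loop, `fn=$(echo $line | cut -d ' ' -f2)` appears to work only because the unquoted `$line` collapses the double-space separator of the checksums file; `fn=$(awk '{print $2}' <<<"$line")` says what is meant without that dependence.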
diff --git a/.github/workflows/style.yaml b/.github/workflows/style.yaml
new file mode 100644
index 0000000..baf54c9
--- /dev/null
+++ b/.github/workflows/style.yaml
@@ -0,0 +1,55 @@
+name: Code Style
+
+on:
+  pull_request:
+    branches: ['main']
+
+jobs:
+
+  goimports:
+    name: check goimports
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+          check-latest: true
+      - uses: actions/checkout@v3
+      - uses: chainguard-dev/actions/goimports@5e21cb47971231c078a677dfe89a348371cb880c # main
+
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+          check-latest: true
+
+      - uses: golangci/golangci-lint-action@v3.4.0
+        with:
+          version: v1.51.2
+
+      - uses: reviewdog/action-misspell@v1
+        if: ${{ always() }}
+        with:
+          github_token: ${{ secrets.github_token }}
+          fail_on_error: true
+          locale: "US"
+          exclude: ./vendor/*
+
+      - uses: chainguard-dev/actions/trailing-space@5e21cb47971231c078a677dfe89a348371cb880c # main
+        if: ${{ always() }}
+
+      - uses: chainguard-dev/actions/eof-newline@5e21cb47971231c078a677dfe89a348371cb880c # main
+        if: ${{ always() }}
+
+      - uses: get-woke/woke-action-reviewdog@v0
+        if: ${{ always() }}
+        with:
+          github-token: ${{ secrets.github_token }}
+          reporter: github-pr-check
+          level: error
+          fail-on-error: true
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
new file mode 100644
index 0000000..8f31fd2
--- /dev/null
+++ b/.github/workflows/test.yaml
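Review bot: Each `if: ${{ always() }}` on the lint steps also fires when the job is cancelled, so a superseded PR run still spends minutes on misspell, trailing-space, eof-newline and woke after golangci-lint is aborted; `if: ${{ !cancelled() }}` keeps the run-even-after-failure intent without that. The two `${{ secrets.github_token }}` references use the lowercase spelling; it appears to resolve since secret names are matched case-insensitively, but `secrets.GITHUB_TOKEN` matches release.yml and stale.yaml in the same commit and is easier to grep. `reviewdog/action-misspell@v1` and `get-woke/woke-action-reviewdog@v0` are the only third-party actions in this file left on mutable major tags while the chainguard-dev ones are SHA-pinned; both receive a token and post to the PR, so they deserve the same `@<full-commit-sha> # vN` treatment (placeholder).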
@@ -0,0 +1,28 @@
+name: Test
+
+on:
+  push:
+    branches: ['main']
+  pull_request:
+    branches: ['main']
+
+jobs:
+
+  test:
+    strategy:
+      matrix:
+        go-version: [1.19, '1.20']
+
+    name: Unit Tests
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
+        with:
+          go-version: ${{ matrix.go-version }}
+          check-latest: true
+
+      - run: go test -coverprofile=coverage.txt -covermode=atomic -race ./...
+
+      - uses: codecov/codecov-action@v3.1.1 |