Skip to content

logging in container scanning #3369

logging in container scanning

logging in container scanning #3369

Workflow file for this run

# Build and test on each commit. Create a release on tagged commits.
#
# Binaries on each platform are stripped. This removes debug symbols.
name: Build
on: [push]
jobs:
build-all:
name: ${{ matrix.os-name }}-build
runs-on: ${{ matrix.os }}
container: ${{ matrix.container }}
env:
GHC_VERSION: '9.4.8'
defaults:
run:
shell: bash
strategy:
matrix:
os: ['windows-latest', 'ubuntu-latest', 'macos-12', 'macos-latest']
include:
- os: ubuntu-latest
os-name: Linux
container: fossa/haskell-static-alpine:ghc-9.4.8
project-file: cabal.project.ci.linux
ghc: '9.4.8'
# macos-latest pointed at macos-12 this before it was changed to ARM.
- os: macos-12
os-name: macOS-intel
project-file: cabal.project.ci.macos
ghc: '9.4.8'
- os: windows-latest
os-name: Windows
project-file: cabal.project.ci.windows
ghc: '9.4.8'
- os: macos-latest
os-name: macOS-arm64
project-file: cabal.project.ci.macos
ghc: '9.4.8'
steps:
- uses: actions/checkout@v4
with:
lfs: true
fetch-depth: 2
- name: Install MacOS binary dependencies
if: ${{ contains(matrix.os, 'macos') }}
run: |
brew install jq
# Set up Haskell.
- uses: haskell-actions/setup@v2
id: setup-haskell
name: Setup ghc/cabal (non-alpine)
if: ${{ !contains(matrix.os, 'ubuntu') }}
with:
ghc-version: ${{ matrix.ghc }}
cabal-version: '3.10.2.1'
# Set up Rust.
# This action installs the 'minimal' profile.
- uses: dtolnay/rust-toolchain@stable
- name: Install additional Rust tooling
uses: taiki-e/install-action@v2
with:
tool: nextest
- uses: Swatinem/rust-cache@v2
- name: Debugging information
run: |
ghc --version || echo "no ghc"
cabal --version || echo "no cabal"
ghcup --version || echo "no ghcup"
rustc -V || echo "no rustc"
cargo -V || echo "no cargo"
# Linux builds are run in Alpine, which builds them statically;
# using jemalloc reduces the performance impact of this
# over the default libc allocator (which performs very poorly in static builds).
- name: Build Rust dependencies (Linux)
if: ${{ matrix.os-name == 'linux' }}
run: cargo build --features jemalloc --release
# Non-Linux environments generally don't need `jemalloc`
# and in particular Windows doesn't support it.
- name: Build Rust dependencies (non-Linux)
if: ${{ matrix.os-name != 'linux' }}
run: cargo build --release
# Run tests in release mode to reduce the need for rebuilds.
- name: Test Rust dependencies
run: cargo nextest run --release
- name: Ensure git ownership check does not lead to compiler error
run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
- name: Check git status and collect information
# https://github.com/actions/checkout/issues/760#issuecomment-1099519159
run: |
git status --porcelain
echo "parent_commit=$(git rev-parse HEAD^)" >> $GITHUB_ENV
# Compute cache key and save to a temporary file.
#
# We compute the cache key based on the solved install plan instead of just
# hashing the `.cabal` file, since there are many kinds of changes that will
# cause `.cabal` to change (e.g. adding new source modules).
- name: Compute cache key
id: compute-cache-key
env:
RUNNER_OS: ${{ runner.os }}
run: |
cabal --project-file=${{ matrix.project-file }} update
cabal --project-file=${{ matrix.project-file }} build --dry-run
cat dist-newstyle/cache/plan.json | jq '."install-plan"[]."id"' | sort > /tmp/cabal-cache-key
echo "Install plan:"
cat /tmp/cabal-cache-key
if [ "$RUNNER_OS" = "macOS" ]; then
PLAN_SUM=$(shasum -a256 /tmp/cabal-cache-key)
else
PLAN_SUM=$(sha256sum /tmp/cabal-cache-key)
fi
export CABAL_CACHE_KEY=$(echo $PLAN_SUM | awk '{print $1}')
echo "Cabal cache key: $CABAL_CACHE_KEY"
echo "cabal-cache-key=$CABAL_CACHE_KEY" >> $GITHUB_OUTPUT
# Build FOSSA CLI.
- uses: actions/cache@v4
name: Cache cabal store
with:
path: ${{ steps.setup-haskell.outputs.cabal-store || '~/.local/state/cabal' }}
key: ${{ matrix.os-name }}-${{ matrix.ghc }}-cabal-cache-${{ steps.compute-cache-key.outputs.cabal-cache-key }}
restore-keys: |
${{ matrix.os-name }}-${{ matrix.ghc }}-cabal-cache-
${{ matrix.os-name }}-${{ matrix.ghc }}-
${{ matrix.os-name }}-
- uses: actions/cache@v4
name: Cache dist-newstyle
with:
path: ${{ github.workspace }}/dist-newstyle
key: ${{ matrix.os-name }}-${{ env.GHC_VERSION }}-dist-newstyle-${{ github.sha }}
restore-keys: |
${{ matrix.os-name }}-${{ env.GHC_VERSION }}-dist-newstyle-${{ env.parent_commit }}
${{ matrix.os-name }}-${{ env.GHC_VERSION }}-dist-newstyle-
${{ matrix.os-name }}-${{ env.GHC_VERSION }}-
${{ matrix.os-name }}-
- name: Update vendored binaries
run: |
mkdir vendor-bins
./vendor_download.sh
env:
GITHUB_TOKEN: ${{ secrets.BASIS_ACCESS_TOKEN }}
- name: Build test data
run: |
make build-test-data
- name: Build
# Occasionally, we run out of memory on the build process.
# Since cabal uses incremental compilation, we can retry from where we left off
# by simply re-running cabal if we fail.
env:
RUN_CMD: cabal build --project-file=${{ matrix.project-file }} all
run: |
: # With dist-newstyle caches:
: # Cabal mainly knows to recompile based on changes to files.
: # Tagging in git doesn't reliably change a file in a fixed location that cabal/GHC can track to indicate that there's a new tag.
: # For our release process, we merge to master, which builds (and may store a dist-newstyle cache), then push a release tag.
: # During the tag build, cabal/GHC may not realize that they have to rebuild the Version.hs file because the tag is invisible to it.
: # This line adds a unique comment to our version source file to prompt cabal/GHC to rebuild Version.hs unconditionally.
echo "{- $RANDOM$RANDOM$RANDOM -}" >> src/App/Version.hs
cabal update
$RUN_CMD || $RUN_CMD
- name: Run unit tests
run: |
cabal test --project-file=${{ matrix.project-file }} unit-tests
- name: Validate diagnose commands run on the platform
run: |
cargo run --bin diagnose -- walk --trace-spans none --trace-level info
# Test cabal-install
- name: Test Cabal Install (Linux)
if: ${{ contains(matrix.os, 'linux') }}
run: cabal install --overwrite-policy=always --project=${{ matrix.project-file }} --ghc-options="-Wwarn"
# Save artifacts.
- name: Find and move binaries (Windows)
if: ${{ contains(matrix.os, 'windows') }}
run: |
mkdir release
find . -type f -path '*/fossa/fossa.exe' -exec cp {} release \;
./release/fossa.exe --version
cp target/release/diagnose.exe release
cp target/release/millhone.exe release
- name: Find and move binaries (non-Windows)
if: ${{ !contains(matrix.os, 'windows') }}
run: |
mkdir release
find . -type f -path '*/fossa/fossa' -exec cp {} release \;
./release/fossa --version
cp target/release/diagnose release
cp target/release/millhone release
- name: Strip binaries
run: |
strip release/*
- name: Sign and Notarize Binaries (Mac OS)
if: ${{ contains(matrix.os, 'macos') && startsWith(github.ref, 'refs/tags/v') }}
env:
MACOS_BUILD_CERT_BASE64: ${{ secrets.MACOS_BUILD_CERT_BASE64 }}
MACOS_BUILD_CERT_P12_PASSWORD: ${{ secrets.MACOS_BUILD_CERT_P12_PASSWORD }}
MACOS_KEYCHAIN_PASSWORD: ${{ secrets.MACOS_KEYCHAIN_PASSWORD }}
APPLE_NOTARIZATION_DEV_PASS: ${{ secrets.APPLE_NOTARIZATION_DEV_PASS }}
APPLE_NOTARIZATION_DEV_ID: ${{ secrets.APPLE_NOTARIZATION_DEV_ID }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
OS_NAME: ${{ matrix.os-name }}
run: |
# create variables
CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
# import certificate and provisioning profile from secrets
echo -n "$MACOS_BUILD_CERT_BASE64" | base64 --decode -o $CERTIFICATE_PATH
# create temporary keychain
security create-keychain -p "$MACOS_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "$MACOS_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
# import certificate to keychain
security import $CERTIFICATE_PATH -P "$MACOS_BUILD_CERT_P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH
chmod +x release/*
# '--options runtime' enables the hardened runtime: https://developer.apple.com/documentation/security/hardened_runtime
# On Apple Silicon there doesn't seem to be a default liblzma, and the one installed via homebrew is rejected.
# The entitlement line will relax that check.
# The hardened runtime is required for notarization.
if [ "$OS_NAME" = "macOS-arm64" ] ; then
codesign --entitlements .github/entitlements.plist --options runtime -s 'FOSSA, Inc.' release/fossa
else
# Intel does not need the entitlement to run liblzma, which is included in the base system.
codesign --options runtime -s 'FOSSA, Inc.' release/fossa
fi
codesign --options runtime -s 'FOSSA, Inc.' release/diagnose
codesign --options runtime -s 'FOSSA, Inc.' release/millhone
# Perform notarization
zip -rj notarization-archive.zip release
NOTARY_RESULTS=$(xcrun notarytool submit notarization-archive.zip --apple-id "$APPLE_NOTARIZATION_DEV_ID" --password "$APPLE_NOTARIZATION_DEV_PASS" --team-id "$APPLE_TEAM_ID" --wait)
echo "$NOTARY_RESULTS"
rm notarization-archive.zip
# The notarization tool doesn't set $?, so examine the output.
if ! echo "$NOTARY_RESULTS" | grep -q "status: Accepted"; then
exit 1
fi
- uses: actions/upload-artifact@v4
with:
name: ${{ matrix.os-name }}-binaries
path: release
create-release:
name: create-release
runs-on: ubuntu-latest
needs: ['build-all']
permissions:
id-token: write
contents: write
steps:
- uses: actions/download-artifact@v4
# Sets VERSION from git's tag or sha.
# refer to: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#example-of-setting-an-output-parameter
- name: Get version
id: get-version
run: |
case $GITHUB_REF in
refs/tags/v*)
# This strips the 'v' prefix from the tag.
echo "VERSION=${GITHUB_REF/refs\/tags\/v/}" >> "$GITHUB_OUTPUT"
;;
*)
echo "VERSION=${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
;;
esac
- name: Check that version info was embedded correctly
if: ${{ startsWith(github.ref, 'refs/tags/v') }}
run: |
chmod +x Linux-binaries/fossa
echo $GITHUB_REF_NAME
echo $GITHUB_REF_TYPE
echo $GITHUB_SHA
echo ${GITHUB_SHA:0:12}
VERSION=$(echo $(Linux-binaries/fossa --version))
EXPECTED="fossa-cli version ${{ steps.get-version.outputs.VERSION }} (revision ${GITHUB_SHA:0:12} compiled with ghc-9.4)"
echo " VERSION: $VERSION"
echo "EXPECTED: $EXPECTED"
[ "$GITHUB_REF_TYPE" = "tag" ] && echo "Ref type OK"
[ "$VERSION" = "$EXPECTED" ] && echo "CLI version OK"
- name: Install Cosign
if: ${{ github.ref_type == 'tag' }}
uses: sigstore/[email protected]
- name: Sign Release (Linux)
if: ${{ github.ref_type == 'tag' }}
run: |
cosign version
cosign sign-blob --yes --bundle "Linux-binaries/fossa.bundle" "Linux-binaries/fossa"
cosign sign-blob --yes --bundle "Linux-binaries/diagnose.bundle" "Linux-binaries/diagnose"
cosign sign-blob --yes --bundle "Linux-binaries/millhone.bundle" "Linux-binaries/millhone"
- name: Verify Signatures
if: ${{ github.ref_type == 'tag' }}
run: |
cosign verify-blob --bundle "Linux-binaries/fossa.bundle" --certificate-oidc-issuer "https://token.actions.githubusercontent.com" --certificate-identity "https://github.com/$GITHUB_WORKFLOW_REF" "Linux-binaries/fossa"
cosign verify-blob --bundle "Linux-binaries/diagnose.bundle" --certificate-oidc-issuer "https://token.actions.githubusercontent.com" --certificate-identity "https://github.com/$GITHUB_WORKFLOW_REF" "Linux-binaries/diagnose"
cosign verify-blob --bundle "Linux-binaries/millhone.bundle" --certificate-oidc-issuer "https://token.actions.githubusercontent.com" --certificate-identity "https://github.com/$GITHUB_WORKFLOW_REF" "Linux-binaries/millhone"
# This uses names compatible with our install script.
#
# Originally, CLI >=2.x Linux releases were only packaged as zip files, but
# we added tar.gz to improve compatibility. Our install script depends on
# the unzip command, which is not installed in most Linux distributions by
# default. To avoid breaking compatibility with older install scripts, we
# release both formats but default to using tar.gz when installing.
- name: Bundle binaries
env:
LINUX_FOSSA_TAR_PATH: "release/fossa_${{ steps.get-version.outputs.VERSION }}_linux_amd64.tar"
LINUX_FOSSA_ZIP_PATH: "release/fossa_${{ steps.get-version.outputs.VERSION }}_linux_amd64.zip"
LINUX_DIAGNOSE_TAR_PATH: "release/diagnose_${{ steps.get-version.outputs.VERSION }}_linux_amd64.tar"
LINUX_DIAGNOSE_ZIP_PATH: "release/diagnose_${{ steps.get-version.outputs.VERSION }}_linux_amd64.zip"
LINUX_MILLHONE_TAR_PATH: "release/millhone_${{ steps.get-version.outputs.VERSION }}_linux_amd64.tar"
LINUX_MILLHONE_ZIP_PATH: "release/millhone_${{ steps.get-version.outputs.VERSION }}_linux_amd64.zip"
run: |
mkdir release
ls -R
chmod +x Linux-binaries/*
zip -j "$LINUX_FOSSA_ZIP_PATH" Linux-binaries/fossa
zip -j "$LINUX_DIAGNOSE_ZIP_PATH" Linux-binaries/diagnose
zip -j "$LINUX_MILLHONE_ZIP_PATH" Linux-binaries/millhone
tar --create --verbose --file "$LINUX_FOSSA_TAR_PATH" --directory Linux-binaries fossa
tar --create --verbose --file "$LINUX_DIAGNOSE_TAR_PATH" --directory Linux-binaries diagnose
tar --create --verbose --file "$LINUX_MILLHONE_TAR_PATH" --directory Linux-binaries millhone
if [ "$GITHUB_REF_TYPE" = "tag" ]; then
tar --append --file "$LINUX_FOSSA_TAR_PATH" --directory Linux-binaries fossa.bundle
tar --append --file "$LINUX_DIAGNOSE_TAR_PATH" --directory Linux-binaries diagnose.bundle
tar --append --file "$LINUX_MILLHONE_TAR_PATH" --directory Linux-binaries millhone.bundle
zip -j "$LINUX_FOSSA_ZIP_PATH" Linux-binaries/fossa.bundle
zip -j "$LINUX_DIAGNOSE_ZIP_PATH" Linux-binaries/diagnose.bundle
zip -j "$LINUX_MILLHONE_ZIP_PATH" Linux-binaries/millhone.bundle
fi
gzip "$LINUX_FOSSA_TAR_PATH"
gzip "$LINUX_DIAGNOSE_TAR_PATH"
gzip "$LINUX_MILLHONE_TAR_PATH"
chmod +x macOS-intel-binaries/*
zip -j release/fossa_${{ steps.get-version.outputs.VERSION }}_darwin_amd64.zip macOS-intel-binaries/fossa
zip -j release/diagnose_${{ steps.get-version.outputs.VERSION }}_darwin_amd64.zip macOS-intel-binaries/diagnose
zip -j release/millhone_${{ steps.get-version.outputs.VERSION }}_darwin_amd64.zip macOS-intel-binaries/millhone
chmod +x macOS-arm64-binaries/*
zip -j release/fossa_${{ steps.get-version.outputs.VERSION }}_darwin_arm64.zip macOS-arm64-binaries/fossa
zip -j release/diagnose_${{ steps.get-version.outputs.VERSION }}_darwin_arm64.zip macOS-arm64-binaries/diagnose
zip -j release/millhone_${{ steps.get-version.outputs.VERSION }}_darwin_arm64.zip macOS-arm64-binaries/millhone
chmod +x Windows-binaries/*
zip -j release/fossa_${{ steps.get-version.outputs.VERSION }}_windows_amd64.zip Windows-binaries/fossa.exe
zip -j release/diagnose_${{ steps.get-version.outputs.VERSION }}_windows_amd64.zip Windows-binaries/diagnose.exe
zip -j release/millhone_${{ steps.get-version.outputs.VERSION }}_windows_amd64.zip Windows-binaries/millhone.exe
- name: Create checksums
# We have to run from within the release dir so that "release" isn't prepended to the relative path of the zip file.
run: |
cd release
sha256sum --binary "fossa_${{ steps.get-version.outputs.VERSION }}_linux_amd64.zip" > "fossa_${{ steps.get-version.outputs.VERSION }}_linux_amd64.zip.sha256"
sha256sum --binary "fossa_${{ steps.get-version.outputs.VERSION }}_linux_amd64.tar.gz" > "fossa_${{ steps.get-version.outputs.VERSION }}_linux_amd64.tar.gz.sha256"
sha256sum --binary "fossa_${{ steps.get-version.outputs.VERSION }}_darwin_amd64.zip" > "fossa_${{ steps.get-version.outputs.VERSION }}_darwin_amd64.zip.sha256"
sha256sum --binary "fossa_${{ steps.get-version.outputs.VERSION }}_darwin_arm64.zip" > "fossa_${{ steps.get-version.outputs.VERSION }}_darwin_arm64.zip.sha256"
sha256sum --binary "fossa_${{ steps.get-version.outputs.VERSION }}_windows_amd64.zip" > "fossa_${{ steps.get-version.outputs.VERSION }}_windows_amd64.zip.sha256"
echo "Sanity-checking the checksums."
cat *.sha256 | sha256sum --check --status
# Uploads the generated archives (tar.gz/zip) as build artifacts to allow
# verifying them without needing to do an actual release. This step does not
# need to run for tagged release versions.
- name: Upload release archives
if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
uses: actions/upload-artifact@v4
with:
name: release-archives
path: release
- name: Release
if: ${{ startsWith(github.ref, 'refs/tags/v') }}
uses: softprops/action-gh-release@v1
with:
files: release/*
draft: true
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}