- .github/workflows/ci.yml — 17 jobs: fmt, clippy, test, e2e, enospc, e2e-resolve, build-release (gnu+musl), smoke-test, reproducibility-check (gnu+musl), cross-run-reproducibility (gnu+musl), lockfile-check, cargo-deny, ci-contract - .github/workflows/release.yml — 4 jobs: build, sign (cosign OIDC), verify, publish - .github/workflows/supply-chain-test.yml — 11 adversarial jobs: build-and-sign, verify-signatures, tamper-binary, tamper-sbom, tamper-signature-removal, adversarial-env-injection, adversarial-artifact-tampering, adversarial-build-script, adversarial-credential-injection, adversarial-rustflags-bypass, verify-docs-executable - .github/actions/karapace-build/action.yml — reusable build action - .cargo/config.toml — SOURCE_DATE_EPOCH=0, local path remapping for reproducibility - CI_CONTRACT.md — required jobs list enforced by ci-contract gate job - scripts/generate-sbom.sh — CycloneDX SBOM generation - CARGO_INCREMENTAL=0 globally, cargo clean before all release builds - Cosign keyless signing with GitHub Actions OIDC - 32 total CI jobs across 3 workflows
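name: 'Karapace Build'
description: 'Build a Karapace environment from a manifest file'

# Composite action: installs the karapace CLI (from the checked-out source
# tree or crates.io), builds the environment described by a manifest, and
# exposes the resulting IDs as outputs for later steps.
inputs:
  manifest:
    description: 'Path to the karapace.toml manifest file'
    required: true
    default: 'karapace.toml'
  name:
    description: 'Optional name for the environment'
    required: false
  karapace-version:
    description: 'Version of Karapace to install (or "latest")'
    required: false
    default: 'latest'
  store-path:
    description: 'Path to the Karapace store directory'
    required: false
    default: '/tmp/karapace-store'

outputs:
  env-id:
    description: 'The environment ID of the built environment'
    value: ${{ steps.build.outputs.env_id }}
  short-id:
    description: 'The short ID of the built environment'
    value: ${{ steps.build.outputs.short_id }}

runs:
  using: 'composite'
  steps:
    - name: Install prerequisites
      shell: bash
      run: |
        set -euo pipefail
        sudo apt-get update -qq
        # jq is required by the "Build environment" step to parse --json output;
        # install it explicitly rather than relying on the runner image.
        sudo apt-get install -y -qq fuse-overlayfs curl jq
        # Best-effort: some kernels gate unprivileged user namespaces behind this
        # sysctl; on hosts where the key does not exist the write fails harmlessly.
        sudo sysctl -w kernel.unprivileged_userns_clone=1 || true

    - name: Install Karapace
      shell: bash
      # Caller-controlled inputs are passed through the environment and read as
      # shell variables instead of being interpolated with ${{ }} into the script
      # text, so an input value can never be parsed as shell syntax.
      env:
        KARAPACE_VERSION: ${{ inputs.karapace-version }}
      run: |
        set -euo pipefail
        if [ "$KARAPACE_VERSION" = "latest" ]; then
          # Prefer the checked-out source tree (requires the caller to have run
          # actions/checkout on the karapace repository), then fall back to
          # crates.io. As before, an install failure is only a warning on the
          # assumption that a locally built `karapace` binary is already on PATH.
          cargo install --path crates/karapace-cli --root /usr/local 2>/dev/null || \
          cargo install karapace-cli --root /usr/local 2>/dev/null || \
          echo "::warning::Could not install karapace; using local build"
        else
          # A pinned version was requested. Previously this branch was a no-op and
          # the karapace-version input was silently ignored.
          cargo install karapace-cli --version "$KARAPACE_VERSION" --root /usr/local 2>/dev/null || \
          echo "::warning::Could not install karapace $KARAPACE_VERSION; using local build"
        fi

    - name: Build environment
      id: build
      shell: bash
      # Same rationale as above: never splice ${{ inputs.* }} into the script body.
      env:
        KARAPACE_MANIFEST: ${{ inputs.manifest }}
        KARAPACE_ENV_NAME: ${{ inputs.name }}
        KARAPACE_STORE: ${{ inputs.store-path }}
      run: |
        set -euo pipefail
        # Build the argument list as an array so a store path or environment name
        # containing whitespace stays a single argument (the old $ARGS string was
        # expanded unquoted and word-split).
        args=(--store "$KARAPACE_STORE" --json)
        if [ -n "$KARAPACE_ENV_NAME" ]; then
          args+=(--name "$KARAPACE_ENV_NAME")
        fi
        # stdout and stderr are captured together so a failure log includes the
        # CLI's diagnostics.
        # NOTE(review): this also means any non-JSON text the CLI writes to stderr
        # on success would break the jq parse below — confirm --json keeps stderr quiet.
        if ! OUTPUT=$(karapace "${args[@]}" build "$KARAPACE_MANIFEST" 2>&1); then
          echo "::error::Karapace build failed"
          echo "$OUTPUT"
          exit 1
        fi
        echo "$OUTPUT"
        # `// empty` yields no output (rather than the string "null") when a field
        # is absent.
        ENV_ID=$(echo "$OUTPUT" | jq -r '.env_id // empty')
        SHORT_ID=$(echo "$OUTPUT" | jq -r '.short_id // empty')
        # An empty env_id would previously be written silently and only surface as
        # a confusing failure in a later step; fail here with a clear message.
        if [ -z "$ENV_ID" ]; then
          echo "::error::Karapace build produced no env_id in its JSON output"
          echo "$OUTPUT"
          exit 1
        fi
        echo "env_id=$ENV_ID" >> "$GITHUB_OUTPUT"
        echo "short_id=$SHORT_ID" >> "$GITHUB_OUTPUT"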