Replace image validity check with shell script

The script is more or less straight forward and saves us some go
dependencies and a custom go build execution.

Signed-off-by: Tom Wieczorek <[email protected]>

.github/workflows/go.yml

@@ -85,6 +85,32 @@ jobs:
       target-os: linux
       target-arch: amd64
 
+  check-images:
+    name: "Check :: Images"
+    needs: [build-k0s]
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
+    steps:
+      - name: "Workflow run :: Checkout"
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+          show-progress: false
+
+      - name: "Download :: Airgap image list"
+        uses: actions/download-artifact@v4
+        with:
+          name: airgap-image-list-linux-amd64
+
+      - name: "Check :: Image validity"
+        run: |
+          mkdir -p embedded-bins/staging/linux/bin
+          make --touch airgap-images.txt
+          make check-image-validity
+
   generate-sbom:
     name: "Build :: SBOM"
     needs: [build-k0s]
@@ -144,9 +170,6 @@ jobs:
           make --touch codegen
           make check-unit
 
-      - name: Validate OCI images manifests
-        run: make check-image-validity
-
   unittests-k0s-windows-amd64:
     name: "Unit tests :: windows-amd64"
     runs-on: windows-2022

Makefile

@@ -259,8 +259,8 @@ check-unit: go.sum codegen
 	CGO_CFLAGS='$(BUILD_CGO_CFLAGS)' $(GO) test -tags=hack $(GO_TEST_RACE) -ldflags='$(LD_FLAGS)' `$(GO) list -tags=hack $(GO_CHECK_UNIT_DIRS)`
 
 .PHONY: check-image-validity
-check-image-validity: go.sum
-	$(GO) run -tags=hack hack/validate-images/main.go -architectures amd64,arm64,arm
+check-image-validity: go.sum airgap-images.txt
+	hack/validate-images.sh <airgap-images.txt
 
 .PHONY: clean-gocache
 clean-gocache:

go.mod

@@ -21,7 +21,6 @@ require (
 	github.com/containerd/cgroups/v3 v3.0.3
 	github.com/containerd/containerd v1.7.8
 	github.com/denisbrodbeck/machineid v1.0.1
-	github.com/estesp/manifest-tool/v2 v2.1.3
 	github.com/evanphx/json-patch v5.6.0+incompatible
 	github.com/fsnotify/fsnotify v1.7.0
 	github.com/go-logr/logr v1.4.1
@@ -38,7 +37,6 @@ require (
 	github.com/mesosphere/toml-merge v0.2.0
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/olekukonko/tablewriter v0.0.5
-	github.com/opencontainers/image-spec v1.1.0-rc5
 	github.com/opencontainers/runtime-spec v1.1.0
 	github.com/otiai10/copy v1.14.0
 	github.com/pelletier/go-toml v1.9.5
@@ -213,6 +211,7 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.0-rc5 // indirect
 	github.com/opencontainers/runc v1.1.11 // indirect
 	github.com/opencontainers/selinux v1.11.0 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
@@ -281,7 +280,6 @@ require (
 	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
 	k8s.io/metrics v0.29.0 // indirect
 	oras.land/oras-go v1.2.4 // indirect
-	oras.land/oras-go/v2 v2.2.1 // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.28.0 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 // indirect

go.sum

@@ -180,8 +180,6 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/envoyproxy/protoc-gen-validate v1.0.2 h1:QkIBuU5k+x7/QXPvPPnWXWlCdaBFApVqftFV6k087DA=
 github.com/envoyproxy/protoc-gen-validate v1.0.2/go.mod h1:GpiZQP3dDbg4JouG/NNS7QWXpgx6x8QiMKdmN72jogE=
-github.com/estesp/manifest-tool/v2 v2.1.3 h1:Xd0oxiwkXIcCYVdU4s7IZBIPYy5xbRJE2hzqQqb81EE=
-github.com/estesp/manifest-tool/v2 v2.1.3/go.mod h1:fVIu8tz5/04LXjFyE/LLd+uD8VFHXy38YFbCN4GrWHM=
 github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U=
 github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww=
@@ -971,8 +969,6 @@ k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSn
 k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 oras.land/oras-go v1.2.4 h1:djpBY2/2Cs1PV87GSJlxv4voajVOMZxqqtq9AB8YNvY=
 oras.land/oras-go v1.2.4/go.mod h1:DYcGfb3YF1nKjcezfX2SNlDAeQFKSXmf+qrFmrh4324=
-oras.land/oras-go/v2 v2.2.1 h1:3VJTYqy5KfelEF9c2jo1MLSpr+TM3mX8K42wzZcd6qE=
-oras.land/oras-go/v2 v2.2.1/go.mod h1:GeAwLuC4G/JpNwkd+bSZ6SkDMGaaYglt6YK2WvZP7uQ=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.28.0 h1:TgtAeesdhpm2SGwkQasmbeqDo8th5wOBA5h/AjTKA4I=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.28.0/go.mod h1:VHVDI/KrK4fjnV61bE2g3sA7tiETLn8sooImelsCx3Y=
 sigs.k8s.io/controller-runtime v0.16.3 h1:2TuvuokmfXvDUamSx1SuAOO3eTyye+47mJCigwG62c4=

hack/validate-images.sh

@@ -0,0 +1,32 @@
+#!/usr/bin/env sh
+#shellcheck disable=SC3043
+
+set -eu
+
+check_platforms() {
+  # shellcheck disable=SC2016
+  local filter='
+    $ARGS.positional - [.manifests[].platform | "\(.os)/\(.architecture)"]
+    | if length == 0 then "ok" else "missing platforms: " + join(", ") end
+  '
+  docker manifest inspect -- "$image" | jq --args -r "$filter" -- "$@"
+}
+
+ret=0
+while read -r image; do
+  case "$image" in
+  */envoy-distroless:*) set -- linux/amd64 linux/arm64 ;;
+  *) set -- linux/amd64 linux/arm64 linux/arm ;;
+  esac
+
+  printf 'Checking image validity for %s ... ' "$image" >&2
+  check=$(check_platforms "$@")
+  if [ "$check" != "ok" ]; then
+    ret=1
+    printf '\033[31m%s\033[0m\n' "$check" >&2
+  else
+    printf '\033[32mok: %s\033[0m\n' "$*" >&2
+  fi
+done
+
+exit $ret