Merge branch 'main' into update-1734016116

.github/workflows/Test-Rock.yaml

@@ -271,6 +271,36 @@ jobs:
           name: ${{ steps.configure-trivy.outputs.report-name }}
           path: ${{ steps.configure-trivy.outputs.report-name}}
 
+
+      # We have to walk through the vulnerabilities since trivy does not support outputting the results as Markdown
+      - name: Create markdown content
+        id: create-markdown
+        if: ${{ !cancelled() }}
+        run: |
+          set -x
+
+          vulnerabilities="$(jq -r -c '[
+            try(.scanner.result.Results[])
+            | .Target as $target
+            | .Vulnerabilities
+            | select(. != null)
+            | .[]
+            | {Target: $target, LastModifiedDate: .LastModifiedDate, VulnerabilityID: .VulnerabilityID,
+              PkgName: .PkgName, Severity: .Severity}
+                  ]' < ${{ steps.configure-trivy.outputs.report-name }})"
+
+          num_vulns=$(echo "$vulnerabilities" | jq -r 'length')
+          
+          if [[ $num_vulns -gt 0 ]]; then
+            echo "# Vulnerabilities found for ${{ inputs.oci-archive-name }}" >> $GITHUB_STEP_SUMMARY
+            title="Vulnerabilities found for ${{ inputs.oci-archive-name }}"
+            echo "## $title" >> $GITHUB_STEP_SUMMARY
+            echo "| ID | Target | Severity | Package |" >> $GITHUB_STEP_SUMMARY
+            echo "| -- | ----- | -------- | ------- |" >> $GITHUB_STEP_SUMMARY
+            echo "$vulnerabilities" | jq -r '.[] | "| \(.VulnerabilityID) | /\(.Target) | \(.Severity) | \(.PkgName) |"' >> $GITHUB_STEP_SUMMARY
+          fi
+          
+
   test-malware:
     runs-on: ubuntu-22.04
     name: "test-malware ${{ inputs.oci-archive-name != '' && format('| {0}', inputs.oci-archive-name) || ' '}}"

.github/workflows/Vulnerability-Scan.yaml

@@ -213,12 +213,6 @@ jobs:
             echo "issue-body-file=issue.md" >> "$GITHUB_OUTPUT"
           fi
 
-      - name: Write to summary
-        if: ${{ !inputs.create-issue && steps.create-markdown.outputs.vulnerability-exists == 'true' }}
-        run: |
-          echo "# Vulnerabilities found for ${{ inputs.oci-image-name }}" >> $GITHUB_STEP_SUMMARY
-          cat ${{ steps.create-markdown.outputs.issue-body-file }} | tail -n +2 >> $GITHUB_STEP_SUMMARY
-
       - id: issue-exists
         if: ${{ inputs.create-issue}}
         run: |

README.md

@@ -5,6 +5,27 @@
 *Behind every great rock is a great quarry...*
 </div>
 
+## Index
+- [Before you get started](#-**Before-you-get-started**)
+  - [What is the OCI Factory?](#What-is-the-OCI-Factory?)
+  - [Why does it exist?](#Why-does-it-exist?)
+  - [Who is it for?](#Who-is-it-for?)
+  - [How to qualify as a Maintainer?](#How-to-qualify-as-a-Maintainer?)
+- [How to contribute](#-How-to-contribute)
+  - [As a developer](#As-a-developer)
+  - [As a Maintainer](#As-a-Maintainer--)
+- [Maintainer files](#-Maintainer-files)
+  - [Trigger files](#Trigger-files)
+    - [Image trigger file](#Image-trigger-file)
+    - [Documentation trigger file](#Documentation-trigger-file)
+  - [Other files](#Other-files)
+    - [Contacts](#Contacts)
+    - [Vulnerability Filtering](#Vulnerability-Filtering)
+- [Reusable workflows](#-Reusable-workflows)
+  - [Build-Rock Workflow](#Build-Rock-Workflow)
+  - [Test-Rock Workflow](#Test-Rock-Workflow)
+
+
 ## 🍿 **Before you get started**
 
 If you are planning on contributing to this repository, you **must** first
@@ -353,3 +374,87 @@ CVE-2024-0000
 # <justification>
 private-key
 ```
+
+## 📦 Reusable workflows
+
+The OCI Factory provides reusable GitHub workflows designed to support
+Rock-oriented CI/CD tasks in other repositories. Currently there are two
+reusable workflows available, Test-Rock and Build-Rock. As the name suggests,
+these workflows are capable of building and testing rocks, and use the same
+methods as the OCI Factory itself.
+
+
+### Build-Rock Workflow
+
+The [Build-Rock workflow](.github/workflows/Build-Rock.yaml)
+can create multi-architecture Rocks (OCI images) from a specified Rockcraft
+project file (rockcraft.yaml). This project file can be located in the
+repository initiating the workflow, an external repository hosted on GitHub, or
+a Git repository hosted elsewhere. The resulting image is uploaded as a build
+artifact in the GitHub workflow. Currently, multi-architecture builds support
+`amd64` and `arm64`, depending on the availability of GitHub runners for these
+architectures. Additional architectures, such as `ppc64el` and `s390x` are
+supported through Launchpad build services.
+
+**Samples:**
+- [Building an external Rock](https://github.com/canonical/rocks-toolbox/blob/main/.github/workflows/oci-factory_build_mock_rock.yaml) 
+  - Build the `mock-rock` located in `mock_rock/1.0`
+- [Build and Test EICAR Rock](https://github.com/canonical/rocks-toolbox/blob/main/.github/workflows/oci-factory_build_and_test_eicar_rock.yaml) 
+  - Build a Rock that includes the
+    [EICAR test file](https://en.wikipedia.org/wiki/EICAR_test_file) and run the
+    Test-Rock workflow on it. The workflow is expected to fail during the
+    malware scan for demonstration purposes.
+- [Building an external Rock](https://github.com/canonical/rocks-toolbox/blob/main/.github/workflows/oci-factory_build_external_rock.yaml) 
+  - Build a Chiseled-Python Rock from an external repository using a specified Git commit hash.
+
+**Workflow Inputs:**
+| Property | Required | Type | Description |
+|---|---|---|---|
+| `oci-archive-name` | True | str | Final filename of the rock OCI archive. |
+| `build-id` | False | str | Optional string for identifying workflow jobs in GitHub UI |
+| `rock-repo` | True | str | Public Git repo where to build the rock from. |
+| `rock-repo-commit` | True | str | Git ref from where to build the rock from. |
+| `rockfile-directory` | True | str | Directory in repository where to find the rockcraft.yaml file. |
+| `arch-map` | False | JSON str | JSON string mapping target architecture to runners. |
+| `lpci-fallback` | False | bool | Enable fallback to Launchpad build when runners for target arch are not available. |
+
+### Test-Rock Workflow
+
+The [Test-Rock workflow](.github/workflows/Test-Rock.yaml)
+runs a series of tests on a rock or an OCI image. The image can be sourced either
+from a local artifact or from an external location uploaded as an artifact. The
+workflow includes the following tests, which can be enabled or disabled as
+needed.
+
+- OCI compliance testing of images using [Umoci](https://umo.ci/). The image's
+  readability and layout are tested by unpacking and listing the image tags.
+- Black-box testing of images performed using Docker to create a container and
+  attempting to run the Pebble service manager. This test applies only to
+  images created with Rockcraft.
+- Testing image storage efficiency using [Dive](https://github.com/wagoodman/dive)
+- Scanning for vulnerabilities using [Trivy](https://trivy.dev/)
+- Scanning for malware using [ClamAV](https://www.clamav.net/)
+
+**Samples:**
+- [Build and Test EICAR Rock](https://github.com/canonical/rocks-toolbox/blob/main/.github/workflows/oci-factory_build_and_test_eicar_rock.yaml) 
+  - Build a Rock that includes the
+    [EICAR test file](https://en.wikipedia.org/wiki/EICAR_test_file) and run the
+    Test-Rock workflow on it. The workflow is expected to fail during the
+    malware scan for demonstration purposes.
+
+- [Test an External Image](https://github.com/canonical/rocks-toolbox/blob/main/.github/workflows/oci-factory_test_external_rock.yaml) 
+  - Download and test the
+    [bkimminich/juice-shop](https://hub.docker.com/r/bkimminich/juice-shop)
+    image from Docker Hub. Note that we must skip the Black Box testing since
+    this is not a rock and does not include [Pebble](https://github.com/canonical/pebble).
+
+**Workflow Inputs:**
+| Property | Required | Type | Description |
+|---|---|---|---|
+|`oci-archive-name`| True | str | Artifact name to download for testing. |
+|`test-black-box`| False | bool | Enable rock black-box test. Enabled by default. |
+|`test-oci-compliance`| False | bool | Enable Umoci OCI Image compliance test. Enabled by default. |
+|`test-efficiency`| False | bool | Enable Dive image efficiency test. Enabled by default. |
+|`test-vulnerabilities`| False | bool | Enable Trivy vulnerability test. Enabled by default. |
+|`trivyignore-path`| False | str | Optional path to `.trivyignore` file used in vulnerability scan. |
+|`test-malware`| False | bool | Enable ClamAV malware test. Enabled by default. |

oci/grafana-agent/.trivyignore

@@ -16,3 +16,5 @@ CVE-2023-49568
 GHSA-9763-4f94-gfch
 # github.com/opencontainers/runc - runc: file descriptor leak
 CVE-2024-21626
+# golang.org/x/crypto - Applications and libraries which misuse the ServerConfig.PublicKeyCall ...
+CVE-2024-45337

oci/grafana-agent/_releases.json

@@ -268,5 +268,50 @@
         "edge": {
             "target": "0.40.3-22.04_beta"
         }
+    },
+    "0-24.04": {
+        "end-of-life": "2025-03-12T00:00:00Z",
+        "stable": {
+            "target": "79"
+        },
+        "candidate": {
+            "target": "0-24.04_stable"
+        },
+        "beta": {
+            "target": "0-24.04_candidate"
+        },
+        "edge": {
+            "target": "0-24.04_beta"
+        }
+    },
+    "0.43-24.04": {
+        "end-of-life": "2025-03-12T00:00:00Z",
+        "stable": {
+            "target": "79"
+        },
+        "candidate": {
+            "target": "0.43-24.04_stable"
+        },
+        "beta": {
+            "target": "0.43-24.04_candidate"
+        },
+        "edge": {
+            "target": "0.43-24.04_beta"
+        }
+    },
+    "0.43.4-24.04": {
+        "end-of-life": "2025-03-12T00:00:00Z",
+        "stable": {
+            "target": "79"
+        },
+        "candidate": {
+            "target": "0.43.4-24.04_stable"
+        },
+        "beta": {
+            "target": "0.43.4-24.04_candidate"
+        },
+        "edge": {
+            "target": "0.43.4-24.04_beta"
+        }
     }
 }

oci/grafana-agent/image.yaml

@@ -1,34 +1,18 @@
 version: 1
 upload:
   - source: canonical/grafana-agent-rock
-    commit: 8fdc452a8c36d7f8916821b8b4a7a4e88136eff6
-    directory: 0.40.5
+    commit: d3c1eaec89c38897141ff2b5b2e549664dea3992
+    directory: 0.43.4
     release:
-      0.40.5-22.04:
-        end-of-life: "2025-05-28T00:00:00Z"
+      0-24.04:
+        end-of-life: '2025-03-12T00:00:00Z'
         risks:
           - stable
-      0.40-22.04:
-        end-of-life: "2025-05-28T00:00:00Z"
+      0.43-24.04:
+        end-of-life: '2025-03-12T00:00:00Z'
         risks:
           - stable
-      0-22.04:
-        end-of-life: "2025-05-28T00:00:00Z"
-        risks:
-          - stable
-  - source: canonical/grafana-agent-rock
-    commit: 8fdc452a8c36d7f8916821b8b4a7a4e88136eff6
-    directory: 0.40.4
-    release:
-      0.40.4-22.04:
-        end-of-life: "2025-05-28T00:00:00Z"
-        risks:
-          - stable
-  - source: canonical/grafana-agent-rock
-    commit: 8fdc452a8c36d7f8916821b8b4a7a4e88136eff6
-    directory: 0.40.3
-    release:
-      0.40.3-22.04:
-        end-of-life: "2025-05-28T00:00:00Z"
+      0.43.4-24.04:
+        end-of-life: '2025-03-12T00:00:00Z'
         risks:
           - stable

oci/grafana/.trivyignore

@@ -16,3 +16,5 @@ CVE-2023-49568
 CVE-2023-49569
 # github.com/cloudflare/circl - CIRCL's Kyber: timing side-channel (kyberslash2)
 GHSA-9763-4f94-gfch
+# golang.org/x/crypto - Applications and libraries which misuse the ServerConfig.PublicKeyCall ...
+CVE-2024-45337

oci/grafana/image.yaml

@@ -1,34 +1,18 @@
 version: 1
 upload:
   - source: canonical/grafana-rock
-    commit: 76e6113b71255cd3d83df9b6f01b0ab2b783920d
-    directory: 10.4.2
+    commit: a2d8bea8db1fc640cbe465429a70e79fcfbb83bb
+    directory: 11.4.0
     release:
-      10.4.2-22.04:
-        end-of-life: "2025-05-28T00:00:00Z"
+      11-24.04:
+        end-of-life: '2025-03-13T00:00:00Z'
         risks:
           - stable
-      10.4-22.04:
-        end-of-life: "2025-05-28T00:00:00Z"
+      11.4-24.04:
+        end-of-life: '2025-03-13T00:00:00Z'
         risks:
           - stable
-      10-22.04:
-        end-of-life: "2025-05-28T00:00:00Z"
-        risks:
-          - stable
-  - source: canonical/grafana-rock
-    commit: 76e6113b71255cd3d83df9b6f01b0ab2b783920d
-    directory: 11.0.0
-    release:
-      11.0.0-22.04:
-        end-of-life: "2025-05-28T00:00:00Z"
-        risks:
-          - stable
-      11.0-22.04:
-        end-of-life: "2025-05-28T00:00:00Z"
-        risks:
-          - stable
-      11-22.04:
-        end-of-life: "2025-05-28T00:00:00Z"
+      11.4.0-24.04:
+        end-of-life: '2025-03-13T00:00:00Z'
         risks:
           - stable

oci/metrics-proxy/_releases.json

@@ -43,5 +43,50 @@
         "edge": {
             "target": "0-22.04_beta"
         }
+    },
+    "0-24.04": {
+        "end-of-life": "2025-03-14T00:00:00Z",
+        "stable": {
+            "target": "2"
+        },
+        "candidate": {
+            "target": "0-24.04_stable"
+        },
+        "beta": {
+            "target": "0-24.04_candidate"
+        },
+        "edge": {
+            "target": "0-24.04_beta"
+        }
+    },
+    "0.1-24.04": {
+        "end-of-life": "2025-03-14T00:00:00Z",
+        "stable": {
+            "target": "2"
+        },
+        "candidate": {
+            "target": "0.1-24.04_stable"
+        },
+        "beta": {
+            "target": "0.1-24.04_candidate"
+        },
+        "edge": {
+            "target": "0.1-24.04_beta"
+        }
+    },
+    "0.1.1-24.04": {
+        "end-of-life": "2025-03-14T00:00:00Z",
+        "stable": {
+            "target": "2"
+        },
+        "candidate": {
+            "target": "0.1.1-24.04_stable"
+        },
+        "beta": {
+            "target": "0.1.1-24.04_candidate"
+        },
+        "edge": {
+            "target": "0.1.1-24.04_beta"
+        }
     }
 }

oci/metrics-proxy/image.yaml

@@ -1,18 +1,18 @@
 version: 1
 upload:
   - source: canonical/metrics-proxy-rock
-    commit: 66763a5703df2e3175b87c0da69b29103da47169
-    directory: "0.1.1"
+    commit: 78ab3165104b87d648d077a1c3f80c308a10b6af
+    directory: 0.1.1
     release:
-      0.1.1-22.04:
-        end-of-life: "2025-11-27T00:00:00Z"
+      0-24.04:
+        end-of-life: '2025-03-14T00:00:00Z'
         risks:
           - stable
-      0.1-22.04:
-        end-of-life: "2025-11-27T00:00:00Z"
+      0.1-24.04:
+        end-of-life: '2025-03-14T00:00:00Z'
         risks:
           - stable
-      0-22.04:
-        end-of-life: "2025-11-27T00:00:00Z"
+      0.1.1-24.04:
+        end-of-life: '2025-03-14T00:00:00Z'
         risks:
-          - stable
+          - stable