Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add examples and project logo #5

Merged
merged 1 commit into from
Jul 20, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
149 changes: 100 additions & 49 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# wolfi-act

![](https://github.com/wolfi-dev/wolfi-act/assets/393494/661c31fc-762f-4b53-a64f-56b116e7ba41)
![](./wolfi-act.jpg)

Dynamic GitHub Actions from [Wolfi](https://wolfi.dev/) packages

Expand All @@ -15,84 +15,135 @@ and runs your command inside of it.
Pass in `packages` with a comma-separated list of packages available in
Wolfi, along with a `command` you wish to run.

### Example: run a grype and trivy scan on an image

```yaml
- uses: wolfi-dev/wolfi-act@main
with:
packages: grype,trivy
packages: jq,cosign
command: |
grype cgr.dev/chainguard/nginx
trivy image cgr.dev/chainguard/nginx
jq --version
cosign --version
```

### Example: full image publish pipeline
### Example: run a grype and trivy scan on an image

Here's a full Github Actions workflow example which does the following (source [here](./.github/workflows/build.yml)):
Source: [grype-trivy-scan-example.yaml](./examples/grype-trivy-scan-example.yaml)

1. Installs tools: `curl`, `apko`, `cosign`, `crane`, `grype`, `trivy`
2. Downloads an apko config file using `curl`
3. Logs into GHCR using `crane`
4. Publishes a container image using `apko`
5. Signs the image using `cosign`
6. Scans the image with `grype` and `trivy`
7. Tags the image using `crane`
8. Ensure that the tagged image runs using `docker`
```yaml
# .github/workflows/grype-trivy-scan-example.yaml
on:
push:
branches:
- main
workflow_dispatch: {}
jobs:
wolfi-act:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write # needed for GitHub OIDC Token
steps:
- uses: actions/checkout@v3
- uses: wolfi-dev/wolfi-act@main
with:
packages: curl,apko,cosign,crane
command: |
set -x
grype cgr.dev/chainguard/nginx
trivy image cgr.dev/chainguard/nginx
```

### Example: build, push, sign, and tag an image

Source: [oci-image-push-sign-tag-example.yaml](./examples/oci-image-push-sign-tag-example.yaml)

```yaml
# .github/workflows/oci-image-push-sign-tag-example.yaml
on:
push:
branches:
- main
workflow_dispatch: {}
env:
IMAGE_REPO: ghcr.io/${{ github.repository }}/wolfi-act-test
APKO_CONFIG: https://raw.githubusercontent.com/chainguard-images/images/main/images/maven/configs/openjdk-17.apko.yaml
GHCR_USER: ${{ github.repository_owner }}
GHCR_PASS: ${{ github.token }}
jobs:
build:
wolfi-act:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write # needed for GitHub OIDC Token
id-token: write # needed for GitHub OIDC Token
steps:
- name: Build, sign, inspect an image using wolfi-act
uses: wolfi-dev/wolfi-act@main
- uses: actions/checkout@v3
- uses: wolfi-dev/wolfi-act@main
env:
OCI_HOST: ghcr.io
OCI_REPO: ${{ github.repository }}/wolfi-act-demo
OCI_USER: ${{ github.repository_owner }}
OCI_PASS: ${{ github.token }}
OCI_TAG: latest
APKO_ARCHS: x86_64,aarch64
APKO_KEYS: https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
APKO_REPOS: https://packages.wolfi.dev/os
APKO_DEFAULT_CONF: https://raw.githubusercontent.com/chainguard-images/images/main/images/wolfi-base/configs/latest.apko.yaml
with:
packages: curl,apko,cosign,crane,grype,trivy
packages: curl,apko,cosign,crane
command: |
set -x

# Download an apko config file
curl -L -o apko.yaml "${APKO_CONFIG}"
# Make sure repo has an apko.yaml file, otherwise use default
if [[ ! -f apko.yaml ]]; then
echo "Warning: no apko.yaml in repo, downloading from $APKO_DEFAULT_CONF"
curl -sL -o apko.yaml $APKO_DEFAULT_CONF
fi

# Login to OCI registry
apko login $OCI_HOST -u $OCI_USER -p $OCI_PASS

# Login to GHCR
crane auth login ghcr.io -u "${GHCR_USER}" -p "${GHCR_PASS}"
# Publish image with apko and capture the index digest
digest=$(apko publish --arch $APKO_ARCHS \
-k $APKO_KEYS -r $APKO_REPOS \
apko.yaml $OCI_HOST/$OCI_REPO)

# Publish image using apko
apko publish apko.yaml "${IMAGE_REPO}" \
--repository-append=https://packages.wolfi.dev/os \
--keyring-append=https://packages.wolfi.dev/os/wolfi-signing.rsa.pub \
--package-append=wolfi-baselayout \
--arch=x86_64,aarch64 \
--image-refs=apko.images.txt | tee apko.index.txt
index_digest="$(cat apko.index.txt)"
# Sign with cosign
cosign sign --yes $digest

# Lastly, tag the image with crane
crane copy $digest $OCI_HOST/$OCI_REPO:$OCI_TAG
```

# Sign image with cosign
cosign sign --yes $(cat apko.images.txt)

# Scan image with grype and trivy
grype "${index_digest}"
trivy image "${index_digest}"
### Example: run multiple versions of kubectl using build matrix

# Tag image using crane
crane cp "${index_digest}" "${IMAGE_REPO}:latest"
Source: [multiple-versions-of-kubectl-example.yaml](./examples/multiple-versions-of-kubectl-example.yaml)

```yaml
# .github/workflows/multiple-versions-of-kubectl-example.yaml
on:
push:
branches:
- main
workflow_dispatch: {}
jobs:
wolfi-act:
runs-on: ubuntu-latest
strategy:
matrix:
wolfi_pkg_name_kubectl:
- kubectl-1.24
- kubectl-1.25
- kubectl-1.26
- kubectl # note: this is 1.27 or latest
steps:
- uses: actions/checkout@v3
- uses: wolfi-dev/wolfi-act@main
with:
packages: ${{ matrix.wolfi_pkg_name_kubectl }}
command: |
set -x

- name: Make sure the image runs
run: |
set -x
docker run --rm "${IMAGE_REPO}:latest" --version
# Make a symlink when "kubectl" is not the name of the binary in the package
if [[ "${{ matrix.wolfi_pkg_name_kubectl }}" != "kubectl" ]]; then
ln -sf /usr/bin/${{ matrix.wolfi_pkg_name_kubectl }} /usr/bin/kubectl
fi

kubectl version --client
```
22 changes: 22 additions & 0 deletions examples/grype-trivy-scan-example.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
# .github/workflows/grype-trivy-scan-example.yaml
on:
push:
branches:
- main
workflow_dispatch: {}
jobs:
wolfi-act:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write # needed for GitHub OIDC Token
steps:
- uses: actions/checkout@v3
- uses: wolfi-dev/wolfi-act@main
with:
packages: curl,apko,cosign,crane
command: |
set -x
grype cgr.dev/chainguard/nginx
trivy image cgr.dev/chainguard/nginx
30 changes: 30 additions & 0 deletions examples/multiple-versions-of-kubectl-example.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
# .github/workflows/multiple-versions-of-kubectl-example.yaml
on:
push:
branches:
- main
workflow_dispatch: {}
jobs:
wolfi-act:
runs-on: ubuntu-latest
strategy:
matrix:
wolfi_pkg_name_kubectl:
- kubectl-1.24
- kubectl-1.25
- kubectl-1.26
- kubectl # note: this is 1.27 or latest
steps:
- uses: actions/checkout@v3
- uses: wolfi-dev/wolfi-act@main
with:
packages: ${{ matrix.wolfi_pkg_name_kubectl }}
command: |
set -x

# Make a symlink when "kubectl" is not the name of the binary in the package
if [[ "${{ matrix.wolfi_pkg_name_kubectl }}" != "kubectl" ]]; then
ln -sf /usr/bin/${{ matrix.wolfi_pkg_name_kubectl }} /usr/bin/kubectl
fi

kubectl version --client
50 changes: 50 additions & 0 deletions examples/oci-image-push-sign-tag-example.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
# .github/workflows/oci-image-push-sign-tag-example.yaml
on:
push:
branches:
- main
workflow_dispatch: {}
jobs:
wolfi-act:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write # needed for GitHub OIDC Token
steps:
- uses: actions/checkout@v3
- uses: wolfi-dev/wolfi-act@main
env:
OCI_HOST: ghcr.io
OCI_REPO: ${{ github.repository }}/wolfi-act-demo
OCI_USER: ${{ github.repository_owner }}
OCI_PASS: ${{ github.token }}
OCI_TAG: latest
APKO_ARCHS: x86_64,aarch64
APKO_KEYS: https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
APKO_REPOS: https://packages.wolfi.dev/os
APKO_DEFAULT_CONF: https://raw.githubusercontent.com/chainguard-images/images/main/images/wolfi-base/configs/latest.apko.yaml
with:
packages: curl,apko,cosign,crane
command: |
set -x

# Make sure repo has an apko.yaml file, otherwise use default
if [[ ! -f apko.yaml ]]; then
echo "Warning: no apko.yaml in repo, downloading from $APKO_DEFAULT_CONF"
curl -sL -o apko.yaml $APKO_DEFAULT_CONF
fi

# Login to OCI registry
apko login $OCI_HOST -u $OCI_USER -p $OCI_PASS

# Publish image with apko and capture the index digest
digest=$(apko publish --arch $APKO_ARCHS \
-k $APKO_KEYS -r $APKO_REPOS \
apko.yaml $OCI_HOST/$OCI_REPO)

# Sign with cosign
cosign sign --yes $digest

# Lastly, tag the image with crane
crane copy $digest $OCI_HOST/$OCI_REPO:$OCI_TAG
Binary file added wolfi-act.jpg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.