From 204bfc03ad8e5cab2defb9fa7c93d101f1d3c8d8 Mon Sep 17 00:00:00 2001 From: Tuomas Katila Date: Mon, 20 May 2024 15:19:57 +0300 Subject: [PATCH 1/6] workflow: pin actions with sha And run update check only once a week. Signed-off-by: Tuomas Katila --- .github/dependabot.yml | 5 +++-- .github/workflows/lib-build.yaml | 4 ++-- .github/workflows/lib-codeql.yaml | 8 ++++---- .github/workflows/lib-e2e.yaml | 2 +- .github/workflows/lib-publish.yaml | 8 ++++---- .github/workflows/lib-scorecard.yaml | 6 +++--- .github/workflows/lib-trivy.yaml | 26 +++++++++++++------------- .github/workflows/lib-validate.yaml | 16 ++++++++-------- .github/workflows/publish.yml | 8 ++++---- 9 files changed, 42 insertions(+), 41 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 73b6f0798..5eaaa1a85 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -12,5 +12,6 @@ updates: - package-ecosystem: "github-actions" directory: "/" schedule: - # Check for updates to GitHub Actions every weekday - interval: "daily" + # Check for updates to GitHub Actions every week on Sunday + interval: "weekly" + day: "sunday" diff --git a/.github/workflows/lib-build.yaml b/.github/workflows/lib-build.yaml index d44b4e663..f2f19b64f 100644 --- a/.github/workflows/lib-build.yaml +++ b/.github/workflows/lib-build.yaml @@ -45,8 +45,8 @@ jobs: - dlb-libdlb-demo builder: [buildah, docker] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v5 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 + - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5 with: go-version-file: go.mod check-latest: true diff --git a/.github/workflows/lib-codeql.yaml b/.github/workflows/lib-codeql.yaml index 8365c754b..b6585f89c 100644 --- a/.github/workflows/lib-codeql.yaml +++ b/.github/workflows/lib-codeql.yaml 
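Review bot: The comment next to each pinned commit records only the major tag (`# v4`, `# v5`), which is a moving tag, so a reader cannot tell which release the digest was taken from or verify it against a tag without resolving the SHA themselves. The dependabot commit later in this series shows the cost: it bumps checkout from 4.1.6 to 4.1.7 (so `a5ac7e51…` is the v4.1.6 commit) and leaves `# v4` untouched, meaning the comment never reflects what is actually pinned. Record the exact tag the SHA was resolved from, e.g. `- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6`, and do the same for setup-go, codeql-action, login-action, golangci-lint-action and upload-artifact in lib-codeql, lib-e2e, lib-publish, lib-trivy, lib-validate and publish.yml. lib-scorecard already does this for scorecard-action (`# v2.3.3`) and upload-sarif (`# v3.25.5`), so this would make the pins consistent across the workflow files.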
@@ -18,19 +18,19 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 - - uses: actions/setup-go@v5 + - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5 with: go-version-file: go.mod check-latest: true - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@187e591bef188a41dd329c95d7905134173654ae # v3 with: languages: 'go' - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@187e591bef188a41dd329c95d7905134173654ae # v3 with: category: "/language:go" diff --git a/.github/workflows/lib-e2e.yaml b/.github/workflows/lib-e2e.yaml index 9752373db..4dc34cb72 100644 --- a/.github/workflows/lib-e2e.yaml +++ b/.github/workflows/lib-e2e.yaml @@ -67,7 +67,7 @@ jobs: IMAGES: ${{ join(matrix.images, ' ') }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 with: fetch-depth: 0 - name: Describe test environment diff --git a/.github/workflows/lib-publish.yaml b/.github/workflows/lib-publish.yaml index 93b2fd8d0..ff856e268 100644 --- a/.github/workflows/lib-publish.yaml +++ b/.github/workflows/lib-publish.yaml @@ -42,8 +42,8 @@ jobs: #- crypto-perf #- opae-nlb-demo steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v5 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 + - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5 with: go-version-file: go.mod check-latest: true @@ -54,7 +54,7 @@ jobs: run: | REG=intel/ make ${IMAGE_NAME} BUILDER=docker - name: Trivy scan for image - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 # 0.20.0 with: scan-type: image image-ref: intel/${{ matrix.image }}:${{ inputs.image_tag }} 
@@ -64,7 +64,7 @@ jobs: if: ${{ !contains(fromJson(env.no_base_check), matrix.image) }} run: IMG=intel/${{ matrix.image }}:${{ inputs.image_tag }} make test-image-base-layer BUILDER=docker - name: Login - uses: docker/login-action@v3 + uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3 with: username: ${{ secrets.DOCKERHUB_USER }} password: ${{ secrets.DOCKERHUB_PASS }} diff --git a/.github/workflows/lib-scorecard.yaml b/.github/workflows/lib-scorecard.yaml index 4d0edb1b6..0414c7dcf 100644 --- a/.github/workflows/lib-scorecard.yaml +++ b/.github/workflows/lib-scorecard.yaml @@ -16,18 +16,18 @@ jobs: id-token: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 with: persist-credentials: false - name: "Analyze project" - uses: ossf/scorecard-action@v2.3.3 + uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3 with: results_file: results.sarif results_format: sarif publish_results: true - name: "Upload results to security" - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3.25.5 with: sarif_file: results.sarif diff --git a/.github/workflows/lib-trivy.yaml b/.github/workflows/lib-trivy.yaml index 7afe9796f..842d30248 100644 --- a/.github/workflows/lib-trivy.yaml +++ b/.github/workflows/lib-trivy.yaml @@ -30,10 +30,10 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 - name: Run Trivy in config mode for deployments - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 # 0.20.0 with: scan-type: config scan-ref: deployments/ 
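Review bot: lib-scorecard pins `github/codeql-action/upload-sarif` to `b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3.25.5`, while the same action family is pinned to `187e591bef188a41dd329c95d7905134173654ae # v3` for init/analyze in lib-codeql and for upload-sarif in lib-trivy in this same commit. Two different commits of one action across the workflows means two digests to verify and two separate dependabot bumps to review, for no functional gain. Use one commit for every codeql-action reference, whichever of the two was actually verified against a release tag, with the same full version comment in each file, e.g. `uses: github/codeql-action/upload-sarif@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3.25.5` in lib-codeql and lib-trivy as well.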
@@ -49,10 +49,10 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 - name: Run Trivy in config mode for dockerfiles - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 # 0.20.0 with: scan-type: config scan-ref: build/docker/ @@ -64,10 +64,10 @@ jobs: name: Scan licenses steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 - name: Run Trivy in fs mode - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 # 0.20.0 with: scan-type: fs scan-ref: . @@ -83,11 +83,11 @@ jobs: name: Scan vulnerabilities steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 - name: Run Trivy in fs mode continue-on-error: true - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 # 0.20.0 with: scan-type: fs scan-ref: . @@ -97,7 +97,7 @@ jobs: output: trivy-report.json - name: Show report in human-readable format - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 # 0.20.0 with: scan-type: convert vuln-type: '' @@ -107,7 +107,7 @@ jobs: - name: Convert report to sarif if: ${{ inputs.upload-to-github-security-tab }} - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 # 0.20.0 with: scan-type: convert vuln-type: '' 
@@ -118,13 +118,13 @@ jobs: - name: Upload sarif report to GitHub Security tab if: ${{ inputs.upload-to-github-security-tab }} - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@187e591bef188a41dd329c95d7905134173654ae # v3 with: sarif_file: trivy-report.sarif - name: Convert report to csv if: ${{ inputs.export-csv }} - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 # 0.20.0 with: scan-type: convert vuln-type: '' @@ -136,7 +136,7 @@ jobs: - name: Upload CSV report as an artifact if: ${{ inputs.export-csv }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 with: name: trivy-report path: trivy-report.csv \ No newline at end of file diff --git a/.github/workflows/lib-validate.yaml b/.github/workflows/lib-validate.yaml index caa0ef04a..19fde0ddc 100644 --- a/.github/workflows/lib-validate.yaml +++ b/.github/workflows/lib-validate.yaml @@ -14,7 +14,7 @@ jobs: run: | sudo apt-get update sudo apt-get install -y python3-venv - - uses: actions/checkout@v4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 with: fetch-depth: 0 - name: Set up doc directory @@ -35,13 +35,13 @@ jobs: name: lint runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v5 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 + - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5 with: go-version-file: go.mod check-latest: true - name: golangci-lint - uses: golangci/golangci-lint-action@v6 + uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6 with: version: v1.57.2 args: -v --timeout 5m 
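Review bot: lib-trivy.yaml still ends without a trailing newline; the `\ No newline at end of file` marker follows the rewritten `upload-artifact` step on both sides of the last hunk. Since the commit already touches the final lines of the file, this is the place to add the newline after `path: trivy-report.csv`; yamllint's `new-line-at-end-of-file` rule flags the file otherwise and every later edit to the tail shows a spurious diff on that line.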
@@ -50,8 +50,8 @@ jobs: name: Build and check device plugins runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v5 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 + - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5 with: go-version-file: go.mod check-latest: true @@ -74,8 +74,8 @@ jobs: - 1.29.x - 1.30.x steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v5 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 + - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5 with: go-version-file: go.mod check-latest: true diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 13d5fccc8..d7f6f54ff 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -23,7 +23,7 @@ jobs: run: | sudo apt-get update sudo apt-get install -y python3-venv git - - uses: actions/checkout@v4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 with: fetch-depth: 0 ref: main @@ -44,7 +44,7 @@ jobs: rm -rf _work/venv make vhtml mv _build/html/* $HOME/output/ - - uses: actions/checkout@v4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 with: fetch-depth: 0 ref: release-0.28 @@ -55,7 +55,7 @@ jobs: rm -rf _work/venv make vhtml mv _build/html $HOME/output/0.28 - - uses: actions/checkout@v4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 with: fetch-depth: 0 ref: release-0.29 @@ -66,7 +66,7 @@ jobs: rm -rf _work/venv make vhtml mv _build/html $HOME/output/0.29 - - uses: actions/checkout@v4 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 with: fetch-depth: 0 ref: release-0.30 From e2f205fc0931e4c0fd74d3f13bd651b7c281c822 Mon Sep 17 00:00:00 2001 From: Tuomas Katila Date: Mon, 20 May 2024 15:31:03 +0300 Subject: [PATCH 2/6] demo: pin base image with sha And setup a workflow to update them montly 
Signed-off-by: Tuomas Katila --- .github/workflows/demo-img-update.yaml | 47 ++++++++++++++++++++++++++ demo/accel-config-demo/Dockerfile | 4 +-- demo/crypto-perf/Dockerfile | 4 +-- demo/dlb-dpdk-demo/Dockerfile | 4 +-- demo/dlb-libdlb-demo/Dockerfile | 4 +-- demo/intel-opencl-icd/Dockerfile | 2 +- demo/opae-nlb-demo/Dockerfile | 4 +-- demo/openssl-qat-engine/Dockerfile | 2 +- demo/sgx-aesmd-demo/Dockerfile | 2 +- demo/sgx-sdk-demo/Dockerfile | 4 +-- demo/update-shas.sh | 29 ++++++++++++++++ 11 files changed, 91 insertions(+), 15 deletions(-) create mode 100644 .github/workflows/demo-img-update.yaml create mode 100755 demo/update-shas.sh diff --git a/.github/workflows/demo-img-update.yaml b/.github/workflows/demo-img-update.yaml new file mode 100644 index 000000000..d0cf1d4ca --- /dev/null +++ b/.github/workflows/demo-img-update.yaml 
@@ -0,0 +1,47 @@ +name: Update demo bases +on: + schedule: + - cron: '0 0 1 * *' # once a month + workflow_dispatch: + +permissions: + contents: read + pull-requests: write + +jobs: + demo_base_update: + name: Create a PR for demo image updates + runs-on: ubuntu-22.04 + steps: + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 + - name: Install frizbee + run: | + export FRIZBEE_HASH=cda91f86d0c96d0bc3c464c57a601ca414e0b2415372eb19b9a4c82fa3d4f802 + export FRIZBEE_VERSION=0.0.15 + + mkdir /tmp/frizbee + wget -q https://github.com/stacklok/frizbee/releases/download/v${FRIZBEE_VERSION}/frizbee_${FRIZBEE_VERSION}_linux_amd64.tar.gz -O /tmp/frizbee/frizbee.tar.gz + cd /tmp/frizbee + echo "$FRIZBEE_HASH frizbee.tar.gz" | sha256sum -c - + tar xzf frizbee.tar.gz + chmod +x /tmp/frizbee/frizbee + - name: Run update script + run: | + export PATH=$PATH:/tmp/frizbee + cd demo + bash update-shas.sh + - name: Get current date + id: date + run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT + - name: Create Pull Request + uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6 + with: + commit-message: "demo: update base images ${{ steps.date.outputs.date }}" + title: "Update demo base images (${{ steps.date.outputs.date }})" + token: ${{ secrets.GH_PR_TOKEN }} + branch: demo-base-update-${{ steps.date.outputs.date }} + body: > + PR is auto-generated by GH action. + + + diff --git a/demo/accel-config-demo/Dockerfile b/demo/accel-config-demo/Dockerfile index e1db15805..d2f93f0bf 100644 --- a/demo/accel-config-demo/Dockerfile +++ b/demo/accel-config-demo/Dockerfile 
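Review bot: The `permissions` block grants `pull-requests: write` to GITHUB_TOKEN, but the only step that opens a PR authenticates with `secrets.GH_PR_TOKEN`, so that grant is unused and the PAT's own scope decides what the job can do (it has to push the `demo-base-update-*` branch and open the PR), and neither the reason for the PAT nor its required scope is recorded in the file. Add a comment on the `token:` line, e.g. `token: ${{ secrets.GH_PR_TOKEN }} # PAT rather than GITHUB_TOKEN, presumably so the opened PR triggers the CI workflows; needs write access to this repo's contents and pull requests`, and drop `pull-requests: write` if nothing else in the job uses it. The file also ends with three empty added lines after `PR is auto-generated by GH action.`, which yamllint's `empty-lines` rule rejects; end it with a single newline. In the `Get current date` step, `$GITHUB_OUTPUT` should be quoted (`>> "$GITHUB_OUTPUT"`) the way `$FRIZBEE_HASH` already is in the install step.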
@@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM debian:unstable-slim AS builder +FROM debian:unstable-slim@sha256:1168b5db3ac36ac7dba548f4cc9d4a2bac856d1404000a07e936d2012d2820bb AS builder RUN apt-get update && apt-get install -y --no-install-recommends libaccel-config-dev \ gcc g++ nasm make cmake autoconf automake libtool pkg-config git ca-certificates uuid-dev @@ -29,7 +29,7 @@ RUN cd / && git clone --recurse-submodules --depth 1 --branch v1.5.0 https://git cmake -DLOG_HW_INIT=ON .. && \ make install -FROM debian:unstable-slim +FROM debian:unstable-slim@sha256:1168b5db3ac36ac7dba548f4cc9d4a2bac856d1404000a07e936d2012d2820bb RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends pciutils accel-config accel-config-test kmod && rm -rf /var/lib/apt/lists/\* diff --git a/demo/crypto-perf/Dockerfile b/demo/crypto-perf/Dockerfile index f7ff318e5..23039ee11 100644 --- a/demo/crypto-perf/Dockerfile +++ b/demo/crypto-perf/Dockerfile @@ -1,4 +1,4 @@ -FROM debian:unstable-slim as builder +FROM debian:unstable-slim@sha256:1168b5db3ac36ac7dba548f4cc9d4a2bac856d1404000a07e936d2012d2820bb as builder ARG DIR=/dpdk-build WORKDIR $DIR @@ -37,7 +37,7 @@ RUN mkdir -p /install_root/licenses/dpdk && \ cd /install_root/licenses/dpdk && \ apt-get source --download-only -y libatomic1 libnuma1 -FROM debian:unstable-slim +FROM debian:unstable-slim@sha256:1168b5db3ac36ac7dba548f4cc9d4a2bac856d1404000a07e936d2012d2820bb RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends libipsec-mb1 libnuma1 libatomic1 && ldconfig -v COPY --from=builder /install_root / COPY run-dpdk-test /usr/bin/ diff --git a/demo/dlb-dpdk-demo/Dockerfile b/demo/dlb-dpdk-demo/Dockerfile index 18fa7ce09..e94686871 100644 --- a/demo/dlb-dpdk-demo/Dockerfile +++ b/demo/dlb-dpdk-demo/Dockerfile 
@@ -1,4 +1,4 @@ -FROM ubuntu:20.04 as builder +FROM ubuntu:20.04@sha256:874aca52f79ae5f8258faff03e10ce99ae836f6e7d2df6ecd3da5c1cad3a912b as builder ARG DIR=/dpdk-build WORKDIR $DIR @@ -24,7 +24,7 @@ RUN wget -q https://fast.dpdk.org/rel/$DPDK_TARBALL \ RUN cd dpdk-* && patch -Np1 < $(echo ../dlb/dpdk/dpdk_dlb_*.patch) && sed -i 's/270b,2710,2714/270b,2710,2711,2714/g' ./usertools/dpdk-devbind.py && meson setup --prefix $(pwd)/installdir builddir RUN cd dpdk-* && ninja -C builddir install && install -D builddir/app/dpdk-test-eventdev /install_root/usr/bin/dpdk-test-eventdev -FROM ubuntu:20.04 +FROM ubuntu:20.04@sha256:874aca52f79ae5f8258faff03e10ce99ae836f6e7d2df6ecd3da5c1cad3a912b RUN apt-get update && apt-get install -y --no-install-recommends libnuma1 libatomic1 COPY --from=builder /install_root / COPY test.sh /usr/bin/ diff --git a/demo/dlb-libdlb-demo/Dockerfile b/demo/dlb-libdlb-demo/Dockerfile index ba490438b..3bb0cd499 100644 --- a/demo/dlb-libdlb-demo/Dockerfile +++ b/demo/dlb-libdlb-demo/Dockerfile @@ -1,4 +1,4 @@ -FROM ubuntu:20.04 AS builder +FROM ubuntu:20.04@sha256:874aca52f79ae5f8258faff03e10ce99ae836f6e7d2df6ecd3da5c1cad3a912b AS builder WORKDIR /dlb-build @@ -16,7 +16,7 @@ RUN wget https://downloadmirror.intel.com/791459/$DLB_TARBALL \ # Build libdlb RUN cd dlb/libdlb && make -FROM ubuntu:20.04 +FROM ubuntu:20.04@sha256:874aca52f79ae5f8258faff03e10ce99ae836f6e7d2df6ecd3da5c1cad3a912b COPY --from=builder /dlb-build/dlb/libdlb/libdlb.so /usr/local/lib RUN ldconfig diff --git a/demo/intel-opencl-icd/Dockerfile b/demo/intel-opencl-icd/Dockerfile index 8d31f609b..fba243ded 100644 --- a/demo/intel-opencl-icd/Dockerfile +++ b/demo/intel-opencl-icd/Dockerfile @@ -1,4 +1,4 @@ -FROM ubuntu:22.04 +FROM ubuntu:22.04@sha256:a6d2b38300ce017add71440577d5b0a90460d0e57fd7aec21dd0d1b0761bbfb2 ARG APT="env DEBIAN_FRONTEND=noninteractive apt" diff --git a/demo/opae-nlb-demo/Dockerfile b/demo/opae-nlb-demo/Dockerfile index ba6311907..0aef114b8 100644 
--- a/demo/opae-nlb-demo/Dockerfile +++ b/demo/opae-nlb-demo/Dockerfile @@ -1,4 +1,4 @@ -FROM debian:unstable-slim AS builder +FROM debian:unstable-slim@sha256:1168b5db3ac36ac7dba548f4cc9d4a2bac856d1404000a07e936d2012d2820bb AS builder # Install build dependencies RUN apt-get update && apt-get install -y curl python3-dev git gcc g++ make cmake uuid-dev libjson-c-dev libedit-dev libudev-dev @@ -24,7 +24,7 @@ RUN cd /usr/src/opae/opae-sdk-${OPAE_RELEASE} && \ make -j xfpga nlb0 nlb3 -FROM debian:unstable-slim +FROM debian:unstable-slim@sha256:1168b5db3ac36ac7dba548f4cc9d4a2bac856d1404000a07e936d2012d2820bb RUN apt-get update && apt-get upgrade -y && apt-get install --no-install-recommends -y libjson-c5 diff --git a/demo/openssl-qat-engine/Dockerfile b/demo/openssl-qat-engine/Dockerfile index 6cda0a4c3..4a81638fa 100644 --- a/demo/openssl-qat-engine/Dockerfile +++ b/demo/openssl-qat-engine/Dockerfile @@ -1,4 +1,4 @@ -FROM ubuntu:24.04 +FROM ubuntu:24.04@sha256:3f85b7caad41a95462cf5b787d8a04604c8262cdcdf9a472b8c52ef83375fe15 RUN apt update && \ apt install --no-install-recommends -y qatengine qatlib-examples qatzip openssl diff --git a/demo/sgx-aesmd-demo/Dockerfile b/demo/sgx-aesmd-demo/Dockerfile index 78b9f7a7c..181f331e8 100644 --- a/demo/sgx-aesmd-demo/Dockerfile +++ b/demo/sgx-aesmd-demo/Dockerfile @@ -1,6 +1,6 @@ # This Dockerfile is currently provided as a reference to build aesmd with ECDSA attestation # but is not published along with the device plugin container images. -FROM ubuntu:22.04 +FROM ubuntu:22.04@sha256:a6d2b38300ce017add71440577d5b0a90460d0e57fd7aec21dd0d1b0761bbfb2 RUN apt update && apt install -y curl gnupg-agent \ && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main" | \ diff --git a/demo/sgx-sdk-demo/Dockerfile b/demo/sgx-sdk-demo/Dockerfile index 66d6684ac..bf4386db6 100644 --- a/demo/sgx-sdk-demo/Dockerfile +++ b/demo/sgx-sdk-demo/Dockerfile 
@@ -1,4 +1,4 @@
-FROM ubuntu:22.04@sha256:a6d2b38300ce017add71440577d5b0a90460d0e57fd7aec21dd0d1b0761bbfb2 AS builder
+FROM ubuntu:22.04@sha256:a6d2b38300ce017add71440577d5b0a90460d0e57fd7aec21dd0d1b0761bbfb2 AS builder
 WORKDIR /root
@@ -66,7 +66,7 @@ RUN cd SGXDataCenterAttestationPrimitives/SampleCode/QuoteVerificationSample \
 && sgx_sign sign -key ../QuoteGenerationSample/Enclave/Enclave_private_sample.pem -enclave enclave.so -out enclave.signed.so -config Enclave/Enclave.config.xml \
 && cd -
-FROM ubuntu:22.04@sha256:a6d2b38300ce017add71440577d5b0a90460d0e57fd7aec21dd0d1b0761bbfb2
+FROM ubuntu:22.04@sha256:a6d2b38300ce017add71440577d5b0a90460d0e57fd7aec21dd0d1b0761bbfb2
 RUN apt-get update && \
 apt-get install -y \
diff --git a/demo/update-shas.sh b/demo/update-shas.sh
new file mode 100755
index 000000000..a34d82e35
--- /dev/null
+++ b/demo/update-shas.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+type frizbee > /dev/null 2>&1 || {
+ echo "no 'frizbee' installed, please install it from https://github.com/stacklok/frizbee"
+ exit 1
+}
+
+echo "frizbee available, continue"
+
+files=$(grep -sr "^FROM" * | cut -d":" -f1 | sort | uniq)
+
+for file in $files; do
+ echo "checking $file"
+
+ base=$(grep "^FROM" $file | head -1 | cut -d' ' -f2)
+ baseimg=$(echo $base | cut -d'@' -f1)
+ prevhash=$(echo $base | cut -d'@' -f2 | cut -d' ' -f1)
+
+ hash=$(frizbee containerimage one $baseimg | cut -d'@' -f2)
+ [ $? -ne 0 ] && exit 1
+
+ [ "x$verbose" != "x" ] && echo $prevhash ?= $hash
+
+ if [ $prevhash != $hash ]; then
+ echo "> updating hash in $file: $hash"
+
+ sed -i s/$prevhash/$hash/ $file
+ fi
+done
From fe7b474edc5affdad3e2ccf1f65ec7f2b2aed418 Mon Sep 17 00:00:00 2001
From: Tuomas Katila
Date: Tue, 21 May 2024 10:49:32 +0300
Subject: [PATCH 3/6] downgrade a few images on purpose
Signed-off-by: Tuomas Katila
---
 demo/accel-config-demo/Dockerfile | 4 ++--
 demo/intel-opencl-icd/Dockerfile | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/demo/accel-config-demo/Dockerfile b/demo/accel-config-demo/Dockerfile
index d2f93f0bf..ef71ed488 100644
--- a/demo/accel-config-demo/Dockerfile
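Review bot: The error check after the frizbee call cannot catch a frizbee failure: `hash=$(frizbee containerimage one $baseimg | cut -d'@' -f2)` ends in `cut`, so the `$?` tested on the next line is cut's status, and a failed lookup leaves `hash` empty and falls through to `[ $prevhash != $hash ]` with an unquoted empty operand. A `FROM` line that carries no `@` digest goes wrong in the other direction: `cut -d'@' -f2` then returns the whole `image:tag`, so `prevhash` equals the image name and the `sed` would overwrite the image name with the digest instead of appending one. The script also has no `set -euo pipefail` and quotes none of its expansions, so a `$file` or `$hash` containing glob characters or whitespace is split by the shell. The loop body below fixes these three points; the frizbee availability check and the `files=` discovery are unchanged. Note that only the first `FROM` of each Dockerfile is consulted, so a multi-stage file whose stages use different bases would have only the first one refreshed — true for none of the Dockerfiles in this series, which reuse one base per file, but worth stating in the script header.
```shell
#!/usr/bin/env bash
set -euo pipefail
# … unchanged: frizbee availability check, files= discovery …
for file in $files; do
    echo "checking $file"

    # Only the first FROM is consulted; every stage in a file is assumed to share its base.
    base=$(grep "^FROM" "$file" | head -1 | cut -d' ' -f2)
    baseimg=${base%%@*}
    prevhash=${base#*@}

    if [ "$prevhash" = "$base" ]; then
        echo "> skipping $file: base image is not pinned with a digest"
        continue
    fi

    # With pipefail a failing frizbee fails this assignment, and -e then aborts the script.
    hash=$(frizbee containerimage one "$baseimg" | cut -d'@' -f2)

    [ -n "${verbose:-}" ] && echo "$prevhash ?= $hash"

    if [ "$prevhash" != "$hash" ]; then
        echo "> updating hash in $file: $hash"
        sed -i "s/$prevhash/$hash/" "$file"
    fi
done
```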
+++ b/demo/accel-config-demo/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM debian:unstable-slim@sha256:1168b5db3ac36ac7dba548f4cc9d4a2bac856d1404000a07e936d2012d2820bb AS builder +FROM debian:unstable-slim@sha256:af74cdf95de28a354b88a41ddc167ecc3d8bed2fa121a642bcdfb83310afd25e AS builder RUN apt-get update && apt-get install -y --no-install-recommends libaccel-config-dev \ gcc g++ nasm make cmake autoconf automake libtool pkg-config git ca-certificates uuid-dev @@ -29,7 +29,7 @@ RUN cd / && git clone --recurse-submodules --depth 1 --branch v1.5.0 https://git cmake -DLOG_HW_INIT=ON .. && \ make install -FROM debian:unstable-slim@sha256:1168b5db3ac36ac7dba548f4cc9d4a2bac856d1404000a07e936d2012d2820bb +FROM debian:unstable-slim@sha256:af74cdf95de28a354b88a41ddc167ecc3d8bed2fa121a642bcdfb83310afd25e RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends pciutils accel-config accel-config-test kmod && rm -rf /var/lib/apt/lists/\* diff --git a/demo/intel-opencl-icd/Dockerfile b/demo/intel-opencl-icd/Dockerfile index fba243ded..33d1b16dc 100644 --- a/demo/intel-opencl-icd/Dockerfile +++ b/demo/intel-opencl-icd/Dockerfile @@ -1,4 +1,4 @@ -FROM ubuntu:22.04@sha256:a6d2b38300ce017add71440577d5b0a90460d0e57fd7aec21dd0d1b0761bbfb2 +FROM ubuntu:22.04@sha256:7af9ba4f0a47d9bc8b1ffa492c6b0276476f1889cf4e699fba2236924e5932ed ARG APT="env DEBIAN_FRONTEND=noninteractive apt" From 2777c8cbdccc19c9f05cfb4ef3094c47ac03abdb Mon Sep 17 00:00:00 2001 From: Tuomas Katila Date: Wed, 12 Jun 2024 11:33:25 +0300 Subject: [PATCH 4/6] Update devel.yaml --- .github/workflows/devel.yaml | 19 ------------------- 1 file changed, 19 deletions(-) diff --git a/.github/workflows/devel.yaml b/.github/workflows/devel.yaml index cf5bb5a40..de20ed9d2 100644 --- a/.github/workflows/devel.yaml +++ b/.github/workflows/devel.yaml 
@@ -34,22 +34,3 @@ jobs:
 id-token: write
 security-events: write
 uses: "./.github/workflows/lib-scorecard.yaml"
-
- build:
- needs:
- - validate
- - trivy
- uses: "./.github/workflows/lib-build.yaml"
-
- e2e:
- needs:
- - build
- uses: "./.github/workflows/lib-e2e.yaml"
-
- # devel image push
- publish:
- needs:
- - e2e
- - build
- uses: "./.github/workflows/lib-publish.yaml"
- secrets: inherit
From beb6a399ab1e1d82d076aa55a299b5d3fea1d4e0 Mon Sep 17 00:00:00 2001
From: Tuomas Katila
Date: Wed, 12 Jun 2024 11:49:22 +0300
Subject: [PATCH 5/6] Update README.md
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 862c87eb7..54b35efae 100644
--- a/README.md
+++ b/README.md
@@ -11,7 +11,7 @@ along with a number of device plugin implementations utilizing that framework.
 The [v0.30 release](https://github.com/intel/intel-device-plugins-for-kubernetes/releases/latest) is the latest feature release with its documentation available [here](https://intel.github.io/intel-device-plugins-for-kubernetes/0.30/).
-Table of Contents
+Table of Content(s)
 * [Prerequisites](#prerequisites)
 * [Plugins](#plugins)
From 397102c60fc5b78757adfd08a93e60d250bc1b21 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sun, 16 Jun 2024 22:54:59 +0000
Subject: [PATCH 6/6] build(deps): bump actions/checkout from 4.1.6 to 4.1.7
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.6 to 4.1.7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/a5ac7e51b41094c92402da3b24376905380afc29...692973e3d937129bcbf40652eb9f2f61becf3332)
---
updated-dependencies:
- dependency-name: actions/checkout
 dependency-type: direct:production
 update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] --- .github/workflows/demo-img-update.yaml | 2 +- .github/workflows/lib-build.yaml | 2 +- .github/workflows/lib-codeql.yaml | 2 +- .github/workflows/lib-e2e.yaml | 2 +- .github/workflows/lib-publish.yaml | 2 +- .github/workflows/lib-scorecard.yaml | 2 +- .github/workflows/lib-trivy.yaml | 8 ++++---- .github/workflows/lib-validate.yaml | 8 ++++---- .github/workflows/publish.yml | 8 ++++---- 9 files changed, 18 insertions(+), 18 deletions(-) diff --git a/.github/workflows/demo-img-update.yaml b/.github/workflows/demo-img-update.yaml index d0cf1d4ca..7863e1dde 100644 --- a/.github/workflows/demo-img-update.yaml +++ b/.github/workflows/demo-img-update.yaml @@ -13,7 +13,7 @@ jobs: name: Create a PR for demo image updates runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Install frizbee run: | export FRIZBEE_HASH=cda91f86d0c96d0bc3c464c57a601ca414e0b2415372eb19b9a4c82fa3d4f802 diff --git a/.github/workflows/lib-build.yaml b/.github/workflows/lib-build.yaml index f2f19b64f..bc3993253 100644 --- a/.github/workflows/lib-build.yaml +++ b/.github/workflows/lib-build.yaml @@ -45,7 +45,7 @@ jobs: - dlb-libdlb-demo builder: [buildah, docker] steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5 with: go-version-file: go.mod diff --git a/.github/workflows/lib-codeql.yaml b/.github/workflows/lib-codeql.yaml index b6585f89c..d71c51c55 100644 --- a/.github/workflows/lib-codeql.yaml +++ b/.github/workflows/lib-codeql.yaml 
@@ -18,7 +18,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5 with: diff --git a/.github/workflows/lib-e2e.yaml b/.github/workflows/lib-e2e.yaml index 4dc34cb72..659a5271c 100644 --- a/.github/workflows/lib-e2e.yaml +++ b/.github/workflows/lib-e2e.yaml @@ -67,7 +67,7 @@ jobs: IMAGES: ${{ join(matrix.images, ' ') }} steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 - name: Describe test environment diff --git a/.github/workflows/lib-publish.yaml b/.github/workflows/lib-publish.yaml index ff856e268..e673db7e0 100644 --- a/.github/workflows/lib-publish.yaml +++ b/.github/workflows/lib-publish.yaml @@ -42,7 +42,7 @@ jobs: #- crypto-perf #- opae-nlb-demo steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5 with: go-version-file: go.mod diff --git a/.github/workflows/lib-scorecard.yaml b/.github/workflows/lib-scorecard.yaml index 0414c7dcf..c65290c6c 100644 --- a/.github/workflows/lib-scorecard.yaml +++ b/.github/workflows/lib-scorecard.yaml @@ -16,7 +16,7 @@ jobs: id-token: write steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: persist-credentials: false diff --git a/.github/workflows/lib-trivy.yaml b/.github/workflows/lib-trivy.yaml index 842d30248..948068306 100644 --- a/.github/workflows/lib-trivy.yaml +++ b/.github/workflows/lib-trivy.yaml 
@@ -30,7 +30,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Run Trivy in config mode for deployments uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 # 0.20.0 @@ -49,7 +49,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Run Trivy in config mode for dockerfiles uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 # 0.20.0 @@ -64,7 +64,7 @@ jobs: name: Scan licenses steps: - name: Checkout - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Run Trivy in fs mode uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 # 0.20.0 @@ -83,7 +83,7 @@ jobs: name: Scan vulnerabilities steps: - name: Checkout - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Run Trivy in fs mode continue-on-error: true diff --git a/.github/workflows/lib-validate.yaml b/.github/workflows/lib-validate.yaml index 19fde0ddc..0ca420c6d 100644 --- a/.github/workflows/lib-validate.yaml +++ b/.github/workflows/lib-validate.yaml @@ -14,7 +14,7 @@ jobs: run: | sudo apt-get update sudo apt-get install -y python3-venv - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 - name: Set up doc directory 
@@ -35,7 +35,7 @@ jobs: name: lint runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5 with: go-version-file: go.mod @@ -50,7 +50,7 @@ jobs: name: Build and check device plugins runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5 with: go-version-file: go.mod @@ -74,7 +74,7 @@ jobs: - 1.29.x - 1.30.x steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5 with: go-version-file: go.mod diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index d7f6f54ff..2c16df682 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -23,7 +23,7 @@ jobs: run: | sudo apt-get update sudo apt-get install -y python3-venv git - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 ref: main @@ -44,7 +44,7 @@ jobs: rm -rf _work/venv make vhtml mv _build/html/* $HOME/output/ - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 ref: release-0.28 @@ -55,7 +55,7 @@ jobs: rm -rf _work/venv make vhtml mv _build/html $HOME/output/0.28 - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 ref: release-0.29 
@@ -66,7 +66,7 @@ jobs: rm -rf _work/venv make vhtml mv _build/html $HOME/output/0.29 - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 with: fetch-depth: 0 ref: release-0.30