fix: Dockerfile to reduce vulnerabilities #5
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # We use a single workflow to build all packages because github.run_number is | |
| # specific to each workflow. This ensures that each package has an | |
| # OTC_BUILD_NUMBER that is greater than previous runs which allows package | |
| # upgrades from one build to the next. | |
| name: 'Build packages' | |
| # Sets the name of the CI run based on whether the run was triggered by a push | |
| # or remotely with or without workflow_run_id set. The name used for push events | |
| # is the full commit message as I have not been able to find a way to only show | |
| # the commit title (first 72 characters of commit message) - Justin K. | |
| run-name: > | |
| ${{ | |
| github.event.inputs.workflow_id != '' && | |
| format('Build for Remote Workflow: {0}', github.event.inputs.workflow_id) | |
| || | |
| github.event.inputs.otc_version != '' && | |
| github.event.inputs.otc_sumo_version != '' && | |
| format('Build for GitHub Release: {0}-sumo-{1}', | |
| github.event.inputs.otc_version, github.event.inputs.otc_sumo_version) | |
| || | |
| github.event.head_commit.message | |
| }} | |
| on: | |
| push: | |
| branches: | |
| - '**' | |
| tags-ignore: | |
| - '**' | |
| pull_request: | |
| workflow_dispatch: | |
| inputs: | |
| workflow_id: | |
| description: | | |
| Workflow Run ID from the SumoLogic/sumologic-otel-collector repository | |
| to download artifacts from. The artifacts for the specified workflow | |
| must contain an otelcol-sumo binary for each platform that packages | |
| are being built for. | |
| required: false | |
| type: string | |
| otc_version: | |
| description: | | |
| Version of otelcol-sumo to package in A.B.C format. | |
| required: false | |
| type: string | |
| otc_sumo_version: | |
| description: | | |
| Sumo version of otelcol-sumo to package. E.g. the X in A.B.C-sumo-X. | |
| required: false | |
| type: string | |
| release: | |
| description: Publish release | |
| type: boolean | |
| require: false | |
| default: false | |
| jobs: | |
| # Determines the latest version which will be used to fetch artifacts from a | |
| # GitHub Release and as the version of the packages being built. This is | |
| # skipped if the otc_version and otc_sumo_version inputs have been set. | |
| determine_version: | |
| runs-on: ubuntu-latest | |
| name: Determine version | |
| outputs: | |
| otc_version: >- | |
| ${{ | |
| github.event.inputs.otc_version || | |
| steps.version-core.outputs.version | |
| }} | |
| otc_sumo_version: >- | |
| ${{ | |
| github.event.inputs.otc_sumo_version || | |
| steps.sumo-version.outputs.version | |
| }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| - name: Output Remote Workflow URL | |
| if: github.event.inputs.workflow_id != '' | |
| run: echo ::notice title=Remote Workflow URL::https://github.com/SumoLogic/sumologic-otel-collector/actions/runs/${{ github.event.inputs.workflow_id }} | |
| - name: Determine latest release | |
| id: release | |
| uses: ./ci/github-actions/get-latest-release | |
| if: > | |
| github.event.inputs.otc_version == '' && | |
| github.event.inputs.otc_sumo_version == '' | |
| with: | |
| token: ${{ github.token }} | |
| owner: SumoLogic | |
| repository: sumologic-otel-collector | |
| - name: Determine version core from release | |
| id: version-core | |
| if: > | |
| github.event.inputs.otc_version == '' && | |
| github.event.inputs.otc_sumo_version == '' | |
| env: | |
| VERSION_TAG: ${{ steps.release.outputs.tag_name }} | |
| run: > | |
| ./ci/get_version.sh otc_version > /tmp/otc_version && | |
| cat /tmp/otc_version && | |
| echo "version=$(cat /tmp/otc_version)" >> $GITHUB_OUTPUT | |
| - name: Determine sumo version from release | |
| id: sumo-version | |
| if: > | |
| github.event.inputs.otc_version == '' && | |
| github.event.inputs.otc_sumo_version == '' | |
| env: | |
| VERSION_TAG: ${{ steps.release.outputs.tag_name }} | |
| run: > | |
| ./ci/get_version.sh otc_sumo_version > /tmp/otc_sumo_version && | |
| cat /tmp/otc_sumo_version && | |
| echo "version=$(cat /tmp/otc_sumo_version)" >> $GITHUB_OUTPUT | |
| - name: Debug 1 | |
| run: env | |
| - name: Debug 2 | |
| run: cat $GITHUB_OUTPUT | |
| # Builds a package for each cmake target in the matrix. The target must be an | |
| # existing file name (without extension) in the targets directory. | |
| build_packages: | |
| name: ${{ matrix.target }} | |
| uses: ./.github/workflows/_reusable_build_package.yml | |
| needs: | |
| - determine_version | |
| with: | |
| otc_version: ${{ needs.determine_version.outputs.otc_version }} | |
| otc_sumo_version: ${{ needs.determine_version.outputs.otc_sumo_version }} | |
| otc_build_number: ${{ github.run_number }} | |
| cmake_target: ${{ matrix.target }} | |
| workflow_id: ${{ github.event.inputs.workflow_id }} | |
| runs_on: ${{ matrix.runs_on }} | |
| secrets: | |
| gh_artifacts_token: ${{ secrets.GH_ARTIFACTS_TOKEN }} | |
| strategy: | |
| matrix: | |
| include: | |
| - target: otc_linux_amd64_deb | |
| runs_on: ubuntu-latest | |
| - target: otc_linux_amd64_rpm | |
| runs_on: ubuntu-latest | |
| - target: otc_darwin_amd64_productbuild | |
| runs_on: macos-latest | |
| - target: otc_darwin_arm64_productbuild | |
| runs_on: macos-latest | |
| publish_release: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - build_packages | |
| - determine_version | |
| permissions: | |
| contents: write | |
| steps: | |
| - name: Download all packages stored as artifacts | |
| uses: actions/download-artifact@v3 | |
| with: | |
| path: artifacts/ | |
| - name: Debug | |
| run: env | |
| - uses: ncipollo/release-action@v1 | |
| with: | |
| name: v${{ needs.determine_version.outputs.otc_version }}-${{ github.run_number }} | |
| commit: ${{ github.sha }} | |
| tag: v${{ needs.determine_version.outputs.otc_version }}-${{ github.run_number }} | |
| draft: true | |
| prerelease: false | |
| allowUpdates: true | |
| omitBodyDuringUpdate: true | |
| omitNameDuringUpdate: true | |
| artifacts: "artifacts/*/*" | |
| artifactErrorsFailBuild: true | |
| replacesArtifacts: true | |
| body: | | |
| ## v${{ needs.determine_version.outputs.otc_version }}-${{ github.run_number }} | |
| **TODO** |