Initial commit

Author: asanvaq

.github/ci.yaml

@@ -0,0 +1,43 @@
+version: 1
+ghcr:
+  upload: true
+  cve-scan: true
+
+registries:
+  ## Example of specifying registries
+  # docker.io:
+  #   uri: docker.io/ubuntu
+  #   auth:
+  #     - method: basic
+  #       config:
+  #         username: secrets.DOCKERHUB_USERNAME          # @@@@@@ DO NOT PUT ACTUAL CREDENTIALS HERE @@@@@@
+  #         password: secrets.DOCKERHUB_TOKEN             # @@@@@@ DO NOT PUT ACTUAL CREDENTIALS HERE @@@@@@
+  # rocksdev-ecr-public:
+  #   uri: public.ecr.aws/rocksdev
+  #   auth:
+  #     - method: ecr-public
+  #       config:
+  #         region: us-east-1
+  #         username: secrets.AWS_ACCESS_KEY_ID           # @@@@@@ DO NOT PUT ACTUAL CREDENTIALS HERE @@@@@@
+  #         password: secrets.AWS_SECRET_ACCESS_KEY       # @@@@@@ DO NOT PUT ACTUAL CREDENTIALS HERE @@@@@@
+
+images:
+  - directory: "*"
+
+  ## Example of specifying different registries for a specific rock
+  # - directory: "my-rock-name/0.1-24.04"
+  #   registries:
+  #     - docker.io
+  #     - rocksdev-ecr-public
+
+  ## Example of specifying pro-services with custom config
+  # - directory: "my-rock-name/0.1-24.04"
+  #   pro:
+  #     services:
+  #       - esm-apps
+  #       - esm-infra
+  #     config:
+  #       token: secrets.MY_PRO_TOKEN                    # @@@@@@ DO NOT PUT ACTUAL CREDENTIALS HERE @@@@@@
+  #       artifact-passphrase: secrets.MY_PASSPHRASE     # @@@@@@ DO NOT PUT ACTUAL CREDENTIALS HERE @@@@@@
+  #   registries:
+  #   ...

.github/workflows/cve-scan.yaml

@@ -0,0 +1,35 @@
+name: Scan CVEs dispatch
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 1 * * *"
+
+jobs:
+
+  read-config:
+    runs-on: ubuntu-latest
+    outputs:
+      ghcr-scanning: ${{ steps.read-ci-config.outputs.ghcr-cve-scan }}
+      build-matrix: ${{ steps.read-ci-config.outputs.build-matrix }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: Read .github/ci.yaml
+        id: read-ci-config
+        uses: canonical/rocks-template-actions/actions/read-ci-config@v1
+
+  run-scan:
+    name: Run scan for released images
+    needs: [read-config]
+    uses: canonical/oci-factory/.github/workflows/Vulnerability-Scan.yaml@main
+    strategy:
+      matrix: ${{ fromJson(needs.read-config.outputs.build-matrix) }}
+    with:
+      oci-image-name: ghcr.io/${{ github.repository }}/${{ matrix.name }}:${{ matrix.tag }}
+      create-issue: true
+      trivyignore-path: ${{ matrix.directory }}/.trivyignore
+    permissions:
+      contents: read
+      packages: read

.github/workflows/image-internal.yaml

@@ -0,0 +1,137 @@
+# This workflow is intended for internal Canonical repositories only. 
+# It includes steps that rely on internal actions or secrets, 
+# and it performs additional checks to prevent accidental usage in public repositories. 
+# If you are working in a public repository, please use the .github/workflows/image.yaml workflow instead.
+#
+name: Build and Publish Rocks (Internal)
+
+on:
+  # Uncomment these lines to enable the workflow on push and pull_request events
+  # push:
+  #   branches: [main]
+  # pull_request:
+  #   branches: [main]
+  workflow_dispatch:
+
+jobs:
+
+  prepare:
+    runs-on: ubuntu-latest
+    outputs:
+      ghcr-upload: ${{ steps.read-ci-config.outputs.ghcr-upload }}
+      build-matrix: ${{ steps.read-ci-config.outputs.build-matrix }}
+      upload-matrix: ${{ steps.read-ci-config.outputs.upload-matrix }}
+    steps:
+      - name: Pre-Check
+        if: |
+          github.repository_owner != 'canonical' ||
+          github.event.repository.visibility == 'public'
+        run: |
+          echo "::error::This workflow is intended for internal repositories only. Please use the .github/workflows/image.yaml workflow instead."
+          exit 1
+
+      - name: Checkout Repository
+        uses: actions/checkout@v5
+
+      - name: Read .github/ci.yaml
+        id: read-ci-config
+        uses: canonical/rocks-template-actions/actions/read-ci-config@v1
+
+
+  build-internal:
+    needs: [prepare]
+    strategy:
+      fail-fast: true
+      matrix: ${{ fromJSON(needs.prepare.outputs.build-matrix) }}
+    uses: canonical/oci-factory-internal/.github/workflows/Build-Rock.yaml@main
+    with:
+      rock-repo: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
+      rock-repo-commit: ${{ github.ref }}
+      rockfile-directory: ${{ matrix.directory }}
+      oci-archive-name: ${{ matrix.artifact-name }}
+    secrets:
+      host-github-token: ${{ secrets.GITHUB_TOKEN }}
+      source-github-token: ${{ secrets.REPO_CLONER_TOKEN }}
+
+
+  test:
+    needs: [prepare, build-internal]
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJson(needs.prepare.outputs.build-matrix) }}
+    uses: canonical/oci-factory/.github/workflows/Test-Rock.yaml@main
+    with:
+      oci-archive-name: ${{ matrix.artifact-name }}
+
+
+  upload-ghcr:
+    needs: [prepare, test]
+    runs-on: ubuntu-latest
+    if: |
+      needs.prepare.outputs.ghcr-upload == 'true' &&
+      github.event_name != 'pull_request' && 
+      github.ref == 'refs/heads/main'
+    strategy:
+      matrix: ${{ fromJSON(needs.prepare.outputs.build-matrix) }}
+      fail-fast: false
+    permissions:
+      packages: write
+    steps:
+      - name: Upload Rock to GHCR
+        uses: canonical/oci-factory/.github/actions/upload-rock@main
+        with:
+          artifact_name: ${{ matrix.artifact-name }}
+          tags: ${{ matrix.tag }}
+          name: ${{ matrix.name }}
+          registry: ghcr.io/${{ github.repository }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+
+  upload-registries:
+    needs: [prepare, test]
+    runs-on: ubuntu-latest
+    if: |
+      needs.prepare.outputs.upload-matrix != '{"include": []}' &&
+      github.event_name != 'pull_request' && 
+      github.ref == 'refs/heads/main'
+    strategy:
+      matrix: ${{ fromJSON(needs.prepare.outputs.upload-matrix) }}
+      fail-fast: false
+    steps:
+      - name: Prepare ECR Session Token
+        if: ${{ contains(matrix.registry-auth-method, 'ecr') }}
+        id: get-ecr-token
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets[matrix.registry-auth-username] }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets[matrix.registry-auth-password] }}
+        run: |
+          session_token=$(aws ${{ matrix.registry-auth-method }} \
+                          get-login-password \
+                          --region ${{ matrix.registry-auth-region }} \
+                          )
+          echo "::add-mask::$session_token"
+          echo "aws-session-token=$session_token" >> $GITHUB_OUTPUT
+
+      - name: Upload Rock to ECR
+        uses: canonical/oci-factory/.github/actions/upload-rock@main
+        if: ${{ contains(matrix.registry-auth-method, 'ecr') }}
+        with:
+          artifact_name: ${{ matrix.artifact-name }}
+          tags: ${{ matrix.tag }}
+          name: ${{ matrix.name }}
+          registry: ${{ matrix.registry-uri }}
+          username: AWS
+          password: ${{ steps.get-ecr-token.outputs.aws-session-token }}
+
+      - name: Upload Rock to Registry
+        uses: canonical/oci-factory/.github/actions/upload-rock@main
+        if: matrix.registry-auth-method == 'basic'
+        with:
+          artifact_name: ${{ matrix.artifact-name }}
+          tags: ${{ matrix.tag }}
+          name: ${{ matrix.name }}
+          registry: ${{ matrix.registry-uri }}
+          username: ${{ secrets[matrix.registry-auth-username] }}
+          password: ${{ secrets[matrix.registry-auth-password] }}
+

.github/workflows/image.yaml

@@ -0,0 +1,160 @@
+name: Build and Publish Rocks
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+jobs:
+  prepare:
+    runs-on: ubuntu-latest
+    outputs:
+      ghcr-upload: ${{ steps.read-ci-config.outputs.ghcr-upload }}
+      build-matrix: ${{ steps.read-ci-config.outputs.build-matrix }}
+      upload-matrix: ${{ steps.read-ci-config.outputs.upload-matrix }}
+      arch-map: ${{ steps.set-map.outputs.arch-map }}
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v5
+
+      - name: Read .github/ci.yaml
+        id: read-ci-config
+        uses: canonical/rocks-template-actions/actions/read-ci-config@v1
+
+      - name: Set Architecture Map
+        id: set-map
+        run: |
+          if [[ "${{ github.repository_owner }}" != "canonical" ]]; then
+            echo 'arch-map={"amd64":["ubuntu-24.04"],"arm64":["ubuntu-24.04-arm"]}' >> $GITHUB_OUTPUT
+          fi
+
+      # TODO: remove once the pro-feature is stable in rockcraft
+      # Warn the user if using tests in a pro enabled build
+      - name: Check Pro and Test Incompatibility
+        run: |
+          build_matrix='${{ steps.read-ci-config.outputs.build-matrix }}'
+
+          # Use jq to iterate over the 'include' array
+          echo "$build_matrix" | jq -c '.include[]' | while read -r row; do
+            directory=$(echo "$row" | jq -r '.["directory"] // "unknown"')
+            pro_services=$(echo "$row" | jq -r '.["pro-services"] // ""')
+            run_tests=$(echo "$row" | jq -r '.["run-tests"] // "false"')
+
+            if [[ -n "$pro_services" && "$run_tests" == "true" ]]; then
+              echo "::warning::Tests for Pro Services are currently not supported. Rockcraft tests will be skipped for ${directory}."
+            fi
+          done
+
+
+  build:
+    needs: [prepare]
+    strategy:
+      matrix: ${{ fromJSON(needs.prepare.outputs.build-matrix) }}
+    uses: canonical/oci-factory/.github/workflows/Build-Rock.yaml@main
+    with:
+      rock-repo: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
+      rock-repo-commit: ${{ github.head_ref || github.ref_name }}
+      rockfile-directory: ${{ matrix.directory }}
+      oci-archive-name: ${{ matrix.artifact-name }}
+      arch-map: ${{ needs.prepare.outputs.arch-map }}
+      rockcraft-test: ${{ matrix.run-tests }}
+      pro-services: ${{ matrix.pro-services }}
+    secrets:
+      source-github-token: ${{ secrets.REPO_CLONER_TOKEN }}
+      pro-token: ${{ secrets[matrix.pro-token] }}
+      pro-artifact-passphrase: ${{ secrets[matrix.pro-artifact-passphrase] }}
+
+
+  test:
+    needs: [prepare, build]
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJSON(needs.prepare.outputs.build-matrix) }}
+    uses: canonical/oci-factory/.github/workflows/Test-Rock.yaml@main
+    with:
+      oci-archive-name: ${{ matrix.artifact-name }}
+    secrets:
+      pro-artifact-passphrase: ${{ secrets[matrix.pro-artifact-passphrase] }}
+
+
+  upload-ghcr:
+    needs: [prepare, test]
+    runs-on: ubuntu-latest
+    if: |
+      needs.prepare.outputs.ghcr-upload == 'true' &&
+      github.event_name != 'pull_request' && 
+      github.ref == 'refs/heads/main'
+    strategy:
+      matrix: ${{ fromJSON(needs.prepare.outputs.build-matrix) }}
+      fail-fast: false
+    permissions:
+      packages: write
+    steps:
+      - name: Pre-Check Pro Enabled Rocks
+        if: ${{ github.event.repository.visibility == 'public' && matrix.pro-services != '' }}
+        run: |
+          echo "::warning::Uploading Pro enabled rocks to GHCR is not allowed for public repositories."
+      
+      - name: Upload Rock to GHCR
+        if: ${{ github.event.repository.visibility != 'public' || matrix.pro-services == '' }}
+        uses: canonical/oci-factory/.github/actions/upload-rock@main
+        with:
+          artifact_name: ${{ matrix.artifact-name }}
+          tags: ${{ matrix.tag }}
+          name: ${{ matrix.name }}
+          registry: ghcr.io/${{ github.repository }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          decrypt-passphrase: ${{ secrets[matrix.pro-artifact-passphrase] }}
+
+
+  upload-registries:
+    needs: [prepare, test]
+    runs-on: ubuntu-latest
+    if: |
+      needs.prepare.outputs.upload-matrix != '{"include": []}' &&
+      github.event_name != 'pull_request' && 
+      github.ref == 'refs/heads/main'
+    strategy:
+      matrix: ${{ fromJSON(needs.prepare.outputs.upload-matrix) }}
+      fail-fast: false
+    steps:
+      - name: Prepare ECR Session Token
+        if: ${{ contains(matrix.registry-auth-method, 'ecr') }}
+        id: get-ecr-token
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets[matrix.registry-auth-username] }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets[matrix.registry-auth-password] }}
+        run: |
+          session_token=$(aws ${{ matrix.registry-auth-method }} \
+                          get-login-password \
+                          --region ${{ matrix.registry-auth-region }} \
+                          )
+          echo "::add-mask::$session_token"
+          echo "aws-session-token=$session_token" >> $GITHUB_OUTPUT
+
+      - name: Upload Rock to ECR
+        uses: canonical/oci-factory/.github/actions/upload-rock@main
+        if: ${{ contains(matrix.registry-auth-method, 'ecr') }}
+        with:
+          artifact_name: ${{ matrix.artifact-name }}
+          tags: ${{ matrix.tag }}
+          name: ${{ matrix.name }}
+          registry: ${{ matrix.registry-uri }}
+          username: AWS
+          password: ${{ steps.get-ecr-token.outputs.aws-session-token }}
+          decrypt-passphrase: ${{ secrets[matrix.pro-artifact-passphrase] }}
+
+      - name: Upload Rock to Registry
+        uses: canonical/oci-factory/.github/actions/upload-rock@main
+        if: matrix.registry-auth-method == 'basic'
+        with:
+          artifact_name: ${{ matrix.artifact-name }}
+          tags: ${{ matrix.tag }}
+          name: ${{ matrix.name }}
+          registry: ${{ matrix.registry-uri }}
+          username: ${{ secrets[matrix.registry-auth-username] }}
+          password: ${{ secrets[matrix.registry-auth-password] }}
+          decrypt-passphrase: ${{ secrets[matrix.pro-artifact-passphrase] }}

.gitignore

@@ -0,0 +1,15 @@
+# rock
+*.rock
+
+# OS Files
+.DS_store
+
+# Spread
+.craft-spread*/
+.spread-reuse*
+
+# IDE
+.vs_code/
+.vscode/
+.idea/
+