particle-os/particle-os-cli
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(github): Add Github support in Build command

Browse source
This commit is contained in:
Gerald Pinder 2023-12-30 16:32:57 +00:00
parent 386308f649
commit 6a15c56a90
6 changed files with 366 additions and 187 deletions
Download patch file Download diff file Expand all files Collapse all files

12
src/bin/ublue.rs
View file

@ -1,4 +1,3 @@
use anyhow::Result;
use clap::{Parser, Subcommand};
use clap_verbosity_flag::{InfoLevel, Verbosity};
use env_logger::WriteStyle;
@ -35,7 +34,7 @@ enum CommandArgs {
Build(build::BuildCommand),
}
fn main() -> Result<()> {
fn main() {
let args = UblueArgs::parse();
env_logger::builder()
@ -46,16 +45,15 @@ fn main() -> Result<()> {
trace!("{args:#?}");
match args.command {
CommandArgs::Template(command) => command.run()?,
CommandArgs::Template(command) => command.run(),
#[cfg(feature = "init")]
CommandArgs::Init(command) => command.run()?,
CommandArgs::Init(command) => command.run(),
#[cfg(feature = "init")]
CommandArgs::New(command) => command.run()?,
CommandArgs::New(command) => command.run(),
#[cfg(feature = "build")]
CommandArgs::Build(command) => command.run()?,
CommandArgs::Build(command) => command.run(),
}
Ok(())
}

426
src/build.rs
View file

@ -56,31 +56,9 @@ pub struct BuildCommand {
}
impl BuildCommand {
pub fn run(&self) -> Result<()> {
info!("Templating for recipe at {}", self.recipe.display());
pub fn try_run(&self) -> Result<()> {
trace!("BuildCommand::try_run()");
if let Err(e) = TemplateCommand::builder()
.recipe(self.recipe.clone())
.containerfile(self.containerfile.clone())
.output(PathBuf::from("Containerfile"))
.build()
.run()
{
error!("Failed to template file: {e}");
process::exit(1);
}
info!("Building image for recipe at {}", self.recipe.display());
if let Err(e) = self.build_image() {
error!("Failed to build image: {e}");
process::exit(1);
}
Ok(())
}
fn build_image(&self) -> Result<()> {
trace!("BuildCommand::build_image()");
if let Err(e1) = ops::check_command_exists("buildah") {
ops::check_command_exists("podman").map_err(|e2| {
anyhow!("Need either 'buildah' or 'podman' commands to proceed: {e1}, {e2}")
@ -90,8 +68,31 @@ impl BuildCommand {
if self.push {
ops::check_command_exists("cosign")?;
ops::check_command_exists("skopeo")?;
check_cosign_files()?;
}
TemplateCommand::builder()
.recipe(self.recipe.clone())
.containerfile(self.containerfile.clone())
.output(PathBuf::from("Containerfile"))
.build()
.try_run()?;
info!("Building image for recipe at {}", self.recipe.display());
self.build_image()
}
pub fn run(&self) {
trace!("BuildCommand::run()");
if let Err(e) = self.try_run() {
error!("Failed to build image: {e}");
process::exit(1);
}
}
fn build_image(&self) -> Result<()> {
trace!("BuildCommand::build_image()");
let recipe: Recipe = serde_yaml::from_str(fs::read_to_string(&self.recipe)?.as_str())?;
let tags = recipe.generate_tags();
@ -109,42 +110,73 @@ impl BuildCommand {
}
fn login(&self) -> Result<()> {
info!("Attempting to login to the registry");
trace!("BuildCommand::login()");
info!("Attempting to login to the registry");
let registry = match &self.registry {
Some(registry) => registry.to_owned(),
None => env::var("CI_REGISTRY")?,
let registry = match (
self.registry.as_ref(),
env::var("CI_REGISTRY").ok(),
env::var("GITHUB_ACTIONS").ok(),
) {
(Some(registry), _, _) => registry.to_owned(),
(None, Some(ci_registry), None) => ci_registry,
(None, None, Some(_)) => "ghcr.io".to_string(),
_ => bail!("Need '--registry' set in order to login"),
};
let username = match &self.username {
Some(username) => username.to_owned(),
None => env::var("CI_REGISTRY_USER")?,
let username = match (
self.username.as_ref(),
env::var("CI_REGISTRY_USER").ok(),
env::var("GITHUB_ACTOR").ok(),
) {
(Some(username), _, _) => username.to_owned(),
(None, Some(ci_registry_user), None) => ci_registry_user,
(None, None, Some(github_actor)) => github_actor,
_ => bail!("Need '--username' set in order to login"),
};
let password = match &self.password {
Some(password) => password.to_owned(),
None => env::var("CI_REGISTRY_PASSWORD")?,
let password = match (
self.password.as_ref(),
env::var("CI_REGISTRY_PASSWORD").ok(),
env::var("REGISTRY_TOKEN").ok(),
) {
(Some(password), None, None) => password.to_owned(),
(None, Some(ci_registry_password), None) => ci_registry_password,
(None, None, Some(github_token)) => github_token,
_ => bail!("Need '--password' set in order to login"),
};
trace!("buildah login -u {username} -p [MASKED] {registry}");
match Command::new("buildah")
.arg("login")
.arg("-u")
.arg(&username)
.arg("-p")
.arg(&password)
.arg(&registry)
.output()?
.status
.success()
{
true => info!("Buildah login success at {registry} for user {username}!"),
false => bail!("Failed to login for buildah!"),
if !match (
ops::check_command_exists("buildah"),
ops::check_command_exists("podman"),
) {
(Ok(_), _) => {
trace!("buildah login -u {username} -p [MASKED] {registry}");
Command::new("buildah")
}
(Err(_), Ok(_)) => {
trace!("podman login -u {username} -p [MASKED] {registry}");
Command::new("podman")
}
_ => bail!("Need 'buildah' or 'podman' to login"),
}
.arg("login")
.arg("-u")
.arg(&username)
.arg("-p")
.arg(&password)
.arg(&registry)
.output()?
.status
.success()
{
bail!("Failed to login for buildah!");
}
info!("Buildah login success at {registry} for user {username}!");
trace!("cosign login -u {username} -p [MASKED] {registry}");
match Command::new("cosign")
if !Command::new("cosign")
.arg("login")
.arg("-u")
.arg(&username)
@ -155,9 +187,9 @@ impl BuildCommand {
.status
.success()
{
true => info!("Cosign login success at {registry} for user {username}!"),
false => bail!("Failed to login for cosign!"),
bail!("Failed to login for cosign!");
}
info!("Cosign login success at {registry} for user {username}!");
Ok(())
}
@ -166,39 +198,53 @@ impl BuildCommand {
info!("Generating full image name");
trace!("BuildCommand::generate_full_image_name({recipe:#?})");
let image_name = recipe.name.as_str();
let image_name = if env::var("CI").is_ok() {
warn!("Detected running in Gitlab CI");
if let (Ok(registry), Ok(project_namespace), Ok(project_name)) = (
env::var("CI_REGISTRY"),
env::var("CI_PROJECT_NAMESPACE"),
env::var("CI_PROJECT_NAME"),
) {
trace!("CI_REGISTRY={registry}, CI_PROJECT_NAMESPACE={project_namespace}, CI_PROJECT_NAME={project_name}");
format!("{registry}/{project_namespace}/{project_name}/{image_name}")
} else {
bail!("Unable to generate image name for Gitlab CI env!")
}
} else {
warn!("Detected running locally");
if let (Some(registry), Some(registry_path)) =
(self.registry.as_ref(), self.registry_path.as_ref())
{
let image_name = match (
env::var("CI_REGISTRY").ok(),
env::var("CI_PROJECT_NAMESPACE").ok(),
env::var("CI_PROJECT_NAME").ok(),
env::var("GITHUB_REPOSITORY_OWNER").ok(),
self.registry.as_ref(),
self.registry_path.as_ref(),
) {
(_, _, _, _, Some(registry), Some(registry_path)) => {
trace!("registry={registry}, registry_path={registry_path}");
format!(
"{}/{}/{image_name}",
registry.trim_matches('/'),
registry_path.trim_matches('/')
"{}/{}/{}",
registry.trim().trim_matches('/'),
registry_path.trim().trim_matches('/'),
&recipe.name
)
} else {
}
(
Some(ci_registry),
Some(ci_project_namespace),
Some(ci_project_name),
None,
None,
None,
) => {
trace!("CI_REGISTRY={ci_registry}, CI_PROJECT_NAMESPACE={ci_project_namespace}, CI_PROJECT_NAME={ci_project_name}");
warn!("Generating Gitlab Registry image");
format!(
"{ci_registry}/{ci_project_namespace}/{ci_project_name}/{}",
&recipe.name
)
}
(None, None, None, Some(github_repository_owner), None, None) => {
trace!("GITHUB_REPOSITORY_OWNER={github_repository_owner}");
warn!("Generating Github Registry image");
format!("ghcr.io/{github_repository_owner}/{}", &recipe.name)
}
_ => {
trace!("Nothing to indicate an image name with a registry");
if self.push {
bail!("Need '--registry' and '--registry-path' in order to push image");
}
image_name.to_string()
recipe.name.to_owned()
}
};
info!("Using image name {image_name}");
info!("Using image name '{image_name}'");
Ok(image_name)
}
@ -324,87 +370,175 @@ impl BuildCommand {
fn sign_images(&self, image_name: &str, tag: &str) -> Result<()> {
trace!("BuildCommand::sign_images({image_name}, {tag})");
if env::var("SIGSTORE_ID_TOKEN").is_ok() && env::var("CI").is_ok() {
debug!("SIGSTORE_ID_TOKEN detected, signing image");
env::set_var("COSIGN_PASSWORD", "");
env::set_var("COSIGN_YES", "true");
if let (
Ok(project_url),
Ok(default_branch),
Ok(commit_branch),
Ok(server_protocol),
Ok(server_host),
) = (
env::var("CI_PROJECT_URL"),
env::var("CI_DEFAULT_BRANCH"),
env::var("CI_COMMIT_REF_NAME"),
env::var("CI_SERVER_PROTOCOL"),
env::var("CI_SERVER_HOST"),
) {
trace!("CI_PROJECT_URL={project_url}, CI_DEFAULT_BRANCH={default_branch}, CI_COMMIT_REF_NAME={commit_branch}, CI_SERVER_PROTOCOL={server_protocol}, CI_SERVER_HOST={server_host}");
let image_digest = get_image_digest(image_name, tag)?;
if default_branch == commit_branch {
debug!("On default branch, retrieving image digest");
match (
env::var("CI_DEFAULT_BRANCH"),
env::var("CI_COMMIT_REF_NAME"),
env::var("CI_PROJECT_URL"),
env::var("CI_SERVER_PROTOCOL"),
env::var("CI_SERVER_HOST"),
env::var("SIGSTORE_ID_TOKEN"),
env::var("GITHUB_EVENT_NAME"),
env::var("GITHUB_REF_NAME"),
env::var("COSIGN_PRIVATE_KEY"),
) {
(
Ok(ci_default_branch),
Ok(ci_commit_ref),
Ok(ci_project_url),
Ok(ci_server_protocol),
Ok(ci_server_host),
Ok(_),
_,
_,
_,
) if ci_default_branch == ci_commit_ref => {
trace!("CI_PROJECT_URL={ci_project_url}, CI_DEFAULT_BRANCH={ci_default_branch}, CI_COMMIT_REF_NAME={ci_commit_ref}, CI_SERVER_PROTOCOL={ci_server_protocol}, CI_SERVER_HOST={ci_server_host}");
let image_name_tag = format!("{image_name}:{tag}");
let image_url = format!("docker://{image_name_tag}");
debug!("On default branch");
trace!("skopeo inspect --format='{{.Digest}}' {image_url}");
let image_digest = String::from_utf8(
Command::new("skopeo")
.arg("inspect")
.arg("--format='{{.Digest}}'")
.arg(&image_url)
.output()?
.stdout,
)?;
info!("Signing image: {image_digest}");
let image_digest =
format!("{image_name}@{}", image_digest.trim().trim_matches('\''));
trace!("cosign sign {image_digest}");
info!("Signing image: {image_digest}");
env::set_var("COSIGN_PASSWORD", "");
env::set_var("COSIGN_YES", "true");
trace!("cosign sign {image_digest}");
let status = Command::new("cosign")
.arg("sign")
.arg(&image_digest)
.status()?;
if status.success() {
info!("Successfully signed image!");
} else {
bail!("Failed to sign image: {image_digest}");
}
let cert_ident =
format!("{project_url}//.gitlab-ci.yml@refs/heads/{default_branch}");
let cert_oidc = format!("{server_protocol}://{server_host}");
trace!("cosign verify --certificate-identity {cert_ident}");
let status = Command::new("cosign")
.arg("verify")
.arg("--certificate-identity")
.arg(&cert_ident)
.arg("--certificate-oidc-issuer")
.arg(&cert_oidc)
.arg(&image_name_tag)
.status()?;
if !status.success() {
bail!("Failed to verify image!");
}
if Command::new("cosign")
.arg("sign")
.arg(&image_digest)
.status()?
.success()
{
info!("Successfully signed image!");
} else {
warn!("Unable to determine OIDC host, not signing image");
warn!("Please ensure your build environment has the variables CI_PROJECT_URL, CI_DEFAULT_BRANCH, CI_COMMIT_REF_NAME, CI_SERVER_PROTOCOL, CI_SERVER_HOST")
bail!("Failed to sign image: {image_digest}");
}
let cert_ident =
format!("{ci_project_url}//.gitlab-ci.yml@refs/heads/{ci_default_branch}");
let cert_oidc = format!("{ci_server_protocol}://{ci_server_host}");
trace!("cosign verify --certificate-identity {cert_ident} --certificate-oidc-issuer {cert_oidc} {image_name}:{tag}");
if !Command::new("cosign")
.arg("verify")
.arg("--certificate-identity")
.arg(&cert_ident)
.arg("--certificate-oidc-issuer")
.arg(&cert_oidc)
.arg(&format!("{image_name}:{tag}"))
.status()?
.success()
{
bail!("Failed to verify image!");
}
}
} else {
debug!("No SIGSTORE_ID_TOKEN detected, not signing image");
(_, _, _, _, _, _, Ok(github_event_name), Ok(github_ref_name), Ok(_))
if github_event_name != "pull_request" && github_ref_name == "live" =>
{
trace!("GITHUB_EVENT_NAME={github_event_name}, GITHUB_REF_NAME={github_ref_name}");
debug!("On live branch");
info!("Signing image: {image_digest}");
trace!("cosign sign --key=env://COSIGN_PRIVATE_KEY {image_digest}");
if Command::new("cosign")
.arg("sign")
.arg("--key=env://COSIGN_PRIVATE_KEY")
.arg(&image_digest)
.status()?
.success()
{
info!("Successfully signed image!");
} else {
bail!("Failed to sign image: {image_digest}");
}
trace!("cosign verify --key ./cosign.pub {image_name}:{tag}");
if !Command::new("cosign")
.arg("verify")
.arg("--key=./cosign.pub")
.arg(&format!("{image_name}:{tag}"))
.status()?
.success()
{
bail!("Failed to verify image!");
}
}
_ => debug!("Not running in CI with cosign variables, not signing"),
}
Ok(())
}
}
pub fn get_image_digest(image_name: &str, tag: &str) -> Result<String> {
trace!("get_image_digest({image_name}, {tag})");
let image_url = format!("docker://{image_name}:{tag}");
trace!("skopeo inspect --format='{{.Digest}}' {image_url}");
let image_digest = String::from_utf8(
Command::new("skopeo")
.arg("inspect")
.arg("--format='{{.Digest}}'")
.arg(&image_url)
.output()?
.stdout,
)?;
Ok(format!(
"{image_name}@{}",
image_digest.trim().trim_matches('\'')
))
}
pub fn check_cosign_files() -> Result<()> {
trace!("check_for_cosign_files()");
match (
env::var("GITHUB_EVENT_NAME").ok(),
env::var("GITHUB_REF_NAME").ok(),
env::var("COSIGN_PRIVATE_KEY").ok(),
) {
(Some(github_event_name), Some(github_ref), Some(_))
if github_event_name != "pull_request" && github_ref == "live" =>
{
env::set_var("COSIGN_PASSWORD", "");
env::set_var("COSIGN_YES", "true");
debug!("Building on live branch, checking cosign files");
trace!("cosign public-key --key env://COSIGN_PRIVATE_KEY");
let output = Command::new("cosign")
.arg("public-key")
.arg("--key=env://COSIGN_PRIVATE_KEY")
.output()?;
if !output.status.success() {
error!("{}", String::from_utf8_lossy(&output.stderr));
bail!("Failed to run cosign public-key");
}
let calculated_pub_key = String::from_utf8(output.stdout)?;
let found_pub_key = fs::read_to_string("./cosign.pub")?;
trace!("calculated_pub_key={calculated_pub_key},found_pub_key={found_pub_key}");
if calculated_pub_key.trim() == found_pub_key.trim() {
debug!("Cosign files match, continuing build");
Ok(())
} else {
bail!("Public key 'cosign.pub' does not match private key")
}
}
_ => {
debug!("Not building on live branch, skipping cosign file check");
Ok(())
}
}
}

26
src/init.rs
View file

@ -1,7 +1,11 @@
use std::path::{Path, PathBuf};
use std::{
path::{Path, PathBuf},
process,
};
use anyhow::Result;
use clap::Args;
use log::error;
use typed_builder::TypedBuilder;
const GITLAB_CI_FILE: &'static str = include_str!("../templates/init/gitlab-ci.yml.tera");
@ -27,7 +31,7 @@ pub struct InitCommand {
}
impl InitCommand {
pub fn run(&self) -> Result<()> {
pub fn try_run(&self) -> Result<()> {
let base_dir = match self.dir.as_ref() {
Some(dir) => dir,
None => std::path::Path::new("./"),
@ -37,6 +41,13 @@ impl InitCommand {
Ok(())
}
pub fn run(&self) {
if let Err(e) = self.try_run() {
error!("Failed to init ublue project: {e}");
process::exit(1);
}
}
fn initialize_directory(&self, base_dir: &Path) {
let recipe_path = base_dir.join("recipe.yml");
@ -64,13 +75,18 @@ pub struct NewCommand {
}
impl NewCommand {
pub fn run(&self) -> Result<()> {
pub fn try_run(&self) -> Result<()> {
InitCommand::builder()
.dir(self.dir.clone())
.common(self.common.clone())
.build()
.run()?;
.try_run()
}
Ok(())
pub fn run(&self) {
if let Err(e) = self.try_run() {
error!("Failed to create new project: {e}");
process::exit(1);
}
}
}

74
src/module_recipe.rs
View file

@ -28,52 +28,74 @@ pub struct Recipe {
impl Recipe {
pub fn generate_tags(&self) -> Vec<String> {
debug!("Generating image tags for {}", &self.name);
trace!("BuildCommand::generate_tags({self:#?})");
trace!("Recipe::generate_tags()");
let mut tags: Vec<String> = Vec::new();
let image_version = self.image_version;
let timestamp = Local::now().format("%Y%m%d").to_string();
if env::var("CI").is_ok() {
if let (Ok(commit_branch), Ok(default_branch), Ok(commit_sha), Ok(pipeline_source)) = (
env::var("CI_COMMIT_REF_NAME"),
env::var("CI_DEFAULT_BRANCH"),
env::var("CI_COMMIT_SHORT_SHA"),
env::var("CI_PIPELINE_SOURCE"),
) {
trace!("CI_COMMIT_REF_NAME={commit_branch}, CI_DEFAULT_BRANCH={default_branch},CI_COMMIT_SHORT_SHA={commit_sha}, CI_PIPELINE_SOURCE={pipeline_source}");
warn!("Detected running in Gitlab, pulling information from CI variables");
if let (Ok(mr_iid), Ok(pipeline_source)) = (
env::var("CI_MERGE_REQUEST_IID"),
env::var("CI_PIPELINE_SOURCE"),
) {
trace!("CI_MERGE_REQUEST_IID={mr_iid}, CI_PIPELINE_SOURCE={pipeline_source}");
if let Ok(mr_iid) = env::var("CI_MERGE_REQUEST_IID") {
trace!("CI_MERGE_REQUEST_IID={mr_iid}");
if pipeline_source == "merge_request_event" {
debug!("Running in a MR");
tags.push(format!("{mr_iid}-{image_version}"));
tags.push(format!("mr-{mr_iid}-{image_version}"));
}
}
if let Ok(commit_sha) = env::var("CI_COMMIT_SHORT_SHA") {
trace!("CI_COMMIT_SHORT_SHA={commit_sha}");
tags.push(format!("{commit_sha}-{image_version}"));
if default_branch != commit_branch {
debug!("Running on branch {commit_branch}");
tags.push(format!("{commit_branch}-{image_version}"));
} else {
debug!("Running on the default branch");
tags.push(image_version.to_string());
tags.push(format!("{image_version}-{timestamp}"));
tags.push(timestamp.to_string());
}
if let (Ok(commit_branch), Ok(default_branch)) = (
env::var("CI_COMMIT_REF_NAME"),
env::var("CI_DEFAULT_BRANCH"),
) {
trace!("CI_COMMIT_REF_NAME={commit_branch}, CI_DEFAULT_BRANCH={default_branch}");
if default_branch != commit_branch {
debug!("Running on branch {commit_branch}");
tags.push(format!("br-{commit_branch}-{image_version}"));
} else {
debug!("Running on the default branch");
tags.push(image_version.to_string());
tags.push(format!("{image_version}-{timestamp}"));
tags.push(timestamp.to_string());
}
tags.push(format!("{commit_sha}-{image_version}"));
} else if let (
Ok(github_event_name),
Ok(github_event_number),
Ok(github_sha),
Ok(github_ref_name),
) = (
env::var("GITHUB_EVENT_NAME"),
env::var("PR_EVENT_NUMBER"),
env::var("GITHUB_SHA"),
env::var("GITHUB_REF_NAME"),
) {
trace!("GITHUB_EVENT_NAME={github_event_name},PR_EVENT_NUMBER={github_event_number},GITHUB_SHA={github_sha},GITHUB_REF_NAME={github_ref_name}");
warn!("Detected running in Github, pulling information from GITHUB variables");
let mut short_sha = github_sha.clone();
short_sha.truncate(7);
if github_event_name == "pull_request" {
debug!("Running in a PR");
tags.push(format!("pr-{github_event_number}-{image_version}"));
} else if github_ref_name == "live" {
tags.push(format!("{image_version}"));
tags.push(format!("{image_version}-{timestamp}"));
tags.push("latest".to_string());
} else {
tags.push(format!("br-{github_ref_name}-{image_version}"));
}
tags.push(format!("{short_sha}-{image_version}"));
} else {
warn!("Running locally");
tags.push(format!("{image_version}-local"));
}
info!("Finished generating tags!");
trace!("Tags: {tags:#?}");
debug!("Tags: {tags:#?}");
tags
}
}

9
src/template.rs
View file

@ -33,14 +33,17 @@ pub struct TemplateCommand {
}
impl TemplateCommand {
pub fn run(&self) -> Result<()> {
pub fn try_run(&self) -> Result<()> {
info!("Templating for recipe at {}", self.recipe.display());
if let Err(e) = self.template_file() {
self.template_file()
}
pub fn run(&self) {
if let Err(e) = self.try_run() {
error!("Failed to template file: {e}");
process::exit(1);
}
Ok(())
}
fn template_file(&self) -> Result<()> {

6
templates/Containerfile.tera
View file

@ -1,5 +1,11 @@
FROM {{ base_image }}:{{ image_version }}
LABEL org.opencontainers.image.title="{{ name }}"
LABEL org.opencontainers.image.version="{{ image_version }}"
LABEL org.opencontainers.image.description="{{ description }}"
LABEL io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/startingpoint/main/README.md
LABEL io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4
ARG RECIPE={{ recipe }}
{%- if running_gitlab_actions() %}
ARG IMAGE_REGISTRY=ghcr.io/ublue-os