diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index ba54425..6684632 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -63,11 +63,14 @@ jobs: contents: read packages: write strategy: + max-parallel: 1 matrix: include: - arch: amd64 + platform: linux/amd64 nix_package: sysdig-mcp-server-image-amd64 - arch: arm64 + platform: linux/arm64 nix_package: sysdig-mcp-server-image-aarch64 steps: - name: Check out the repo @@ -88,20 +91,37 @@ jobs: - name: Build image run: nix build .#${{ matrix.nix_package }} -o result + - name: Convert to OCI layout + run: | + skopeo copy docker-archive:result oci:/tmp/oci-image:latest + echo "FROM base" > /tmp/Dockerfile.push + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - name: Log in to GitHub Container Registry - run: echo "${{ secrets.GITHUB_TOKEN }}" | skopeo login ghcr.io -u "${{ github.actor }}" --password-stdin + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} - name: Push image by digest id: push - env: - REGISTRY: ghcr.io/sysdiglabs/sysdig-mcp-server + uses: docker/build-push-action@v6 + with: + file: /tmp/Dockerfile.push + build-contexts: | + base=oci-layout:///tmp/oci-image + platforms: ${{ matrix.platform }} + provenance: false + outputs: type=image,name=ghcr.io/sysdiglabs/sysdig-mcp-server,push-by-digest=true,name-canonical=true,push=true + + - name: Export digest run: | - skopeo copy --digestfile /tmp/digest \ - docker-archive:result \ - docker://$REGISTRY --format oci - mkdir -p /tmp/digests - cp /tmp/digest /tmp/digests/${{ matrix.arch }} + digest="${{ steps.push.outputs.digest }}" + touch "/tmp/digests/${digest#sha256:}" - name: Upload digest uses: actions/upload-artifact@v5 
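Review bot: The new `Export digest` step runs `touch "/tmp/digests/${digest#sha256:}"` without the `mkdir -p /tmp/digests` that the removed skopeo block performed, so on a fresh runner `touch` cannot create the file and the `Upload digest` step that follows has nothing to upload; the same step in the new pull-request-ci.yaml does keep `mkdir -p /tmp/digests`, so this reads as an oversight. Add `mkdir -p /tmp/digests` as the first line of that run block. Passing the digest through `env:` (`DIGEST: ${{ steps.push.outputs.digest }}`) instead of interpolating the expression into the script would match how `PR_NUMBER` is handled in pull-request-ci.yaml. The docker/setup-buildx-action@v3, docker/login-action@v3 and docker/build-push-action@v6 references introduced here (and the same ones in pull-request-ci.yaml, together with actions/checkout@v5, actions/upload-artifact@v5 and sysdiglabs/scan-action@v6) float on major tags while the DeterminateSystems actions are SHA-pinned with a "supply-chain safety" comment; pinning all of them by SHA would make that policy consistent. A short comment above `provenance: false` stating why it is off — presumably because a BuildKit attestation would describe the `FROM base` shim rather than the Nix build — would save the next reader the question.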
@@ -144,10 +164,10 @@ jobs: working-directory: /tmp/digests run: | docker buildx imagetools create --tag $REGISTRY:${VERSION} \ - $(printf "$REGISTRY@%s " $(cat *)) + $(printf "$REGISTRY@sha256:%s " *) docker buildx imagetools create --tag $REGISTRY:latest \ - $(printf "$REGISTRY@%s " $(cat *)) + $(printf "$REGISTRY@sha256:%s " *) - name: Inspect image env: diff --git a/.github/workflows/pull-request-ci.yaml b/.github/workflows/pull-request-ci.yaml new file mode 100644 index 0000000..1e4aa79 --- /dev/null +++ b/.github/workflows/pull-request-ci.yaml 
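Review bot: `$(printf "$REGISTRY@sha256:%s " *)` now treats every file name in /tmp/digests as a digest, so an empty or stray download leaves the literal `*` (or an arbitrary name) in the manifest-list command and the failure only surfaces from `imagetools`. A cheap guard before the two `create` calls keeps the failure explicit and local: `for f in *; do [[ "$f" =~ ^[0-9a-f]{64}$ ]] || { echo "unexpected digest file: $f" >&2; exit 1; }; done`. Dropping `$(cat *)` in favour of the file name is consistent with the `touch` change in the earlier publish.yaml hunk; the `env` that defines `REGISTRY` and `VERSION` for this step lies outside the hunk, so I could not confirm both are set here.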
@@ -0,0 +1,188 @@
+---
+name: Pull Request CI
+
+on:
+ pull_request:
+ branches:
+ - main
+ - master
+ workflow_call:
+ workflow_dispatch:
+
+concurrency:
+ group: "pr-ci-${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
+ cancel-in-progress: true
+
+jobs:
+ build-and-test:
+ name: Build and Test
+ runs-on: ubuntu-latest
+ defaults:
+ run:
+ shell: nix develop --command bash {0}
+ steps:
+ - name: Check out the repo
+ uses: actions/checkout@v5
+
+ - name: Install Nix
+ # Pinned to v21 commit SHA for supply-chain safety.
+ # To update: git ls-remote https://github.com/DeterminateSystems/nix-installer-action.git
+ uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21
+
+ - name: Enable Nix cache
+ # Pinned to v13 commit SHA for supply-chain safety.
+ # To update: git ls-remote https://github.com/DeterminateSystems/magic-nix-cache-action.git
+ uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13
+ with:
+ use-flakehub: false
+
+ - name: Build
+ run: go build ./...
+
+ - name: Run Checks
+ run: just check
+ env:
+ SYSDIG_MCP_API_HOST: ${{ vars.SYSDIG_MCP_API_HOST }}
+ SYSDIG_MCP_API_TOKEN: ${{ secrets.SYSDIG_MCP_API_SECURE_TOKEN }}
+
+ test-image:
+ name: Test Image (${{ matrix.arch }})
+ runs-on: ubuntu-latest
+ needs: [build-and-test]
+ defaults:
+ run:
+ shell: nix develop --command bash {0}
+ permissions:
+ contents: read # required for actions/checkout
+ packages: write # required for pushing to GHCR
+ strategy:
+ max-parallel: 1
+ matrix:
+ include:
+ - arch: amd64
+ platform: linux/amd64
+ nix_package: sysdig-mcp-server-image-amd64
+ - arch: arm64
+ platform: linux/arm64
+ nix_package: sysdig-mcp-server-image-aarch64
+ steps:
+ - name: Check out the repo
+ uses: actions/checkout@v5
+ with:
+ ref: ${{ github.sha }}
+ fetch-depth: "0"
+
+ - name: Install Nix
+ # Pinned to v21 commit SHA for supply-chain safety.
+ # To update: git ls-remote https://github.com/DeterminateSystems/nix-installer-action.git
+ uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21
+
+ - name: Enable Nix cache
+ # Pinned to v13 commit SHA for supply-chain safety.
+ # To update: git ls-remote https://github.com/DeterminateSystems/magic-nix-cache-action.git
+ uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13
+ with:
+ use-flakehub: false
+
+ - name: Build image
+ run: nix build .#${{ matrix.nix_package }} -o result
+
+ - name: Load image
+ id: load
+ run: |
+ IMAGE_TAG=$(docker load < result | sed -n 's/Loaded image: //p')
+ echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
+
+ - name: Test image
+ if: matrix.arch == 'amd64'
+ run: docker run --rm "${{ steps.load.outputs.image_tag }}" --help | grep "Sysdig MCP Server"
+
+ - name: Scan Docker image
+ uses: sysdiglabs/scan-action@v6
+ with:
+ image-tag: ${{ steps.load.outputs.image_tag }}
+ sysdig-secure-token: ${{ secrets.SECURE_ENV_MON_API_KEY }}
+ sysdig-secure-url: ${{ secrets.SECURE_ENV_MON_ENDPOINT }}
+ stop-on-failed-policy-eval: true
+ stop-on-processing-error: true
+
+ - name: Convert to OCI layout
+ run: |
+ skopeo copy docker-archive:result oci:/tmp/oci-image:latest
+ echo "FROM base" > /tmp/Dockerfile.push
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Log in to GitHub Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Push image by digest
+ id: push
+ uses: docker/build-push-action@v6
+ with:
+ file: /tmp/Dockerfile.push
+ build-contexts: |
+ base=oci-layout:///tmp/oci-image
+ platforms: ${{ matrix.platform }}
+ provenance: false
+ outputs: type=image,name=ghcr.io/sysdiglabs/sysdig-mcp-server,push-by-digest=true,name-canonical=true,push=true
+
+ - name: Export digest
+ run: |
+ mkdir -p /tmp/digests
+ digest="${{ steps.push.outputs.digest }}"
+ touch "/tmp/digests/${digest#sha256:}"
+
+ - name: Upload digest
+ uses: actions/upload-artifact@v5
+ with:
+ name: digests-${{ matrix.arch }}
+ path: /tmp/digests/*
+ if-no-files-found: error
+ retention-days: 1
+
+ push-pr-image:
+ name: Push PR image to GitHub Packages
+ runs-on: ubuntu-latest
+ needs: [test-image]
+ if: github.event_name == 'pull_request'
+ permissions:
+ contents: read
+ packages: write
+ env:
+ REGISTRY: ghcr.io/sysdiglabs/sysdig-mcp-server
+ steps:
+ - name: Download digests
+ uses: actions/download-artifact@v6
+ with:
+ path: /tmp/digests
+ pattern: digests-*
+ merge-multiple: true
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Log in to GitHub Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Create manifest list and push
+ env:
+ PR_NUMBER: ${{ github.event.pull_request.number }}
+ working-directory: /tmp/digests
+ run: |
+ docker buildx imagetools create --tag $REGISTRY:pr-${PR_NUMBER} \
+ $(printf "$REGISTRY@sha256:%s " *)
+
+ - name: Inspect image
+ env:
+ PR_NUMBER: ${{ github.event.pull_request.number }}
+ run: docker buildx imagetools inspect $REGISTRY:pr-${PR_NUMBER}
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
deleted file mode 100644
index 882f907..0000000
--- a/.github/workflows/test.yaml
+++ /dev/null
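Review bot: The `Push image by digest` step in `test-image` pushes every pull-request build into the release package `ghcr.io/sysdiglabs/sysdig-mcp-server` and `push-pr-image` then tags it `pr-<number>`, so PR-built images share a package with published releases and a consumer pulling from that package by digest cannot tell the two apart; the push step is also not gated on `github.event_name == 'pull_request'` the way the `push-pr-image` job is, so a `workflow_call` or `workflow_dispatch` run pushes untagged digests that nothing assembles. Consider a separate package (or a clearly separated tag namespace with a retention policy) for PR images, and an `if:` on the push step that mirrors the job-level guard. For pull requests opened from forks the `GITHUB_TOKEN` is read-only and repository secrets are not provided, so the scan, login and push steps will fail there regardless of the `packages: write` grant; if that is intended, a comment such as `# Scan and push need repository secrets; fork PRs stop at the Test image step` above `Scan Docker image` would document it. The `Test image` smoke test only runs for amd64, which is plausible on an amd64 runner, but a one-line comment on that `if:` explaining why arm64 is skipped would spare the next reader the guess.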
@@ -1,45 +0,0 @@
-name: Test
-
-on:
- pull_request:
- branches:
- - main
- - master
- workflow_call:
- workflow_dispatch:
-
-concurrency:
- group: "tests-${{ github.workflow }}-${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
- cancel-in-progress: true
-
-jobs:
- build-and-test:
- name: Build and Test
- runs-on: ubuntu-latest
- defaults:
- run:
- shell: nix develop --command bash {0}
- steps:
- - name: Check out the repo
- uses: actions/checkout@v4
-
- - name: Install nix
- # Pinned to v21 commit SHA for supply-chain safety.
- # To update: git ls-remote https://github.com/DeterminateSystems/nix-installer-action.git
- uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21
-
- - name: Enable Nix cache
- # Pinned to v13 commit SHA for supply-chain safety.
- # To update: git ls-remote https://github.com/DeterminateSystems/magic-nix-cache-action.git
- uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13
- with:
- use-flakehub: false
-
- - name: Build
- run: go build ./...
-
- - name: Run Checks
- run: just check
- env:
- SYSDIG_MCP_API_HOST: ${{ vars.SYSDIG_MCP_API_HOST }}
- SYSDIG_MCP_API_TOKEN: ${{ secrets.SYSDIG_MCP_API_SECURE_TOKEN }}
diff --git a/.github/workflows/test_image.yaml b/.github/workflows/test_image.yaml
deleted file mode 100644
index 9dac66b..0000000
--- a/.github/workflows/test_image.yaml
+++ /dev/null
@@ -1,69 +0,0 @@
----
-name: Test Image Build
-
-on:
- pull_request:
- branches:
- - main
- - master
- workflow_call:
- workflow_dispatch:
-
-concurrency:
- group: "test-image-${{ github.workflow }}-${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
- cancel-in-progress: true
-
-jobs:
- test_build:
- name: Test Build (${{ matrix.arch }})
- runs-on: ubuntu-latest
- permissions:
- contents: read # required for actions/checkout
- strategy:
- max-parallel: 1
- matrix:
- include:
- - arch: amd64
- nix_package: sysdig-mcp-server-image-amd64
- - arch: arm64
- nix_package: sysdig-mcp-server-image-aarch64
- steps:
- - name: Check out the repo
- uses: actions/checkout@v5
- with:
- ref: ${{ github.sha }}
- fetch-depth: "0"
-
- - name: Install Nix
- # Pinned to v21 commit SHA for supply-chain safety.
- # To update: git ls-remote https://github.com/DeterminateSystems/nix-installer-action.git
- uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21
-
- - name: Enable Nix cache
- # Pinned to v13 commit SHA for supply-chain safety.
- # To update: git ls-remote https://github.com/DeterminateSystems/magic-nix-cache-action.git
- uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13
- with:
- use-flakehub: false
-
- - name: Build image
- run: nix build .#${{ matrix.nix_package }} -o result
-
- - name: Load image
- id: load
- run: |
- IMAGE_TAG=$(docker load < result | sed -n 's/Loaded image: //p')
- echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
-
- - name: Test image
- if: matrix.arch == 'amd64'
- run: docker run --rm "${{ steps.load.outputs.image_tag }}" --help | grep "Sysdig MCP Server"
-
- - name: Scan Docker image
- uses: sysdiglabs/scan-action@v6
- with:
- image-tag: ${{ steps.load.outputs.image_tag }}
- sysdig-secure-token: ${{ secrets.SECURE_ENV_MON_API_KEY }}
- sysdig-secure-url: ${{ secrets.SECURE_ENV_MON_ENDPOINT }}
- stop-on-failed-policy-eval: true
- stop-on-processing-error: true
diff --git a/package.nix b/package.nix
index a2c073c..4b647ef 100644
--- a/package.nix
+++ b/package.nix
@@ -1,7 +1,7 @@
 { buildGo124Module, versionCheckHook }:
 buildGo124Module (finalAttrs: {
 pname = "sysdig-mcp-server";
- version = "1.0.1";
+ version = "1.0.2";
 src = ./.;
 # This hash is automatically re-calculated with `just rehash-package-nix`. This is automatically called as well by `just update`.
 vendorHash = "sha256-qMgFlDqzmtpxNOFCX9TsE4sjz0ZdvTJ5Q5IpA8lzG8g=";