Merged
40 changes: 30 additions & 10 deletions .github/workflows/publish.yaml
Expand Up @@ -63,11 +63,14 @@ jobs:
contents: read
packages: write
strategy:
max-parallel: 1
matrix:
include:
- arch: amd64
platform: linux/amd64
nix_package: sysdig-mcp-server-image-amd64
- arch: arm64
platform: linux/arm64
nix_package: sysdig-mcp-server-image-aarch64
steps:
- name: Check out the repo
Expand All @@ -88,20 +91,37 @@ jobs:
- name: Build image
run: nix build .#${{ matrix.nix_package }} -o result

- name: Convert to OCI layout
run: |
skopeo copy docker-archive:result oci:/tmp/oci-image:latest
echo "FROM base" > /tmp/Dockerfile.push

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Log in to GitHub Container Registry
run: echo "${{ secrets.GITHUB_TOKEN }}" | skopeo login ghcr.io -u "${{ github.actor }}" --password-stdin
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Push image by digest
id: push
env:
REGISTRY: ghcr.io/sysdiglabs/sysdig-mcp-server
uses: docker/build-push-action@v6
with:
file: /tmp/Dockerfile.push
build-contexts: |
base=oci-layout:///tmp/oci-image
platforms: ${{ matrix.platform }}
provenance: false
outputs: type=image,name=ghcr.io/sysdiglabs/sysdig-mcp-server,push-by-digest=true,name-canonical=true,push=true

- name: Export digest
run: |
skopeo copy --digestfile /tmp/digest \
docker-archive:result \
docker://$REGISTRY --format oci

mkdir -p /tmp/digests
cp /tmp/digest /tmp/digests/${{ matrix.arch }}
digest="${{ steps.push.outputs.digest }}"
touch "/tmp/digests/${digest#sha256:}"

- name: Upload digest
uses: actions/upload-artifact@v5
Expand Down Expand Up @@ -144,10 +164,10 @@ jobs:
working-directory: /tmp/digests
run: |
docker buildx imagetools create --tag $REGISTRY:${VERSION} \
$(printf "$REGISTRY@%s " $(cat *))
$(printf "$REGISTRY@sha256:%s " *)

docker buildx imagetools create --tag $REGISTRY:latest \
$(printf "$REGISTRY@%s " $(cat *))
$(printf "$REGISTRY@sha256:%s " *)

- name: Inspect image
env:
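Review bot: The rewritten `Export digest` step in the second hunk turns `steps.push.outputs.digest` into a filename without checking that the output is non-empty; if the push produced no digest, `touch "/tmp/digests/"` appears to succeed against the directory itself, the `Upload digest` step (whose `with:` block continues outside the hunk) may have nothing to upload, and the later `printf "$REGISTRY@sha256:%s " *` either expands a literal `*` or silently omits that architecture from the manifest. Add `[ -n "$digest" ] || { echo "push produced no digest" >&2; exit 1; }` directly after the `digest=` assignment. Separately, the steps added here (`docker/setup-buildx-action@v3`, `docker/login-action@v3`, `docker/build-push-action@v6`) and those in the new pull-request-ci.yaml (`actions/checkout@v5`, `sysdiglabs/scan-action@v6`, `actions/upload-artifact@v5`, `actions/download-artifact@v6`) are pinned to mutable tags, while the same PR pins the DeterminateSystems actions to commit SHAs "for supply-chain safety"; since these steps run with `packages: write` and the registry token, pinning them to SHAs with the same `# vN` comment style would make the policy consistent.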
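--- /dev/null
+++ b/.github/workflows/pull-request-ci.yaml
@@ -0,0 +1,188 @@
+---
+name: Pull Request CI
+
+on:
+  pull_request:
+    branches:
+      - main
+      - master
+  workflow_call:
+  workflow_dispatch:
+
+concurrency:
+  group: "pr-ci-${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
+  cancel-in-progress: true
+
+jobs:
+  build-and-test:
+    name: Build and Test
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: nix develop --command bash {0}
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v5
+
+      - name: Install Nix
+        # Pinned to v21 commit SHA for supply-chain safety.
+        # To update: git ls-remote https://github.com/DeterminateSystems/nix-installer-action.git <tag>
+        uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21
+
+      - name: Enable Nix cache
+        # Pinned to v13 commit SHA for supply-chain safety.
+        # To update: git ls-remote https://github.com/DeterminateSystems/magic-nix-cache-action.git <tag>
+        uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13
+        with:
+          use-flakehub: false
+
+      - name: Build
+        run: go build ./...
+
+      - name: Run Checks
+        run: just check
+        env:
+          SYSDIG_MCP_API_HOST: ${{ vars.SYSDIG_MCP_API_HOST }}
+          SYSDIG_MCP_API_TOKEN: ${{ secrets.SYSDIG_MCP_API_SECURE_TOKEN }}
+
+  test-image:
+    name: Test Image (${{ matrix.arch }})
+    runs-on: ubuntu-latest
+    needs: [build-and-test]
+    defaults:
+      run:
+        shell: nix develop --command bash {0}
+    permissions:
+      contents: read # required for actions/checkout
+      packages: write # required for pushing to GHCR
+    strategy:
+      max-parallel: 1
+      matrix:
+        include:
+          - arch: amd64
+            platform: linux/amd64
+            nix_package: sysdig-mcp-server-image-amd64
+          - arch: arm64
+            platform: linux/arm64
+            nix_package: sysdig-mcp-server-image-aarch64
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ github.sha }}
+          fetch-depth: "0"
+
+      - name: Install Nix
+        # Pinned to v21 commit SHA for supply-chain safety.
+        # To update: git ls-remote https://github.com/DeterminateSystems/nix-installer-action.git <tag>
+        uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21
+
+      - name: Enable Nix cache
+        # Pinned to v13 commit SHA for supply-chain safety.
+        # To update: git ls-remote https://github.com/DeterminateSystems/magic-nix-cache-action.git <tag>
+        uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13
+        with:
+          use-flakehub: false
+
+      - name: Build image
+        run: nix build .#${{ matrix.nix_package }} -o result
+
+      - name: Load image
+        id: load
+        run: |
+          IMAGE_TAG=$(docker load < result | sed -n 's/Loaded image: //p')
+          echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
+
+      - name: Test image
+        if: matrix.arch == 'amd64'
+        run: docker run --rm "${{ steps.load.outputs.image_tag }}" --help | grep "Sysdig MCP Server"
+
+      - name: Scan Docker image
+        uses: sysdiglabs/scan-action@v6
+        with:
+          image-tag: ${{ steps.load.outputs.image_tag }}
+          sysdig-secure-token: ${{ secrets.SECURE_ENV_MON_API_KEY }}
+          sysdig-secure-url: ${{ secrets.SECURE_ENV_MON_ENDPOINT }}
+          stop-on-failed-policy-eval: true
+          stop-on-processing-error: true
+
+      - name: Convert to OCI layout
+        run: |
+          skopeo copy docker-archive:result oci:/tmp/oci-image:latest
+          echo "FROM base" > /tmp/Dockerfile.push
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Push image by digest
+        id: push
+        uses: docker/build-push-action@v6
+        with:
+          file: /tmp/Dockerfile.push
+          build-contexts: |
+            base=oci-layout:///tmp/oci-image
+          platforms: ${{ matrix.platform }}
+          provenance: false
+          outputs: type=image,name=ghcr.io/sysdiglabs/sysdig-mcp-server,push-by-digest=true,name-canonical=true,push=true
+
+      - name: Export digest
+        run: |
+          mkdir -p /tmp/digests
+          digest="${{ steps.push.outputs.digest }}"
+          touch "/tmp/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        uses: actions/upload-artifact@v5
+        with:
+          name: digests-${{ matrix.arch }}
+          path: /tmp/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  push-pr-image:
+    name: Push PR image to GitHub Packages
+    runs-on: ubuntu-latest
+    needs: [test-image]
+    if: github.event_name == 'pull_request'
+    permissions:
+      contents: read
+      packages: write
+    env:
+      REGISTRY: ghcr.io/sysdiglabs/sysdig-mcp-server
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@v6
+        with:
+          path: /tmp/digests
+          pattern: digests-*
+          merge-multiple: true
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Create manifest list and push
+        env:
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        working-directory: /tmp/digests
+        run: |
+          docker buildx imagetools create --tag $REGISTRY:pr-${PR_NUMBER} \
+            $(printf "$REGISTRY@sha256:%s " *)
+
+      - name: Inspect image
+        env:
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: docker buildx imagetools inspect $REGISTRY:pr-${PR_NUMBER}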
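Review bot: Both jobs set `defaults.run.shell: nix develop --command bash {0}`, and as far as I can tell the runner adds no `-e`/`-o pipefail` to a custom `shell:` template, so in `Load image` a failed `docker load` leaves `IMAGE_TAG` empty and the step still reports success, and in `Export digest` a failing `mkdir` or `touch` is likewise ignored; start each multi-line `run` block with `set -euo pipefail` and, in `Load image`, add `[ -n "$IMAGE_TAG" ] || exit 1` before writing the output. The `test-image` job requests `packages: write` and its scan step reads `secrets.SECURE_ENV_MON_API_KEY` under a `pull_request` trigger; for pull requests from forks the token is read-only and repository secrets are not exposed, so those steps would presumably fail there — worth a comment stating the intent, or gating the job on `github.event.pull_request.head.repo.full_name == github.repository`. The `Test image` smoke test is restricted to `matrix.arch == 'amd64'` while the arm64 image is scanned and pushed untested; if that is because the runner cannot execute arm64 natively, a one-line comment on the `if:` saying so would save the next reader the question.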
45 changes: 0 additions & 45 deletions .github/workflows/test.yaml

This file was deleted.

69 changes: 0 additions & 69 deletions .github/workflows/test_image.yaml

This file was deleted.

2 changes: 1 addition & 1 deletion package.nix
@@ -1,7 +1,7 @@
{ buildGo124Module, versionCheckHook }:
buildGo124Module (finalAttrs: {
pname = "sysdig-mcp-server";
version = "1.0.1";
version = "1.0.2";
src = ./.;
# This hash is automatically re-calculated with `just rehash-package-nix`. This is automatically called as well by `just update`.
vendorHash = "sha256-qMgFlDqzmtpxNOFCX9TsE4sjz0ZdvTJ5Q5IpA8lzG8g=";