github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-06-27 07:48:55 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #11424 from katexochen/p/regorus-oras-cache

Browse Source 
ci/static-checks: use oras cache for regorus
This commit is contained in:
Dan Mihai 2025-06-24 14:49:00 -07:00 committed by GitHub
commit 2d43b3f9fc
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 88 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
.github/workflows/static-checks.yaml vendored
View File

@ -5,6 +5,7 @@ on:
- edited - edited
- reopened - reopened
- synchronize - synchronize
workflow_dispatch:
permissions: permissions:
contents: read contents: read
@ -105,6 +106,9 @@ jobs:
- "make static-checks" - "make static-checks"
env: env:
GOPATH: ${{ github.workspace }} GOPATH: ${{ github.workspace }}
permissions:
contents: read # for checkout
packages: write # for push to ghcr.io
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@ -131,6 +135,10 @@ jobs:
cd "${GOPATH}/src/github.com/${{ github.repository }}" cd "${GOPATH}/src/github.com/${{ github.repository }}"
./tests/install_opa.sh ./tests/install_opa.sh
- name: Install regorus - name: Install regorus
env:
ARTEFACT_REPOSITORY: "${{ github.repository }}"
ARTEFACT_REGISTRY_USERNAME: "${{ github.actor }}"
ARTEFACT_REGISTRY_PASSWORD: "${{ secrets.GITHUB_TOKEN }}"
run: | run: |
"${GOPATH}/src/github.com/${{ github.repository }}/tests/install_regorus.sh" "${GOPATH}/src/github.com/${{ github.repository }}/tests/install_regorus.sh"
- name: Run check - name: Run check

89
tests/install_regorus.sh
View File

@ -9,6 +9,73 @@
test_dir=$(realpath "$(dirname "${BASH_SOURCE[0]}")") test_dir=$(realpath "$(dirname "${BASH_SOURCE[0]}")")
source "${test_dir}/common.bash" source "${test_dir}/common.bash"
install_regorus_oras()
{
local version
version=$1
if ! command -v oras &>/dev/null; then
warn "oras is not installed. Please install oras to install regorus."
return 1
fi
local image
image="${ARTEFACT_REGISTRY:-ghcr.io}/${ARTEFACT_REPOSITORY:-kata-containers/kata-containers}/cached-artefacts/regorus:${version}"
if ! oras pull "${image}" --no-tty; then
warn "Failed to pull regorus from oras cache"
return 1
fi
info "Successfully pulled regorus from oras cache"
if ! mv regorus "${HOME}/.cargo/bin/regorus"; then
warn "Failed to move regorus binary"
return 1
fi
if ! chmod +x "${HOME}/.cargo/bin/regorus"; then
warn "Failed to make regorus binary executable"
return 1
fi
}
install_regorus_cargo()
{
local version
version=$1
if ! cargo install regorus --version "${version}" --example regorus --locked; then
warn "Failed to cargo install regorus"
return 1
fi
info "Successfully installed regorus using cargo"
# Cache the installed binary using oras, so we don't have to build it again.
if [[ -z "${ARTEFACT_REGISTRY_PASSWORD}" ]]; then
warn "ARTEFACT_REGISTRY_PASSWORD is not set. Skipping caching of regorus binary."
return 0
fi
if [[ -z "${ARTEFACT_REGISTRY_USERNAME}" ]]; then
warn "ARTEFACT_REGISTRY_USERNAME is not set. Skipping caching of regorus binary."
return 0
fi
if ! echo "${ARTEFACT_REGISTRY_PASSWORD}" | oras login "${ARTEFACT_REGISTRY:-ghcr.io}" -u "${ARTEFACT_REGISTRY_USERNAME}" --password-stdin; then
warn "Failed to login to oras registry"
return 1
fi
local image
image="${ARTEFACT_REGISTRY:-ghcr.io}/${ARTEFACT_REPOSITORY:-kata-containers/kata-containers}/cached-artefacts/regorus:${version}"
if ! (cd "${HOME}/.cargo/bin/" && oras push "${image}" --no-tty regorus); then
warn "Failed to push regorus binary to oras cache"
return 1
fi
info "Successfully pushed regorus binary to oras cache as ${image}"
}
install_regorus() install_regorus()
{ {
command -v cargo &>/dev/null \ command -v cargo &>/dev/null \
@ -16,17 +83,12 @@ install_regorus()
command -v git &>/dev/null \ command -v git &>/dev/null \
|| die "git is not installed. Please install git." || die "git is not installed. Please install git."
if regorus --version 2>/dev/null | grep -q "${version}"; then
info "regorus version ${version} is already installed"
return 0
fi
# Get the regorus version from Cargo.toml of the agent policy crate instad of versions.yaml # Get the regorus version from Cargo.toml of the agent policy crate instad of versions.yaml
# so we test the version we are actually using. # so we test the version we are actually using.
local cargo_toml="${test_dir}/../src/agent/policy/Cargo.toml" local cargo_toml="${test_dir}/../src/agent/policy/Cargo.toml"
[[ -f "${cargo_toml}" ]] \ [[ -f "${cargo_toml}" ]] \
|| die "Cargo.toml not found at ${cargo_toml}" || die "Cargo.toml not found at ${cargo_toml}"
local version
version=$( version=$(
cargo tree -i regorus --edges normal --prefix none --manifest-path "${cargo_toml}" | cargo tree -i regorus --edges normal --prefix none --manifest-path "${cargo_toml}" |
head -n1 | head -n1 |
@ -34,12 +96,21 @@ install_regorus()
sed 's/v//' sed 's/v//'
) || die "Failed to get regorus version from cargo.toml" ) || die "Failed to get regorus version from cargo.toml"
if regorus --version 2>/dev/null | grep -q "${version}"; then
info "regorus version ${version} is already installed"
return 0
fi
info "Installing regorus version ${version}" info "Installing regorus version ${version}"
cargo install regorus --version "${version}" --example regorus \ if install_regorus_oras "${version}"; then
|| die "Failed to cargo install regorus" :
elif install_regorus_cargo "${version}"; then
:
else
die "Failed to install regorus"
fi
if ! echo "$PATH" | grep -q "${HOME}/.cargo/bin"; then if ! echo "${PATH}" | grep -q "${HOME}/.cargo/bin"; then
export PATH="${PATH}:${HOME}/.cargo/bin" export PATH="${PATH}:${HOME}/.cargo/bin"
fi fi