ci: unify PR workflows and fix multiarch images #5
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Pull Request CI | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| - master | |
| workflow_call: | |
| workflow_dispatch: | |
| concurrency: | |
| group: "pr-ci-${{ github.event.pull_request.head.label || github.head_ref || github.ref }}" | |
| cancel-in-progress: true | |
| jobs: | |
| build-and-test: | |
| name: Build and Test | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| shell: nix develop --command bash {0} | |
| steps: | |
| - name: Check out the repo | |
| uses: actions/checkout@v5 | |
| - name: Install Nix | |
| # Pinned to v21 commit SHA for supply-chain safety. | |
| # To update: git ls-remote https://github.com/DeterminateSystems/nix-installer-action.git <tag> | |
| uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21 | |
| - name: Enable Nix cache | |
| # Pinned to v13 commit SHA for supply-chain safety. | |
| # To update: git ls-remote https://github.com/DeterminateSystems/magic-nix-cache-action.git <tag> | |
| uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13 | |
| with: | |
| use-flakehub: false | |
| - name: Build | |
| run: go build ./... | |
| - name: Run Checks | |
| run: just check | |
| env: | |
| SYSDIG_MCP_API_HOST: ${{ vars.SYSDIG_MCP_API_HOST }} | |
| SYSDIG_MCP_API_TOKEN: ${{ secrets.SYSDIG_MCP_API_SECURE_TOKEN }} | |
| test-image: | |
| name: Test Image (${{ matrix.arch }}) | |
| runs-on: ubuntu-latest | |
| needs: [build-and-test] | |
| defaults: | |
| run: | |
| shell: nix develop --command bash {0} | |
| permissions: | |
| contents: read # required for actions/checkout | |
| packages: write # required for pushing to GHCR | |
| strategy: | |
| max-parallel: 1 | |
| matrix: | |
| include: | |
| - arch: amd64 | |
| platform: linux/amd64 | |
| nix_package: sysdig-mcp-server-image-amd64 | |
| - arch: arm64 | |
| platform: linux/arm64 | |
| nix_package: sysdig-mcp-server-image-aarch64 | |
| steps: | |
| - name: Check out the repo | |
| uses: actions/checkout@v5 | |
| with: | |
| ref: ${{ github.sha }} | |
| fetch-depth: "0" | |
| - name: Install Nix | |
| # Pinned to v21 commit SHA for supply-chain safety. | |
| # To update: git ls-remote https://github.com/DeterminateSystems/nix-installer-action.git <tag> | |
| uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21 | |
| - name: Enable Nix cache | |
| # Pinned to v13 commit SHA for supply-chain safety. | |
| # To update: git ls-remote https://github.com/DeterminateSystems/magic-nix-cache-action.git <tag> | |
| uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13 | |
| with: | |
| use-flakehub: false | |
| - name: Build image | |
| run: nix build .#${{ matrix.nix_package }} -o result | |
| - name: Load image | |
| id: load | |
| run: | | |
| IMAGE_TAG=$(docker load < result | sed -n 's/Loaded image: //p') | |
| echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT | |
| - name: Test image | |
| if: matrix.arch == 'amd64' | |
| run: docker run --rm "${{ steps.load.outputs.image_tag }}" --help | grep "Sysdig MCP Server" | |
| - name: Scan Docker image | |
| uses: sysdiglabs/scan-action@v6 | |
| with: | |
| image-tag: ${{ steps.load.outputs.image_tag }} | |
| sysdig-secure-token: ${{ secrets.SECURE_ENV_MON_API_KEY }} | |
| sysdig-secure-url: ${{ secrets.SECURE_ENV_MON_ENDPOINT }} | |
| stop-on-failed-policy-eval: true | |
| stop-on-processing-error: true | |
| - name: Convert to OCI layout | |
| run: | | |
| skopeo copy docker-archive:result oci:/tmp/oci-image:latest | |
| echo "FROM base" > /tmp/Dockerfile.push | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Log in to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Push image by digest | |
| id: push | |
| uses: docker/build-push-action@v6 | |
| with: | |
| file: /tmp/Dockerfile.push | |
| build-contexts: | | |
| base=oci-layout:///tmp/oci-image | |
| platforms: ${{ matrix.platform }} | |
| provenance: false | |
| outputs: type=image,name=ghcr.io/sysdiglabs/sysdig-mcp-server,push-by-digest=true,name-canonical=true,push=true | |
| - name: Export digest | |
| run: | | |
| mkdir -p /tmp/digests | |
| digest="${{ steps.push.outputs.digest }}" | |
| touch "/tmp/digests/${digest#sha256:}" | |
| - name: Upload digest | |
| uses: actions/upload-artifact@v5 | |
| with: | |
| name: digests-${{ matrix.arch }} | |
| path: /tmp/digests/* | |
| if-no-files-found: error | |
| retention-days: 1 | |
| push-pr-image: | |
| name: Push PR image to GitHub Packages | |
| runs-on: ubuntu-latest | |
| needs: [test-image] | |
| if: github.event_name == 'pull_request' | |
| permissions: | |
| contents: read | |
| packages: write | |
| env: | |
| REGISTRY: ghcr.io/sysdiglabs/sysdig-mcp-server | |
| steps: | |
| - name: Download digests | |
| uses: actions/download-artifact@v6 | |
| with: | |
| path: /tmp/digests | |
| pattern: digests-* | |
| merge-multiple: true | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Log in to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Create manifest list and push | |
| env: | |
| PR_NUMBER: ${{ github.event.pull_request.number }} | |
| working-directory: /tmp/digests | |
| run: | | |
| docker buildx imagetools create --tag $REGISTRY:pr-${PR_NUMBER} \ | |
| $(printf "$REGISTRY@sha256:%s " *) | |
| - name: Inspect image | |
| env: | |
| PR_NUMBER: ${{ github.event.pull_request.number }} | |
| run: docker buildx imagetools inspect $REGISTRY:pr-${PR_NUMBER} |