ci: unify PR workflows and fix multiarch images #1
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Pull Request CI | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| - master | |
| workflow_call: | |
| workflow_dispatch: | |
| concurrency: | |
| group: "pr-ci-${{ github.event.pull_request.head.label || github.head_ref || github.ref }}" | |
| cancel-in-progress: true | |
| jobs: | |
| build-and-test: | |
| name: Build and Test | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| shell: nix develop --command bash {0} | |
| steps: | |
| - name: Check out the repo | |
| uses: actions/checkout@v5 | |
| - name: Install Nix | |
| # Pinned to v21 commit SHA for supply-chain safety. | |
| # To update: git ls-remote https://github.com/DeterminateSystems/nix-installer-action.git <tag> | |
| uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21 | |
| - name: Enable Nix cache | |
| # Pinned to v13 commit SHA for supply-chain safety. | |
| # To update: git ls-remote https://github.com/DeterminateSystems/magic-nix-cache-action.git <tag> | |
| uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13 | |
| with: | |
| use-flakehub: false | |
| - name: Build | |
| run: go build ./... | |
| - name: Run Checks | |
| run: just check | |
| env: | |
| SYSDIG_MCP_API_HOST: ${{ vars.SYSDIG_MCP_API_HOST }} | |
| SYSDIG_MCP_API_TOKEN: ${{ secrets.SYSDIG_MCP_API_SECURE_TOKEN }} | |
| test-image: | |
| name: Test Image (${{ matrix.arch }}) | |
| runs-on: ubuntu-latest | |
| needs: [build-and-test] | |
| defaults: | |
| run: | |
| shell: nix develop --command bash {0} | |
| permissions: | |
| contents: read # required for actions/checkout | |
| packages: write # required for pushing to GHCR | |
| strategy: | |
| max-parallel: 1 | |
| matrix: | |
| include: | |
| - arch: amd64 | |
| nix_package: sysdig-mcp-server-image-amd64 | |
| - arch: arm64 | |
| nix_package: sysdig-mcp-server-image-aarch64 | |
| steps: | |
| - name: Check out the repo | |
| uses: actions/checkout@v5 | |
| with: | |
| ref: ${{ github.sha }} | |
| fetch-depth: "0" | |
| - name: Install Nix | |
| # Pinned to v21 commit SHA for supply-chain safety. | |
| # To update: git ls-remote https://github.com/DeterminateSystems/nix-installer-action.git <tag> | |
| uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21 | |
| - name: Enable Nix cache | |
| # Pinned to v13 commit SHA for supply-chain safety. | |
| # To update: git ls-remote https://github.com/DeterminateSystems/magic-nix-cache-action.git <tag> | |
| uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13 | |
| with: | |
| use-flakehub: false | |
| - name: Build image | |
| run: nix build .#${{ matrix.nix_package }} -o result | |
| - name: Load image | |
| id: load | |
| run: | | |
| IMAGE_TAG=$(docker load < result | sed -n 's/Loaded image: //p') | |
| echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT | |
| - name: Test image | |
| if: matrix.arch == 'amd64' | |
| run: docker run --rm "${{ steps.load.outputs.image_tag }}" --help | grep "Sysdig MCP Server" | |
| - name: Scan Docker image | |
| uses: sysdiglabs/scan-action@v6 | |
| with: | |
| image-tag: ${{ steps.load.outputs.image_tag }} | |
| sysdig-secure-token: ${{ secrets.SECURE_ENV_MON_API_KEY }} | |
| sysdig-secure-url: ${{ secrets.SECURE_ENV_MON_ENDPOINT }} | |
| stop-on-failed-policy-eval: true | |
| stop-on-processing-error: true | |
| - name: Log in to GitHub Container Registry | |
| run: echo "${{ secrets.GITHUB_TOKEN }}" | skopeo login ghcr.io -u "${{ github.actor }}" --password-stdin | |
| - name: Push image by digest | |
| env: | |
| REGISTRY: ghcr.io/sysdiglabs/sysdig-mcp-server | |
| run: | | |
| skopeo copy --digestfile /tmp/digest \ | |
| docker-archive:result \ | |
| docker://$REGISTRY --format oci | |
| mkdir -p /tmp/digests | |
| cp /tmp/digest /tmp/digests/${{ matrix.arch }} | |
| echo >> /tmp/digests/${{ matrix.arch }} | |
| - name: Upload digest | |
| uses: actions/upload-artifact@v5 | |
| with: | |
| name: digests-${{ matrix.arch }} | |
| path: /tmp/digests/* | |
| if-no-files-found: error | |
| retention-days: 1 | |
| push-pr-image: | |
| name: Push PR image to GitHub Packages | |
| runs-on: ubuntu-latest | |
| needs: [test-image] | |
| if: github.event_name == 'pull_request' | |
| permissions: | |
| contents: read | |
| packages: write | |
| env: | |
| REGISTRY: ghcr.io/sysdiglabs/sysdig-mcp-server | |
| steps: | |
| - name: Download digests | |
| uses: actions/download-artifact@v6 | |
| with: | |
| path: /tmp/digests | |
| pattern: digests-* | |
| merge-multiple: true | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Log in to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Create manifest list and push | |
| env: | |
| PR_NUMBER: ${{ github.event.pull_request.number }} | |
| working-directory: /tmp/digests | |
| run: | | |
| docker buildx imagetools create --tag $REGISTRY:pr-${PR_NUMBER} \ | |
| $(printf "$REGISTRY@%s " $(cat *)) | |
| - name: Inspect image | |
| env: | |
| PR_NUMBER: ${{ github.event.pull_request.number }} | |
| run: docker buildx imagetools inspect $REGISTRY:pr-${PR_NUMBER} |