2 changes: 2 additions & 0 deletions .github/workflows/publish.yaml
Expand Up @@ -63,6 +63,7 @@ jobs:
contents: read
packages: write
strategy:
max-parallel: 1
matrix:
include:
- arch: amd64
Expand Down Expand Up @@ -102,6 +103,7 @@ jobs:

mkdir -p /tmp/digests
cp /tmp/digest /tmp/digests/${{ matrix.arch }}
echo >> /tmp/digests/${{ matrix.arch }}

- name: Upload digest
uses: actions/upload-artifact@v5
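Review bot: The added `echo >> /tmp/digests/${{ matrix.arch }}` carries no comment explaining why a bare newline is appended to the digest file, and the reason is only visible in a different job where all digest files are concatenated with `cat *` and split into words. Suggest placing `# --digestfile presumably writes no trailing newline; append one so the aggregated cat of all digest files yields one digest per line` above it. The identical line in the new pull-request-ci.yaml would take the same comment. The enclosing job definition starts above this hunk.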
169 changes: 169 additions & 0 deletions .github/workflows/pull-request-ci.yaml
@@ -0,0 +1,169 @@
---
name: Pull Request CI

on:
pull_request:
branches:
- main
- master
workflow_call:
workflow_dispatch:

concurrency:
group: "pr-ci-${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
cancel-in-progress: true

jobs:
build-and-test:
name: Build and Test
runs-on: ubuntu-latest
defaults:
run:
shell: nix develop --command bash {0}
steps:
- name: Check out the repo
uses: actions/checkout@v5

- name: Install Nix
# Pinned to v21 commit SHA for supply-chain safety.
# To update: git ls-remote https://github.com/DeterminateSystems/nix-installer-action.git <tag>
uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21

- name: Enable Nix cache
# Pinned to v13 commit SHA for supply-chain safety.
# To update: git ls-remote https://github.com/DeterminateSystems/magic-nix-cache-action.git <tag>
uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13
with:
use-flakehub: false

- name: Build
run: go build ./...

- name: Run Checks
run: just check
env:
SYSDIG_MCP_API_HOST: ${{ vars.SYSDIG_MCP_API_HOST }}
SYSDIG_MCP_API_TOKEN: ${{ secrets.SYSDIG_MCP_API_SECURE_TOKEN }}

test-image:
name: Test Image (${{ matrix.arch }})
runs-on: ubuntu-latest
needs: [build-and-test]
defaults:
run:
shell: nix develop --command bash {0}
permissions:
contents: read # required for actions/checkout
packages: write # required for pushing to GHCR
strategy:
max-parallel: 1
matrix:
include:
- arch: amd64
nix_package: sysdig-mcp-server-image-amd64
- arch: arm64
nix_package: sysdig-mcp-server-image-aarch64
steps:
- name: Check out the repo
uses: actions/checkout@v5
with:
ref: ${{ github.sha }}
fetch-depth: "0"

- name: Install Nix
# Pinned to v21 commit SHA for supply-chain safety.
# To update: git ls-remote https://github.com/DeterminateSystems/nix-installer-action.git <tag>
uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21

- name: Enable Nix cache
# Pinned to v13 commit SHA for supply-chain safety.
# To update: git ls-remote https://github.com/DeterminateSystems/magic-nix-cache-action.git <tag>
uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13
with:
use-flakehub: false

- name: Build image
run: nix build .#${{ matrix.nix_package }} -o result

- name: Load image
id: load
run: |
IMAGE_TAG=$(docker load < result | sed -n 's/Loaded image: //p')
echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT

- name: Test image
if: matrix.arch == 'amd64'
run: docker run --rm "${{ steps.load.outputs.image_tag }}" --help | grep "Sysdig MCP Server"

- name: Scan Docker image
uses: sysdiglabs/scan-action@v6
with:
image-tag: ${{ steps.load.outputs.image_tag }}
sysdig-secure-token: ${{ secrets.SECURE_ENV_MON_API_KEY }}
sysdig-secure-url: ${{ secrets.SECURE_ENV_MON_ENDPOINT }}
stop-on-failed-policy-eval: true
stop-on-processing-error: true

- name: Log in to GitHub Container Registry
run: echo "${{ secrets.GITHUB_TOKEN }}" | skopeo login ghcr.io -u "${{ github.actor }}" --password-stdin

- name: Push image by digest
env:
REGISTRY: ghcr.io/sysdiglabs/sysdig-mcp-server
run: |
skopeo copy --digestfile /tmp/digest \
docker-archive:result \
docker://$REGISTRY --format oci

mkdir -p /tmp/digests
cp /tmp/digest /tmp/digests/${{ matrix.arch }}
echo >> /tmp/digests/${{ matrix.arch }}

- name: Upload digest
uses: actions/upload-artifact@v5
with:
name: digests-${{ matrix.arch }}
path: /tmp/digests/*
if-no-files-found: error
retention-days: 1

push-pr-image:
name: Push PR image to GitHub Packages
runs-on: ubuntu-latest
needs: [test-image]
if: github.event_name == 'pull_request'
permissions:
contents: read
packages: write
env:
REGISTRY: ghcr.io/sysdiglabs/sysdig-mcp-server
steps:
- name: Download digests
uses: actions/download-artifact@v6
with:
path: /tmp/digests
pattern: digests-*
merge-multiple: true

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Log in to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Create manifest list and push
env:
PR_NUMBER: ${{ github.event.pull_request.number }}
working-directory: /tmp/digests
run: |
docker buildx imagetools create --tag $REGISTRY:pr-${PR_NUMBER} \
$(printf "$REGISTRY@%s " $(cat *))

- name: Inspect image
env:
PR_NUMBER: ${{ github.event.pull_request.number }}
run: docker buildx imagetools inspect $REGISTRY:pr-${PR_NUMBER}
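Review bot: Action pinning is inconsistent within the new file: `DeterminateSystems/nix-installer-action` and `magic-nix-cache-action` are pinned to commit SHAs with a "supply-chain safety" comment, while `actions/checkout@v5`, `sysdiglabs/scan-action@v6`, `actions/upload-artifact@v5`, `actions/download-artifact@v6`, `docker/setup-buildx-action@v3` and `docker/login-action@v3` are referenced by mutable tag, so the stated policy covers only two of the eight actions used. The `build-and-test` job declares no `permissions:` block and therefore inherits the repository's default token scope although it only needs to read the checkout; a job-level `permissions:` with `contents: read` would match the least-privilege setting that `test-image` already has. The custom `shell: nix develop --command bash {0}` replaces GitHub's default `bash -eo pipefail`, so in the `Load image` step a failing `docker load` or `sed` leaves `IMAGE_TAG` empty while the step still succeeds, and the empty tag flows into the scan and push steps. Start each `run: |` block with `set -euo pipefail`, or add `-eo pipefail` to the shell command, so a broken pipeline fails the job instead of producing an empty output.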
45 changes: 0 additions & 45 deletions .github/workflows/test.yaml

This file was deleted.

69 changes: 0 additions & 69 deletions .github/workflows/test_image.yaml

This file was deleted.

2 changes: 1 addition & 1 deletion package.nix
@@ -1,7 +1,7 @@
{ buildGo124Module, versionCheckHook }:
buildGo124Module (finalAttrs: {
pname = "sysdig-mcp-server";
version = "1.0.1";
version = "1.0.2";
src = ./.;
# This hash is automatically re-calculated with `just rehash-package-nix`. This is automatically called as well by `just update`.
vendorHash = "sha256-qMgFlDqzmtpxNOFCX9TsE4sjz0ZdvTJ5Q5IpA8lzG8g=";