Revert "Add docker image and refactor release pipeline (#310)"

This reverts commit 6195002ae5.

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Alex Goodman 2021-03-11 12:41:10 -05:00 committed by Alex Goodman
parent 6195002ae5
commit 5e62bca72f
No known key found for this signature in database
GPG key ID: 5CB45AE22BAB7EA7
14 changed files with 231 additions and 619 deletions


@ -1,3 +0,0 @@
*
!dist/syft_linux_amd64/syft
!snapshot/syft_linux_amd64/syft


@ -1,61 +0,0 @@
#!/usr/bin/env bash
set -eu -o pipefail
BIN="syft"
TEMPDIR=$(mktemp -d syft-homebrew-formula-generate-XXXXXX)
VERSION_TAG=$1
HOMEBREW_FORMULA_FILE=$2
trap "rm -f ${TEMPDIR}/*; rmdir ${TEMPDIR};" EXIT
# dependencies: curl, jq, openssl
RELEASE_URL="https://api.github.com/repos/anchore/${BIN}/releases/tags/${VERSION_TAG}"
echo "Using release: ${RELEASE_URL}"
curl -sSL "${RELEASE_URL}" > "${TEMPDIR}/release.json"
function asset_url() {
cat "${1}" | jq -r ".assets[] | select(.name | contains(\"${2}\")) | .browser_download_url"
}
function sha256() {
openssl dgst -sha256 "${1}" | cut -d " " -f 2
}
export DARWIN_AMD64_ASSET_URL=$(asset_url "${TEMPDIR}/release.json" "darwin_amd64.zip")
curl -sSL "${DARWIN_AMD64_ASSET_URL}" > "${TEMPDIR}/darwin_amd64_asset"
export DARWIN_AMD64_ASSET_SHA256=$(sha256 "${TEMPDIR}/darwin_amd64_asset")
export LINUX_AMD64_ASSET_URL=$(asset_url "${TEMPDIR}/release.json" "linux_amd64.tar.gz")
curl -sSL "${LINUX_AMD64_ASSET_URL}" > "${TEMPDIR}/linux_amd64_asset"
export LINUX_AMD64_ASSET_SHA256=$(sha256 "${TEMPDIR}/linux_amd64_asset")
export VERSION=${VERSION_TAG#v}
cat > ${HOMEBREW_FORMULA_FILE} <<-EOF
class Syft < Formula
desc "A tool that generates a Software Bill Of Materials (SBOM) from container images and filesystems"
homepage "https://github.com/anchore/syft"
version "$VERSION"
bottle :unneeded
if OS.mac?
if Hardware::CPU.intel?
url "$DARWIN_AMD64_ASSET_URL"
sha256 "$DARWIN_AMD64_ASSET_SHA256"
end
elsif OS.linux?
if Hardware::CPU.intel?
url "$LINUX_AMD64_ASSET_URL"
sha256 "$LINUX_AMD64_ASSET_SHA256"
end
end
def install
bin.install "syft"
end
end
EOF
echo "Generated ${HOMEBREW_FORMULA_FILE}:"
cat ${HOMEBREW_FORMULA_FILE}


@ -1,47 +0,0 @@
#!/usr/bin/env bash
set -eu -o pipefail
BIN="syft"
DISTDIR=$1
VERSION=$2
TEMPDIR=$3
SYFT_BIN_PATH=${DISTDIR}/${BIN}_linux_amd64/${BIN}
# stage the release tar directory
WORK_DIR=$(mktemp -d -t "syft-packaging-XXXXXX")
trap "rm -f ${WORK_DIR}/*; rmdir ${WORK_DIR};" EXIT
cp ./README.md ${WORK_DIR}
cp ./LICENSE ${WORK_DIR}
cp ${SYFT_BIN_PATH} ${WORK_DIR}
# produce .tar.gz
tar -cvzf "${DISTDIR}/${BIN}_${VERSION}_linux_amd64.tar.gz" -C ${WORK_DIR} .
# produce .deb, .rpm
NFPM_CONFIG=$(mktemp -t "syft-nfpm-cfg-XXXXXX")
cat > ${NFPM_CONFIG} <<-EOF
name: "syft"
license: "Apache 2.0"
maintainer: "Anchore, Inc"
homepage: "https://github.com/anchore/syft"
description: "A tool that generates a Software Bill Of Materials (SBOM) from container images and filesystems"
contents:
- src: ${SYFT_BIN_PATH}
dst: /usr/local/bin/syft
EOF
for packager in "deb" "rpm"; do
${TEMPDIR}/nfpm -f ${NFPM_CONFIG} pkg --packager="$packager" --target="${DISTDIR}/${BIN}_${VERSION}_linux_amd64.$packager"
done
# produce integrity-check files (checksums.txt, checksums.txt.sig)
pushd "${DISTDIR}"
CHECKSUMS_FILE="${BIN}_${VERSION}_checksums.txt"
echo "" > "$CHECKSUMS_FILE"
for file in ./*linux*.*; do
openssl dgst -sha256 "$file" >> "$CHECKSUMS_FILE"
done
gpg --detach-sign "$CHECKSUMS_FILE"
popd


@ -3,12 +3,12 @@ set -ue
BIN="syft"
DISTDIR=$1
VERSION_TAG=$2
VERSION=$2
# the source of truth as to whether we want to notify users of an update is if the release just created is NOT
# flagged as a pre-release on github
if [[ "$(curl -SsL https://api.github.com/repos/anchore/${BIN}/releases/tags/${VERSION_TAG} | jq .prerelease)" == "true" ]] ; then
echo "skipping publishing a version file (this is a pre-release: ${VERSION_TAG})"
if [[ "$(curl -SsL https://api.github.com/repos/anchore/${BIN}/releases/tags/${VERSION} | jq .prerelease)" == "true" ]] ; then
echo "skipping publishing a version file (this is a pre-release: ${VERSION})"
exit 0
fi
@ -16,7 +16,7 @@ echo "creating and publishing version file"
# create a version file for version-update checks
VERSION_FILE="${DISTDIR}/VERSION"
echo "${VERSION_TAG}" | tee "${VERSION_FILE}"
echo "${VERSION}" | tee "${VERSION_FILE}"
# upload the version file that supports the application version update check
export AWS_DEFAULT_REGION=us-west-2
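Review bot: The pre-release check in `if [[ "$(curl -SsL https://api.github.com/repos/anchore/${BIN}/releases/tags/${VERSION} | jq .prerelease)" == "true" ]]` fails open: with only `set -ue` in effect, a failed request or a body without a `prerelease` field leaves the substitution empty or `null`, the comparison is false, and the script goes on to publish the VERSION file that drives the application's update check. Capture the request and the parsed value separately so a failed request stops the script and anything other than an explicit `false` refuses to publish; quoting the URL also keeps the tag from being word-split. The rest of the script lies outside the hunk.
```shell
# … unchanged: BIN/DISTDIR/VERSION assignments …
release_json=$(curl -fSsL "https://api.github.com/repos/anchore/${BIN}/releases/tags/${VERSION}") || exit 1
prerelease=$(jq -r .prerelease <<<"$release_json") || exit 1
if [[ "$prerelease" == "true" ]] ; then
  echo "skipping publishing a version file (this is a pre-release: ${VERSION})"
  exit 0
fi
# anything other than an explicit false (missing field, null, unexpected body) must not publish
[[ "$prerelease" == "false" ]] || { echo "unexpected prerelease value '${prerelease}' for ${VERSION}" >&2; exit 1; }
```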


@ -10,11 +10,11 @@ on:
- v*
env:
GO_VERSION: "1.15.x"
GO_VERSION: "1.14.x"
jobs:
Build-Snapshot-Artifacts:
runs-on: ubuntu-latest
runs-on: macos-latest # We're creating these snapshot builds on macOS to be consistent with our release workflow's build process, which also takes place on macOS (due to code signing requirements).
steps:
- uses: actions/setup-go@v2
with:
@ -52,7 +52,7 @@ jobs:
echo "name: ${{ steps.import_gpg.outputs.name }}"
echo "email: ${{ steps.import_gpg.outputs.email }}"
- name: Build & package snapshot artifacts
- name: Build snapshot artifacts
run: make snapshot
env:
GPG_PRIVATE_KEY: ${{ secrets.SIGNING_GPG_PRIVATE_KEY }}
@ -75,6 +75,7 @@ jobs:
# Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
Acceptance-Linux:
needs: [Build-Snapshot-Artifacts]
# come Nov 30 2020 ubuntu-latest will be ubuntu-20.04, until then it needs to be explicitly referenced due to python 3.7 specific features being used
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v2
@ -123,6 +124,7 @@ jobs:
# Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
Inline-Compare:
needs: [Build-Snapshot-Artifacts]
# come Nov 30 2020 ubuntu-latest will be ubuntu-20.04, until then it needs to be explicitly referenced due to python 3.7 specific features being used
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v2
@ -153,30 +155,3 @@ jobs:
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }}
if: ${{ failure() }}
# Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
Smoke-Test-Container-Image:
needs: [Build-Snapshot-Artifacts]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions/download-artifact@v2
with:
name: artifacts
path: snapshot
- name: Load docker image
run: docker image load --input snapshot/image.tar
- name: Test Docker images
run: make container-image-smoke-test
- uses: 8398a7/action-slack@v3
with:
status: ${{ job.status }}
fields: repo,workflow,job,commit,message,author
text: The syft acceptance tests have failed tragically!
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }}
if: ${{ failure() }}
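Review bot: The `Build snapshot artifacts` step passes `GPG_PRIVATE_KEY: ${{ secrets.SIGNING_GPG_PRIVATE_KEY }}` to `make snapshot`, and the `import_gpg` step above it loads that key, so the release signing key is present on every run of this workflow rather than only on tagged releases; only the `- v*` tag trigger is visible in the hunk, so if the `on:` block also covers branch pushes or pull requests the key is being exercised for unreleased code. If snapshot signatures are not consumed downstream, drop the secret from this step and run the snapshot build with goreleaser's `--skip-sign`, leaving key import to the release workflow; if they are, record why with a comment such as `# snapshots are signed with the release key on purpose: <reason>` on the `env:` line. The `Build-Snapshot-Artifacts` job begins before this hunk.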


@ -1,80 +0,0 @@
name: "Release follow-up"
on:
release:
types: [published]
jobs:
create-homebrew-formula:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Generate homebrew formula
run: make homebrew-formula-generate
- uses: actions/upload-artifact@v2
with:
path: "./dist/syft.rb"
test-formula-linux:
runs-on: ubuntu-latest
needs: create-homebrew-formula
steps:
- uses: actions/download-artifact@v2
with:
path: "dist"
- name: Test homebrew formula
run: make homebrew-formula-test
test-formula-mac:
runs-on: macos-latest
needs: create-homebrew-formula
steps:
- uses: actions/download-artifact@v2
with:
path: "dist"
- name: Test homebrew formula
run: make homebrew-formula-test
publish-formula:
runs-on: ubuntu-latest
needs: [ test-formula-linux, test-formula-mac ]
steps:
- uses: actions/download-artifact@v2
- name: Publish updated homebrew formula
run: homebrew-formula-publish
update_version_check_file:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Update version check file
run: make version-check-update
env:
AWS_ACCESS_KEY_ID: ${{ secrets.TOOLBOX_AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.TOOLBOX_AWS_SECRET_ACCESS_KEY }}
build_and_push_container_image:
runs-on: ubuntu-latest
steps:
- name: Login to Docker Hub
uses: docker/login-action@v1
with:
username: ${{ secrets.TOOLBOX_DOCKER_USER }}
password: ${{ secrets.TOOLBOX_DOCKER_PASS }}
- name: Stage released artifacts
run: make stage-released-linux-artifact
- name: Build and tag Docker images
run: make container-image-build
- name: Smoke test Docker image
run: make container-image-smoke-test
- name: Push Docker images
run: make container-image-push


@ -9,14 +9,12 @@ on:
- "v*"
env:
GO_VERSION: "1.15.x"
GO_VERSION: "1.14.x"
jobs:
quality-gate:
environment: release
wait-for-checks:
runs-on: ubuntu-latest # This OS choice is arbitrary. None of the steps in this job are specific to either Linux or macOS.
steps:
- uses: actions/checkout@v2
# we don't want to release commits that have been pushed and tagged, but not necessarily merged onto main
@ -71,74 +69,27 @@ jobs:
checkName: "Inline-Compare"
ref: ${{ github.event.pull_request.head.sha || github.sha }}
- name: Check container image smoke test results
uses: fountainhead/action-wait-for-check@v1.0.0
id: smoke-test-container-image
with:
token: ${{ secrets.GITHUB_TOKEN }}
# This check name is defined as the circle-ci workflow name (in .github/workflows/acceptance-test.yaml)
checkName: "Smoke-Test-Container-Image"
ref: ${{ github.event.pull_request.head.sha || github.sha }}
- name: Quality gate
if: steps.static-analysis.outputs.conclusion != 'success' || steps.unit-integration.outputs.conclusion != 'success' || steps.inline-compare.outputs.conclusion != 'success' || steps.acceptance-linux.outputs.conclusion != 'success' || steps.acceptance-mac.outputs.conclusion != 'success' || steps.smoke-test-container-image.outputs.conclusion != 'success'
if: steps.static-analysis.outputs.conclusion != 'success' || steps.unit-integration.outputs.conclusion != 'success' || steps.inline-compare.outputs.conclusion != 'success' || steps.acceptance-linux.outputs.conclusion != 'success' || steps.acceptance-mac.outputs.conclusion != 'success'
run: |
echo "Static Analysis Status: ${{ steps.static-analysis.conclusion }}"
echo "Unit & Integration Test Status: ${{ steps.unit-integration.outputs.conclusion }}"
echo "Acceptance Test (Linux) Status: ${{ steps.acceptance-linux.outputs.conclusion }}"
echo "Acceptance Test (Mac) Status: ${{ steps.acceptance-mac.outputs.conclusion }}"
echo "Inline Compare Status: ${{ steps.inline-compare.outputs.conclusion }}"
echo "Smoke Test Container Image Status: ${{ steps.smoke-test-container-image.outputs.conclusion }}"
false
build-assets-mac:
needs: [ quality-gate ]
runs-on: macos-latest # Due to our code signing process, it's vital that we run these release steps on macOS.
release:
needs: [wait-for-checks]
runs-on: macos-latest # Due to our code signing process, it's vital that we run our release steps on macOS.
steps:
- uses: actions/setup-go@v2
with:
go-version: ${{ env.GO_VERSION }}
- uses: actions/checkout@v2
# We are expecting this cache to have been created during the "Build-Snapshot-Artifacts" job in the "Acceptance" workflow.
- name: Restore bootstrap cache
id: cache
uses: actions/cache@v2.1.3
with:
path: |
~/go/pkg/mod
${{ github.workspace }}/.tmp
key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}
restore-keys: |
${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}-
${{ runner.os }}-go-${{ env.GO_VERSION }}-
- name: Build for macOS
run: make build-mac
- name: Create macOS release assets
run: make package-mac
env:
APPLE_DEVELOPER_ID_CERT: ${{ secrets.APPLE_DEVELOPER_ID_CERT }} # Used during macOS code signing.
APPLE_DEVELOPER_ID_CERT_PASS: ${{ secrets.APPLE_DEVELOPER_ID_CERT_PASS }} # Used during macOS code signing.
AC_USERNAME: ${{ secrets.ENG_CI_APPLE_ID }} # Used during macOS notarization.
AC_PASSWORD: ${{ secrets.ENG_CI_APPLE_ID_PASS }} # Used during macOS notarization.
- uses: actions/upload-artifact@v2
with:
name: macOS-artifacts
path: "./dist/*_darwin_*.*"
build-assets-linux:
needs: [ quality-gate ]
runs-on: ubuntu-latest
steps:
- uses: actions/setup-go@v2
with:
go-version: ${{ env.GO_VERSION }}
- uses: actions/checkout@v2
fetch-depth: 0
# We are expecting this cache to have been created during the "Build-Snapshot-Artifacts" job in the "Acceptance" workflow.
- name: Restore bootstrap cache
@ -167,77 +118,19 @@ jobs:
echo "name: ${{ steps.import_gpg.outputs.name }}"
echo "email: ${{ steps.import_gpg.outputs.email }}"
- name: Build Linux assets
run: make build-linux
- name: Package Linux release assets
run: make package-linux
- name: Build & publish release artifacts
run: make release
env:
GITHUB_TOKEN: ${{ secrets.ANCHORE_GIT_READ_TOKEN }}
GPG_PRIVATE_KEY: ${{ secrets.SIGNING_GPG_PRIVATE_KEY }}
PASSPHRASE: ${{ secrets.SIGNING_GPG_PASSPHRASE }}
- uses: actions/upload-artifact@v2
with:
name: Linux-artifacts
path: |
./dist/*_linux_*.*
./dist/*_checksums.*
draft-release:
needs: [ build-assets-mac, build-assets-linux ]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
# fetch all history --this is necessary since we are referencing multiple tags during the release process (for changelog generation)
fetch-depth: 0
# We are expecting this cache to have been created during the "Build-Snapshot-Artifacts" job in the "Acceptance" workflow.
- name: Restore bootstrap cache
id: cache
uses: actions/cache@v2.1.3
with:
path: |
~/go/pkg/mod
${{ github.workspace }}/.tmp
key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}
restore-keys: |
${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}-
${{ runner.os }}-go-${{ env.GO_VERSION }}-
- uses: actions/download-artifact@v2 # Downloads all artifacts
- name: Generate changelog
run: make changelog-release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
- name: Create draft release
uses: actions/create-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
with:
tag_name: ${{ github.ref }}
release_name: ${{ github.ref }}
body_path: "./CHANGELOG.md"
draft: true
prerelease: false
- name: Upload release assets
run: | # Solution found at https://github.com/actions/upload-release-asset/issues/28#issuecomment-617208601 after seeing that the native "actions/upload-release-asset" might not be actively maintained.
set -eux
assets=()
for asset in ./Linux-artifacts/*; do
assets+=("-a" "$asset")
done
for asset in ./macOS-artifacts/*; do
assets+=("-a" "$asset")
done
tag_name="${GITHUB_REF##*/}"
hub release edit -m "" "${assets[@]}" "$tag_name"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SIGNING_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
AWS_ACCESS_KEY_ID: ${{ secrets.TOOLBOX_AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.TOOLBOX_AWS_SECRET_ACCESS_KEY }}
APPLE_DEVELOPER_ID_CERT: ${{ secrets.APPLE_DEVELOPER_ID_CERT }} # Used during macOS code signing.
APPLE_DEVELOPER_ID_CERT_PASS: ${{ secrets.APPLE_DEVELOPER_ID_CERT_PASS }} # Used during macOS code signing.
AC_USERNAME: ${{ secrets.ENG_CI_APPLE_ID }} # Used during macOS notarization.
AC_PASSWORD: ${{ secrets.ENG_CI_APPLE_ID_PASS }} # Used during macOS notarization.
- uses: 8398a7/action-slack@v3
with:
@ -247,3 +140,8 @@ jobs:
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }}
if: ${{ success() }}
- uses: actions/upload-artifact@v2
with:
name: artifacts
path: dist/**/*
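Review bot: The `Build & publish release artifacts` step hands every release secret to one `make release` invocation: `GITHUB_TOKEN`, `GPG_PRIVATE_KEY`, `PASSPHRASE`, the AWS keys, and the Apple certificate and notarization credentials all sit in that step's `env`, and per the Makefile hunk on this page `release` first runs `ci-bootstrap-mac`, whose recipe is `github_changelog_generator --version || sudo gem install github_changelog_generator`. An unpinned gem installed as root therefore executes with the signing key, its passphrase and the Apple credentials in its environment; pin it (`sudo gem install github_changelog_generator -v <pinned version>`) and move changelog generation into a step of its own that carries only `GITHUB_TOKEN`, so the signing material reaches only the goreleaser step. The `8398a7/action-slack@v3` step in the same job is pinned by a mutable tag rather than a commit SHA, which is worth tightening in a job holding these secrets. The `release` job continues past the end of this hunk.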


@ -34,7 +34,7 @@ jobs:
run: make bootstrap
- name: Bootstrap CI dependencies
run: make bootstrap-ci-linux
run: make ci-bootstrap
- name: Run static analysis
run: make static-analysis
@ -70,7 +70,7 @@ jobs:
run: make bootstrap
- name: Bootstrap CI dependencies
run: make bootstrap-ci-linux
run: make ci-bootstrap
- name: Build cache key for java test-fixture blobs (for unit tests)
run: make java-packages-fingerprint

.goreleaser.yaml Normal file

@ -0,0 +1,92 @@
release:
# If set to auto, will mark the release as not ready for production in case there is an indicator for this in the
# tag e.g. v1.0.0-rc1 .If set to true, will mark the release as not ready for production.
prerelease: auto
# If set to true, will not auto-publish the release. This is done to allow us to review the changelog before publishing.
draft: true
builds:
- binary: syft
id: syft
env:
- CGO_ENABLED=0
goos:
# windows not supported yet (due to jotframe)
# - windows
- linux
goarch:
- amd64
# Set the modified timestamp on the output binary to the git timestamp (to ensure a reproducible build)
mod_timestamp: '{{ .CommitTimestamp }}'
ldflags: |
-w
-s
-extldflags '-static'
-X github.com/anchore/syft/internal/version.version={{.Version}}
-X github.com/anchore/syft/internal/version.gitCommit={{.Commit}}
-X github.com/anchore/syft/internal/version.buildDate={{.Date}}
-X github.com/anchore/syft/internal/version.gitTreeState={{.Env.BUILD_GIT_TREE_STATE}}
# For more info on this macOS build, see: https://github.com/mitchellh/gon#usage-with-goreleaser
- binary: syft
id: syft-macos
env:
- CGO_ENABLED=0
goos:
- darwin
goarch:
- amd64
# Set the modified timestamp on the output binary to the git timestamp (to ensure a reproducible build)
mod_timestamp: '{{ .CommitTimestamp }}'
ldflags: |
-w
-s
-extldflags '-static'
-X github.com/anchore/syft/internal/version.version={{.Version}}
-X github.com/anchore/syft/internal/version.gitCommit={{.Commit}}
-X github.com/anchore/syft/internal/version.buildDate={{.Date}}
-X github.com/anchore/syft/internal/version.gitTreeState={{.Env.BUILD_GIT_TREE_STATE}}
archives:
- format: tar.gz
builds:
- syft # i.e. Linux only
- format: zip # This is a hack! We don't actually intend to use _this_ ZIP file, we just need goreleaser to consider the ZIP file produced by gon (which will have the same file name) to be an artifact so we can use it downstream in publishing (e.g. to a homebrew tap)
id: syft-zip
builds:
- syft-macos
signs:
- artifacts: checksum
cmd: sh
args:
- '-c'
# we should not include the zip artifact, as the artifact is mutated throughout the next macOS notarization step
# note: sed -i is not portable
- 'sed "/.*\.zip/d" ${artifact} > tmpfile && mv tmpfile ${artifact} && gpg --output ${signature} --detach-sign ${artifact}'
- id: syft-macos-signing
ids:
- syft-macos
cmd: ./.github/scripts/mac-sign-and-notarize.sh
signature: "syft_${VERSION}_darwin_amd64.dmg" # This is somewhat unintuitive. This gets the DMG file recognized as an artifact. In fact, both a DMG and a ZIP file are being produced by this signing step.
args:
- "{{ .IsSnapshot }}"
- "gon.hcl"
- "./dist/syft_{{ .Version }}_darwin_amd64"
artifacts: all
nfpms:
- license: "Apache 2.0"
maintainer: "Anchore, Inc"
homepage: &website "https://github.com/anchore/syft"
description: &description "A tool that generates a Software Bill Of Materials (SBOM) from container images and filesystems"
formats:
- rpm
- deb
brews:
- tap:
owner: anchore
name: homebrew-syft
homepage: *website
description: *description
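Review bot: The checksum signing entry strips the darwin zip from the checksum file before signing (`sed "/.*\.zip/d" ${artifact} > tmpfile && mv tmpfile ${artifact} && gpg ...`) and the DMG is only produced afterwards by `mac-sign-and-notarize.sh`, so neither macOS artifact is covered by the GPG-signed checksums that the Linux artifacts get; either state on the `signs:` entry that macOS artifacts are verified through Apple notarization only, or regenerate and re-sign the checksum file after the notarization step. The inline `sh -c` also writes a fixed-name `tmpfile` into the working directory and leaves `${artifact}` and `${signature}` unquoted; `sed "/\.zip$/d" "${artifact}" > "${artifact}.tmp" && mv "${artifact}.tmp" "${artifact}" && gpg --output "${signature}" --detach-sign "${artifact}"` is tighter. The `signature: "syft_${VERSION}_darwin_amd64.dmg"` field uses a shell-style `${VERSION}` while the args two lines below use `{{ .Version }}`; if goreleaser renders this field as a Go template, the value depends on the process environment rather than the release version, which is worth confirming.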


@ -1,17 +0,0 @@
FROM alpine:latest AS build
RUN apk --no-cache add ca-certificates
RUN mkdir -p /tmp
# —————————————————————————————————————————————————————————————————————
FROM scratch
ARG DIST_DIR=./dist
# Needed for version check HTTPS request
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
# Needed for image content cache
COPY --from=build /tmp /
COPY ${DIST_DIR}/syft_linux_amd64/syft /
ENTRYPOINT ["/syft"]

Makefile

@ -1,15 +1,11 @@
.SHELLFLAGS := -o pipefail -ec
SHELL := /bin/bash
BIN := syft
TEMPDIR := ./.tmp
BIN = syft
TEMPDIR = ./.tmp
RESULTSDIR = $(TEMPDIR)/results
COVER_REPORT = $(RESULTSDIR)/cover.report
COVER_TOTAL = $(RESULTSDIR)/cover.total
LINTCMD = $(TEMPDIR)/golangci-lint run --tests=false --config .golangci.yaml
SNAPSHOT_CMD = $(shell realpath $(shell pwd)/$(SNAPSHOTDIR)/syft_linux_amd64/syft)
ACC_TEST_IMAGE := centos:8.2.2004
ACC_DIR := ./test/acceptance
ACC_TEST_IMAGE = centos:8.2.2004
ACC_DIR = ./test/acceptance
BOLD := $(shell tput -T linux bold)
PURPLE := $(shell tput -T linux setaf 5)
GREEN := $(shell tput -T linux setaf 2)
@ -26,39 +22,18 @@ INTEGRATION_CACHE_BUSTER="789bacdf"
BOOTSTRAP_CACHE="789bacdf"
## Build variables
DISTDIR := ./dist
SNAPSHOTDIR := ./snapshot
COMMIT = $(shell git log --format=%H -n 1)
DATE = $(shell date -u +"%Y-%m-%dT%H:%M:%SZ")
DISTDIR=./dist
SNAPSHOTDIR=./snapshot
GITTREESTATE=$(if $(shell git status --porcelain),dirty,clean)
SNAPSHOT_CMD=$(shell realpath $(shell pwd)/$(SNAPSHOTDIR)/syft_linux_amd64/syft)
# Homebrew variables
HOMEBREW_FORMULA_FILE = "$(DISTDIR)/$(BIN).rb"
BREW_DIR = "$(TEMPDIR)/homebrew"
BREW_BIN_DIR = "$(BREW_DIR)/bin"
BREW_CMD = "$(BREW_BIN_DIR)/brew"
ifeq "$(strip $(VERSION_TAG))" ""
override VERSION_TAG = $(shell git describe --always --tags --dirty)
ifeq "$(strip $(VERSION))" ""
override VERSION = $(shell git describe --always --tags --dirty)
endif
# Version variables and functions
is_dirty = $(findstring dirty,$(1))
get_version_from_version_tag = $(shell echo "$(1)" | tr -d 'v')
VERSION = $(call get_version_from_version_tag,$(VERSION_TAG))
major = $(shell echo "$(1)" | cut -d '.' -f 1)
minor = $(shell echo "$(1)" | cut -d '.' -f 2)
patch = $(shell echo "$(1)" | cut -d '.' -f 3)
# used to generate the changelog from the second to last tag to the current tag (used in the release pipeline when the release tag is in place)
LAST_TAG = $(shell git describe --abbrev=0 --tags $(shell git rev-list --tags --max-count=1))
SECOND_TO_LAST_TAG = $(shell git describe --abbrev=0 --tags $(shell git rev-list --tags --skip=1 --max-count=1))
CONTAINER_IMAGE_REPOSITORY := "anchore/$(BIN)"
CONTAINER_IMAGE_TAG_MAJOR := "$(CONTAINER_IMAGE_REPOSITORY):$(call major,$(VERSION))"
CONTAINER_IMAGE_TAG_MINOR := "$(CONTAINER_IMAGE_REPOSITORY):$(call major,$(VERSION)).$(call minor,$(VERSION))"
CONTAINER_IMAGE_TAG_PATCH := "$(CONTAINER_IMAGE_REPOSITORY):$(call major,$(VERSION)).$(call minor,$(VERSION)).$(call patch,$(VERSION))"
CONTAINER_IMAGE_TAG_LATEST := "$(CONTAINER_IMAGE_REPOSITORY):latest"
LAST_TAG := $(shell git describe --abbrev=0 --tags $(shell git rev-list --tags --max-count=1))
SECOND_TO_LAST_TAG := $(shell git describe --abbrev=0 --tags $(shell git rev-list --tags --skip=1 --max-count=1))
## Variable assertions
@ -78,34 +53,14 @@ ifndef DISTDIR
$(error DISTDIR is not set)
endif
ifndef SNAPSHOTDIR
$(error SNAPSHOTDIR is not set)
endif
define title
@printf '$(TITLE)$(1)$(RESET)\n'
endef
define build_binary
GOOS="$1" \
GOARCH="$2" \
CGO_ENABLED=0 \
go build \
-o "./$3/syft_$1_$2/syft" \
-ldflags "-w -s -extldflags '-static' \
-X github.com/anchore/syft/internal/version.version=$(VERSION) \
-X github.com/anchore/syft/internal/version.gitCommit=$(COMMIT) \
-X github.com/anchore/syft/internal/version.buildDate=$(DATE) \
-X github.com/anchore/syft/internal/version.gitTreeState=$(BUILD_GIT_TREE_STATE)"
endef
define build_container_image
tags=( \
"-t $(CONTAINER_IMAGE_TAG_MAJOR)" \
"-t $(CONTAINER_IMAGE_TAG_MINOR)" \
"-t $(CONTAINER_IMAGE_TAG_PATCH)" \
"-t $(CONTAINER_IMAGE_TAG_LATEST)" \
) && \
DOCKER_BUILDKIT=1 docker build --build-arg DIST_DIR=$1 --no-cache $${tags[@]} -f "./Dockerfile" .
# Using buildkit due to https://github.com/moby/moby/issues/37965
endef
## Tasks
.PHONY: all
@ -119,6 +74,14 @@ test: unit validate-cyclonedx-schema integration acceptance-linux ## Run all tes
help:
@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "$(BOLD)$(CYAN)%-25s$(RESET)%s\n", $$1, $$2}'
.PHONY: ci-bootstrap
ci-bootstrap:
DEBIAN_FRONTEND=noninteractive sudo apt update && sudo -E apt install -y bc jq libxml2-utils
.PHONY:
ci-bootstrap-mac:
github_changelog_generator --version || sudo gem install github_changelog_generator
.PHONY: bootstrap
bootstrap: ## Download and install all go dependencies (+ prep tooling in the ./tmp dir)
$(call title,Bootstrapping dependencies)
@ -131,15 +94,7 @@ bootstrap: ## Download and install all go dependencies (+ prep tooling in the ./
# install utilities
[ -f "$(TEMPDIR)/golangci" ] || curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(TEMPDIR)/ v1.26.0
[ -f "$(TEMPDIR)/bouncer" ] || curl -sSfL https://raw.githubusercontent.com/wagoodman/go-bouncer/master/bouncer.sh | sh -s -- -b $(TEMPDIR)/ v0.2.0
[ -f "$(TEMPDIR)/nfpm" ] || curl -sfL curl -sfL https://install.goreleaser.com/github.com/goreleaser/nfpm.sh | sh -s -- -b $(TEMPDIR)/ v2.2.2
[ -f "$(BREW_CMD)" ] || (mkdir -p "$(BREW_DIR)" && curl -L https://github.com/Homebrew/brew/tarball/master | tar -xz --strip 1 -C "$(BREW_DIR)")
.PHONY: bootstrap-ci-linux
bootstrap-ci-linux: bootstrap
DEBIAN_FRONTEND=noninteractive sudo apt update && sudo -E apt install -y bc jq libxml2-utils gettext
.PHONY: bootstrap-ci-mac
bootstrap-ci-mac: bootstrap
[ -f "$(TEMPDIR)/goreleaser" ] || curl -sfL https://install.goreleaser.com/github.com/goreleaser/goreleaser.sh | sh -s -- -b $(TEMPDIR)/ v0.140.0
.PHONY: static-analysis
static-analysis: lint check-licenses
@ -183,8 +138,10 @@ unit: fixtures ## Run unit tests (with coverage)
.PHONY: integration
integration: ## Run integration tests
$(call title,Running integration tests)
go test -v ./test/integration
# note: this is used by CI to determine if the integration test fixture cache (docker image tars) should be busted
integration-fingerprint:
find test/integration/test-fixtures/image-* -type f -exec md5sum {} + | awk '{print $1}' | sort | md5sum | tee test/integration/test-fixtures/cache.fingerprint && echo "$(INTEGRATION_CACHE_BUSTER)" >> test/integration/test-fixtures/cache.fingerprint
@ -207,32 +164,22 @@ generate-json-schema: ## Generate a new json schema
clear-test-cache: ## Delete all test cache (built docker image tars)
find . -type f -wholename "**/test-fixtures/cache/*.tar" -delete
.PHONY: build-linux
build-linux: ## Build binaries for mac
$(call title,Building binaries for linux)
$(call build_binary,linux,amd64,$(DISTDIR))
.PHONY: build
build: $(SNAPSHOTDIR) ## Build release snapshot binaries and packages
.PHONY: build-mac
build-mac: ## Build binaries for mac
$(call title,Building binaries for macOS)
$(call build_binary,darwin,amd64,$(DISTDIR))
$(SNAPSHOTDIR): ## Build snapshot release binaries and packages
$(call title,Building snapshot artifacts)
# create a config with the dist dir overridden
echo "dist: $(SNAPSHOTDIR)" > $(TEMPDIR)/goreleaser.yaml
cat .goreleaser.yaml >> $(TEMPDIR)/goreleaser.yaml
# note: mac packaging is intentionally left out (requires secrets and there is no acceptance test for packaged mac assets)
.PHONY: snapshot
snapshot:
$(call build_binary,linux,amd64,$(SNAPSHOTDIR))
$(call build_binary,darwin,amd64,$(SNAPSHOTDIR))
$(call build_container_image,$(SNAPSHOTDIR))
docker image save $(CONTAINER_IMAGE_TAG_LATEST) -o $(SNAPSHOTDIR)/image.tar
.github/scripts/package-linux.sh \
$(SNAPSHOTDIR) \
$(VERSION) \
$(TEMPDIR)
# build release snapshots
BUILD_GIT_TREE_STATE=$(GITTREESTATE) \
$(TEMPDIR)/goreleaser release --skip-publish --rm-dist --snapshot --config $(TEMPDIR)/goreleaser.yaml
# note: we cannot clean the snapshot directory since the pipeline builds the snapshot separately
.PHONY: acceptance-mac
acceptance-mac: ## Run acceptance tests on built binaries (Mac)
acceptance-mac: $(SNAPSHOTDIR) ## Run acceptance tests on build snapshot binaries and packages (Mac)
$(call title,Running acceptance test: Run on Mac)
$(ACC_DIR)/mac.sh \
$(SNAPSHOTDIR) \
@ -240,11 +187,26 @@ acceptance-mac: ## Run acceptance tests on built binaries (Mac)
$(ACC_TEST_IMAGE) \
$(RESULTSDIR)
# note: we cannot clean the snapshot directory since the pipeline builds the snapshot separately
.PHONY: acceptance-linux
acceptance-linux: acceptance-test-deb-package-install acceptance-test-rpm-package-install ## Run acceptance tests on built binaries and packages (Linux)
acceptance-linux: acceptance-test-deb-package-install acceptance-test-rpm-package-install ## Run acceptance tests on build snapshot binaries and packages (Linux)
# note: this is used by CI to determine if the inline-scan report cache should be busted for the inline-compare tests
.PHONY: compare-fingerprint
compare-fingerprint:
find test/inline-compare/* -type f -exec md5sum {} + | grep -v '\-reports' | grep -v 'fingerprint' | awk '{print $1}' | sort | md5sum | tee test/inline-compare/inline-compare.fingerprint && echo "$(COMPARE_CACHE_BUSTER)" >> test/inline-compare/inline-compare.fingerprint
.PHONY: compare-snapshot
compare-snapshot: $(SNAPSHOTDIR) ## Compare the reports of a run of a snapshot build of syft against inline-scan
chmod 755 $(SNAPSHOT_CMD)
@cd test/inline-compare && SYFT_CMD=$(SNAPSHOT_CMD) make
.PHONY: compare
compare: ## Compare the reports of a run of a main-branch build of syft against inline-scan
@cd test/inline-compare && make
.PHONY: acceptance-test-deb-package-install
acceptance-test-deb-package-install:
acceptance-test-deb-package-install: $(SNAPSHOTDIR)
$(call title,Running acceptance test: DEB install)
$(ACC_DIR)/deb.sh \
$(SNAPSHOTDIR) \
@ -253,7 +215,7 @@ acceptance-test-deb-package-install:
$(RESULTSDIR)
.PHONY: acceptance-test-rpm-package-install
acceptance-test-rpm-package-install:
acceptance-test-rpm-package-install: $(SNAPSHOTDIR)
$(call title,Running acceptance test: RPM install)
$(ACC_DIR)/rpm.sh \
$(SNAPSHOTDIR) \
@ -261,56 +223,11 @@ acceptance-test-rpm-package-install:
$(ACC_TEST_IMAGE) \
$(RESULTSDIR)
# note: this is used by CI to determine if the inline-scan report cache should be busted for the inline-compare tests
.PHONY: compare-fingerprint
compare-fingerprint:
find test/inline-compare/* -type f -exec md5sum {} + | grep -v '\-reports' | grep -v 'fingerprint' | awk '{print $1}' | sort | md5sum | tee test/inline-compare/inline-compare.fingerprint && echo "$(COMPARE_CACHE_BUSTER)" >> test/inline-compare/inline-compare.fingerprint
.PHONY: compare-snapshot
compare-snapshot: ## Compare the reports of a run of a snapshot build of syft against inline-scan
chmod 755 $(SNAPSHOT_CMD)
@cd test/inline-compare && SYFT_CMD=$(SNAPSHOT_CMD) make
.PHONY: compare
compare: ## Compare the reports of a run of a main-branch build of syft against inline-scan
cd test/inline-compare && make
.PHONY: setup-macos-signing
setup-macos-signing: ## Prepare for macOS-specific signing process
$(call title,Preparing macOS environment for code signing)
.github/scripts/mac-prepare-for-signing.sh
.PHONY: package-mac
package-mac: setup-macos-signing bootstrap-ci-mac ## Create signed and notarized release assets for macOS
$(call title,Creating packaging for macOS -- signed and notarized)
# Create signed and notarized assets
gon "./gon.hcl"
# Update asset names. This won't be necessary once Gon supports variable injection.
@ORIGINAL_NAME="$(DISTDIR)/output" && NEW_NAME="$(DISTDIR)/syft_$(VERSION)_darwin_amd64" && \
mv -v "$${ORIGINAL_NAME}.dmg" "$${NEW_NAME}.dmg" && \
mv -v "$${ORIGINAL_NAME}.zip" "$${NEW_NAME}.zip"
.PHONY: package-linux
package-linux:
$(call title,Creating packaging for Linux)
.github/scripts/package-linux.sh \
$(DISTDIR) \
$(VERSION) \
$(TEMPDIR)
.PHONY: package
package: package-mac package-linux
.PHONY: changlog-release
.SILIENT: changelog-release
changelog-release:
echo "Last tag: $(SECOND_TO_LAST_TAG)"
echo "Current tag: $(VERSION_TAG)"
docker run --rm \
-v "$(shell pwd)":/usr/local/src/your-app \
ferrarimarco/github-changelog-generator \
@echo "Last tag: $(SECOND_TO_LAST_TAG)"
@echo "Current tag: $(VERSION)"
@github_changelog_generator \
--user anchore \
--project $(BIN) \
-t ${GITHUB_TOKEN} \
@ -319,13 +236,12 @@ changelog-release:
--no-issues-wo-labels \
--since-tag $(SECOND_TO_LAST_TAG)
printf '\n$(BOLD)$(CYAN)Release $(VERSION_TAG) Changelog$(RESET)\n\n'
cat CHANGELOG.md
@printf '\n$(BOLD)$(CYAN)Release $(VERSION) Changelog$(RESET)\n\n'
@cat CHANGELOG.md
.PHONY: changelog-unreleased
.SILENCE: changelog-unreleased
changelog-unreleased: ## show the current changelog that will be produced on the next release (note: requires GITHUB_TOKEN set)
docker run -it --rm \
@docker run -it --rm \
-v "$(shell pwd)":/usr/local/src/your-app \
ferrarimarco/github-changelog-generator \
--user anchore \
@ -334,104 +250,48 @@ changelog-unreleased: ## show the current changelog that will be produced on the
--exclude-labels 'duplicate,question,invalid,wontfix,size:small,size:medium,size:large,size:x-large' \
--since-tag $(LAST_TAG)
printf '\n$(BOLD)$(CYAN)Unreleased Changes (closed PRs and issues will not be in the final changelog)$(RESET)\n'
@printf '\n$(BOLD)$(CYAN)Unreleased Changes (closed PRs and issues will not be in the final changelog)$(RESET)\n'
docker run -it --rm \
@docker run -it --rm \
-v $(shell pwd)/CHANGELOG.md:/CHANGELOG.md \
rawkode/mdv \
-t 748.5989 \
/CHANGELOG.md
.PHONY: homebrew-formula-generate
.SILENT: homebrew-formula-generate
homebrew-formula-generate:
$(call title,Generating homebrew formula)
.github/scripts/homebrew-formula-generate.sh \
"$(VERSION_TAG)" \
"$(HOMEBREW_FORMULA_FILE)"
.PHONY: release
release: clean-dist ci-bootstrap-mac changelog-release ## Build and publish final binaries and packages. Intended to be run only on macOS.
$(call title,Publishing release artifacts)
.PHONY: homebrew-formula-test
.SILENT: homebrew-formula-test
homebrew-formula-test: bootstrap
$(call title,Testing homebrew formula)
# Prepare for macOS-specific signing process
.github/scripts/mac-prepare-for-signing.sh
echo "Cleaning up any versions of $(BIN) previously installed by $(BREW_CMD)"
$(BREW_CMD) uninstall --force "$(HOMEBREW_FORMULA_FILE)"
# create a config with the dist dir overridden
echo "dist: $(DISTDIR)" > $(TEMPDIR)/goreleaser.yaml
cat .goreleaser.yaml >> $(TEMPDIR)/goreleaser.yaml
echo "Testing homebrew installation using formula"
$(BREW_CMD) install --formula "$(HOMEBREW_FORMULA_FILE)"
# release (note the version transformation from v0.7.0 --> 0.7.0)
bash -c "\
BUILD_GIT_TREE_STATE=$(GITTREESTATE) \
VERSION=$(VERSION:v%=%) \
$(TEMPDIR)/goreleaser \
--rm-dist \
--config $(TEMPDIR)/goreleaser.yaml \
--release-notes <(cat CHANGELOG.md)"
INSTALLED_BIN="$(BREW_BIN_DIR)/$(BIN)" && \
echo "Now running '$${INSTALLED_BIN} version':" && \
"$${INSTALLED_BIN}" version
.PHONY: homebrew-formula-publish
.SILENT: homebrew-formula-publish
homebrew-formula-publish:
$(call title,Publishing homebrew formula)
FORMULA_FILE="$$(realpath $(HOMEBREW_FORMULA_FILE))" && \
\
pushd "$(TEMPDIR)" && \
rm -rfv "./homebrew-syft" && \
gh repo clone anchore/homebrew-syft && \
\
pushd "homebrew-syft" && \
cp -vf "$${FORMULA_FILE}" "./$(BIN).rb" && \
git commit -am "Brew formula update for $(BIN) version $(VERSION_TAG)" && \
git push && \
popd && \
popd
.PHONY: version-check-update
.SILENT: version-check-update
version-check-update:
$(call title,Updating version check)
# verify checksum signatures
.github/scripts/verify-signature.sh "$(DISTDIR)"
# upload the version file that supports the application version update check (excluding pre-releases)
.github/scripts/update-version-file.sh "$(DISTDIR)" "$(VERSION_TAG)"
.PHONY: stage-released-linux-artifact
stage-released-linux-artifact:
mkdir -p ./$(DISTDIR)/syft_linux_amd64
curl -L -o ./$(DISTDIR)/syft.tar.gz https://github.com/anchore/syft/releases/download/$(VERSION_TAG)/syft_$(VERSION)_linux_amd64.tar.gz
tar -C ./$(DISTDIR)/syft_linux_amd64 -xvf ./$(DISTDIR)/syft.tar.gz syft
.PHONY: container-image-build
.SILENT: container-image-build
container-image-build:
$(call title,Building and tagging container image for $(BIN))
$(call build_container_image,$(DISTDIR))
.PHONY: container-image-test
.SILENT: container-image-test
container-image-smoke-test:
$(call title,Smoke testing container image)
docker run --pull never --rm "$(CONTAINER_IMAGE_TAG_LATEST)" version
.PHONY: container-image-push
.SILENT: container-image-push
container-image-push:
$(call title,Pushing container image tags)
tags=( \
"$(CONTAINER_IMAGE_TAG_MAJOR)" \
"$(CONTAINER_IMAGE_TAG_MINOR)" \
"$(CONTAINER_IMAGE_TAG_PATCH)" \
"$(CONTAINER_IMAGE_TAG_LATEST)" \
) && \
for tag in $${tags[@]}; do \
docker push "$${tag}"; \
done
.github/scripts/update-version-file.sh "$(DISTDIR)" "$(VERSION)"
.PHONY: clean
clean: clean-dist clean-snapshot ## Remove previous builds and result reports
rm -rf $(RESULTSDIR)/*
.PHONY: clean-dist
clean-dist:
rm -rf $(DISTDIR) $(TEMPDIR)/goreleaser.yaml
.PHONY: clean-snapshot
clean-snapshot:
rm -rf $(SNAPSHOTDIR) $(TEMPDIR)/goreleaser.yaml
.PHONY: clean-dist
clean-dist:
rm -rf $(DISTDIR) $(TEMPDIR)/goreleaser.yaml


@ -44,7 +44,7 @@ for each release.
This project auto-generates the Changelog contents for each current release and posts the
generated contents to the GitHub Release page. Leveraging the GitHub Releases feature
allows GitHub to manage the Changelog on each release outside the git repository while
allows GitHub to manage the Changelog on each release outside of the git repository while
still being hosted with the released assets.
The Changelog is generated from the metadata from in-repository issues and PRs, using
@ -89,13 +89,11 @@ This release process itself should be as automated as possible, and have only a
milestone with a partial version, the full version should be used for the git tag (e.g.
with a Milestone of `v0.1` the tag should be `v0.1.0`).
1. Push the tag.
1. Push the tag, the release pipeline will generate and publish all assets as well as a
draft GitHub Release.
1. A release admin must approve the release on the Github Actions release pipeline run page.
Once approved, the release pipeline will generate all assets and draft a GitHub Release.
1. Navigate to the Github Release draft page to review the final changelog and publish the
release. Once published, a release-follow-up pipeline will publish derivative artifacts
(docker image to DockerHub, brew formula to the external homebrew git repo, etc).
1. Promote the GitHub Release from draft to public. Note: since extra assets are made
available immediately from previous steps (i.e. the brew formula) the release should
only be in this state for a small amount of time (minutes).
1. If there is a release Milestone, close it.


@ -1,4 +1,4 @@
source = ["./dist/syft_darwin_amd64/syft"] # The 'dist' directory path should ideally reference an env var, where the source of truth is the Makefile. I wasn't able to figure out how to solve this.
source = ["./dist/syft-macos_darwin_amd64/syft"] # The 'dist' directory path should ideally reference an env var, where the source of truth is the Makefile. I wasn't able to figure out how to solve this.
bundle_id = "com.anchore.toolbox.syft"
sign {


@ -7,23 +7,19 @@ ACC_DIR=$2
TEST_IMAGE=$3
RESULTSDIR=$4
TEST_IMAGE_TAR=/tmp/image.tar
TEST_TYPE=mac
WORK_DIR=$(mktemp -d -t "syft-acceptance-test-${TEST_TYPE}-XXXXXX")
TEST_IMAGE_TAR=${WORK_DIR}/image.tar
NORMAL_TEST_IMAGE=$(echo "${TEST_IMAGE}" | tr ':' '-' )
WORK_DIR=`mktemp -d -t "syft-acceptance-test-${TEST_TYPE}-XXXXXX"`
NORMAL_TEST_IMAGE=$(echo ${TEST_IMAGE} | tr ':' '-' )
REPORT=${WORK_DIR}/acceptance-${TEST_TYPE}-${NORMAL_TEST_IMAGE}.json
GOLDEN_REPORT=${ACC_DIR}/test-fixtures/acceptance-${NORMAL_TEST_IMAGE}.json
SYFT_PATH="${DISTDIR}/syft_darwin_amd64/syft"
# check if tmp dir was created
if [[ ! "${WORK_DIR}" || ! -d "${WORK_DIR}" ]]; then
echo "Could not create temp dir"
exit 1
fi
trap "rm -f ${WORK_DIR}/*; rmdir ${WORK_DIR};" EXIT
function cleanup {
# we should still preserve previous failures
exit_code=$?
@ -37,19 +33,20 @@ trap cleanup EXIT
skopeo --version || brew install skopeo
# fetch test image
skopeo --override-os linux --insecure-policy copy "docker://docker.io/${TEST_IMAGE}" "docker-archive:${TEST_IMAGE_TAR}"
ls -alh "${TEST_IMAGE_TAR}"
skopeo --override-os linux copy docker://docker.io/${TEST_IMAGE} docker-archive:${TEST_IMAGE_TAR}
ls -alh ${TEST_IMAGE_TAR}
# run syft
SYFT_PATH="${DISTDIR}/syft-macos_darwin_amd64/syft"
chmod 755 "${SYFT_PATH}"
"${SYFT_PATH}" version
SYFT_CHECK_FOR_APP_UPDATE=0 "${SYFT_PATH}" "docker-archive://${TEST_IMAGE_TAR}" -vv -o json > "${REPORT}"
SYFT_CHECK_FOR_APP_UPDATE=0 "${SYFT_PATH}" docker-archive://${TEST_IMAGE_TAR} -vv -o json > "${REPORT}"
# keep the generated report around
mkdir -p "${RESULTSDIR}"
cp "${REPORT}" "${RESULTSDIR}"
mkdir -p ${RESULTSDIR}
cp ${REPORT} ${RESULTSDIR}
# compare the results to a known good output
${ACC_DIR}/compare.py \
"${GOLDEN_REPORT}" \
"${REPORT}" | tee "${RESULTSDIR}/acceptance-${TEST_TYPE}.txt"
${GOLDEN_REPORT} \
${REPORT} | tee ${RESULTSDIR}/acceptance-${TEST_TYPE}.txt
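Review bot: The lines this section restores drop the double quotes around `${TEST_IMAGE_TAR}`, `${REPORT}`, `${RESULTSDIR}` and `${GOLDEN_REPORT}` (the `skopeo copy` and `ls` pair, the `docker-archive://` argument, the `mkdir`/`cp` pair and the two `compare.py` arguments at the end), so a value containing whitespace or glob characters word-splits before it reaches the command; reverting the pipeline change does not require undoing that hardening, and keeping `skopeo --override-os linux copy "docker://docker.io/${TEST_IMAGE}" "docker-archive:${TEST_IMAGE_TAR}"`, `cp "${REPORT}" "${RESULTSDIR}"` and the quoted `compare.py` arguments behaves identically when the values are plain. The same goes for the backtick form `WORK_DIR=\`mktemp -d ...\`` earlier in the file, which `$(mktemp -d -t "...")` replaces one for one. In the first hunk, if `TEST_IMAGE_TAR=/tmp/image.tar` is the line that survives (the side assignment there is inferred from the print order and the direction of the revert), the image archive is written to a fixed, predictable name in a shared directory instead of inside the `mktemp -d` work directory, and it presumably is not removed by `cleanup`, whose body lies outside the hunk and appears to handle only `WORK_DIR`; `TEST_IMAGE_TAR=${WORK_DIR}/image.tar`, assigned after `WORK_DIR`, keeps the archive private to the run and cleaned up with it. `NORMAL_TEST_IMAGE=$(echo ${TEST_IMAGE} | tr ':' '-' )` also passes an unquoted positional parameter through `echo`; `printf '%s' "${TEST_IMAGE}" | tr ':' '-'` avoids both the word-splitting and echo's option handling.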