anselmes · sanselme · Oct 9, 2024 · Jul 11, 2024 · Jul 11, 2024 · Jul 11, 2024
@@ -1,15 +1,8 @@
-// For format details, see https://aka.ms/devcontainer.json. For config options, see the
-// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu
 {
   "name": "DevOS",
-  // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
-  // "image": "mcr.microsoft.com/devcontainers/base:dev-ubuntu",
-  // "build": {"dockerfile": "${localWorkspaceFolder}/build/package/Dockerfile"},
-  "dockerComposeFile": [
-    "${localWorkspaceFolder}/compose-dev.yaml"
-  ],
+  "dockerComposeFile": ["${localWorkspaceFolder}/compose-dev.yaml"],
   "service": "devos",
-  "workspaceFolder": "/workspace",
-  // Use 'postCreateCommand' to run commands after the container is created.
-  "postCreateCommand": "${containerWorkspaceFolder}/scripts/setup-devcontainer.sh"
+  "workspaceFolder": "/home/devos/workspace",
+  "postCreateCommand": "${containerWorkspaceFolder}/scripts/config-devos.sh",
+  "remoteUser": "devos"
 }
@@ -0,0 +1,89 @@
+name: Build Workflow
+description: Workflow for building images
+
+inputs:
+  build-container-image:
+    default: "false"
+    description: Build container images
+  container-image-build-args:
+    description: Container image build args
+  container-image-context:
+    default: .
+    description: Container image context
+  container-image-custom-tag:
+    description: Container image custom tag
+  container-image-file:
+    description: Container image file
+  container-image-name:
+    description: Container image name
+  container-image-platforms:
+    default: linux/amd64,linux/arm64
+    description: Container image platforms
+  container-image-repo-password:
+    description: Container image repository password
+  container-image-repo-username:
+    description: Container image repository username
+  container-image-repo:
+    default: ghcr.io
+    description: Container image repository
+  push-container-image:
+    default: "false"
+    description: Push container images
+
+runs:
+  using: composite
+  steps:
+    # todo: setup cosign
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 https://github.com/docker/setup-qemu-action/commit/49b3bc8e6bdd4a60e6116a5414239cba5943d3cf
+      if: ${{ inputs.build-container-image == 'true' }}
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 https://github.com/docker/setup-buildx-action/commit/988b5a0280414f521da01fcc63a27aeeb4b104db
+      if: ${{ inputs.build-container-image == 'true' }}
+    - name: Extract metadata (tags, labels) for Docker
+      id: meta
+      uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 https://github.com/docker/metadata-action/commit/8e5442c4ef9f78752691e2d8f8d19755c6f78e81
+      if: ${{ inputs.build-container-image == 'true' }}
+      with:
+        # images: ${{ inputs.container-image-repo }}/${{ inputs.container-image-repo-username }}/${{ inputs.container-image-name }}
+        images: ghcr.io/sanselme/devcontainer
+        labels: |
+          org.opencontainers.image.title=${{ inputs.container-image-name }}
+        tags: |
+          type=ref,event=branch
+          type=ref,event=pr
+          type=semver,pattern={{major}}
+          type=semver,pattern={{major}}.{{minor}}
+          type=semver,pattern={{version}}
+    - name: Login to Container Registry
+      uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 https://github.com/docker/login-action/commit/9780b0c442fbb1117ed29e0efdff1e18412f7567
+      if: ${{ inputs.build-container-image == 'true' && inputs.push-container-image == 'true' }}
+      with:
+        registry: ${{ inputs.container-image-repo }}
+        username: ${{ github.repository_owner }}
+        password: ${{ inputs.container-image-repo-password }}
+    - name: Build and push
+      id: build
+      uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 https://github.com/docker/build-push-action/commit/5cd11c3a4ced054e52742c5fd54dca954e0edd85
+      if: ${{ inputs.build-container-image == 'true' }}
+      with:
+        context: ${{ inputs.container-image-context }}
+        file: ${{ inputs.container-image-file }}
+        push: ${{ inputs.push-container-image }}
+        sbom: true
+        annotations: ${{ steps.meta.outputs.labels }}
+        build-args: ${{ inputs.container-image-build-args }}
+        labels: ${{ steps.meta.outputs.labels }}
+        provenance: true
+        tags: ${{ steps.meta.outputs.tags }} # todo: ,${{ inputs.container-image-repo }}/${{ inputs.container-image-repo-username }}/${{ inputs.container-image-custom-tag }}
+        platforms: ${{ inputs.container-image-platforms }}
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
+    - name: Attest Build Provenance
+      uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3 https://github.com/actions/attest-build-provenance/commit/1c608d11d69870c2092266b3f9a6f3abbf17002c
+      if: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }}
+      with:
+        subject-name: ${{ steps.build.outputs.metadata.image.name }} #${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+        push-to-registry: true
+        subject-digest: ${{ steps.build.outputs.digest }}
+        subject-path: ${{ inputs.container-image-file }}
@@ -13,3 +13,9 @@ updates:
       - /.devcontainer
     schedule:
       interval: monthly
+  # Maintain dependencies for Container Images
+  - package-ecosystem: docker
+    directories:
+      - /build/img
+    schedule:
+      interval: weekly
@@ -1,4 +1,4 @@
-name: Bot
+name: Bot Workflow
 
 on:
   - workflow_call

@@ -0,0 +1,37 @@
+name: Build Pipeline
+
+on:
+  push:
+    paths:
+      - build/img/**
+      - build/scripts/init-devos.sh
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+permissions: read-all
+
+jobs:
+  container:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7  https://github.com/actions/checkout/commit/692973e3d937129bcbf40652eb9f2f61becf3332
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - name: Build Container
+        uses: ./.github/actions/build
+        with:
+          build-container-image: true
+          container-image-file: build/img/Dockerfile
+          container-image-name: devos
+          container-image-platforms: linux/amd64,linux/arm64,linux/riscv64
+          container-image-repo-password: ${{ secrets.GHCR_TOKEN }}
+          container-image-repo-username: ${{ github.repository_owner }}
+          push-container-image: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }}
@@ -11,21 +11,21 @@ permissions: read-all
 
 jobs:
   bot:
-    uses: ./.github/workflows/ondemand/bot.yml
+    uses: ./.github/workflows/bot.yml
     permissions:
       issues: write
       pull-requests: write
       repository-projects: write
 
   sonarqube:
-    uses: ./.github/workflows/gate/sonarqube.yml
+    uses: ./.github/workflows/sonarqube.yml
   trivy:
-    uses: ./.github/workflows/gate/trivy.yml
-  devos:
-    uses: ./.github/workflows/gate/devos.yml
+    uses: ./.github/workflows/trivy.yml
+  # devos:
+  #   uses: ./.github/workflows/devos.yml
 
   scorecard:
-    uses: ./.github/workflows/ondemand/scorecard.yml
+    uses: ./.github/workflows/scorecard.yml
     permissions:
       contents: write
       id-token: write

@@ -1,4 +1,4 @@
-name: Cleanup
+name: Cleanup OnDemand
 
 on:
   pull_request:

@@ -1,14 +1,16 @@
-name: DevOS
+name: DevOS Gate
 
 on:
   - workflow_call
 
 permissions: read-all
 
 jobs:
-  airskiff:
+  devos:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - run: hack/run
+      # - run: |
+      #     cd hack
+      #     ./run
@@ -36,10 +36,10 @@ jobs:
           VALIDATE_DOCKERFILE_HADOLINT: false # fixme: superlinter not using .hadolint.yaml
           VALIDATE_KUBERNETES_KUBECONFORM: false # fixme: enable kubeconform
           VALIDATE_YAML_PRETTIER: false # fixme: ignore symlink
-      - name: Trunk Check
-        uses: trunk-io/trunk-action@86b68ffae610a05105e90b1f52ad8c549ef482c2 # v1.1.16 https://github.com/trunk-io/trunk-action/commit/86b68ffae610a05105e90b1f52ad8c549ef482c2
-        with:
-          post-annotations: true
+      # - name: Trunk Check
+      #   uses: trunk-io/trunk-action@86b68ffae610a05105e90b1f52ad8c549ef482c2 # v1.1.16 https://github.com/trunk-io/trunk-action/commit/86b68ffae610a05105e90b1f52ad8c549ef482c2
+      #   with:
+      #     post-annotations: true
 
   scanning:
     runs-on: ubuntu-latest
@@ -49,14 +49,14 @@ jobs:
         with:
           fetch-depth: 0
           persist-credentials: false
-      - name: GitGuardian Scan
-        uses: GitGuardian/ggshield-action@ed817b2930f8dbf32995b6d8bbf65499e6a4e3be # v1.31.0 https://github.com/GitGuardian/ggshield-action/commit/ed817b2930f8dbf32995b6d8bbf65499e6a4e3be
-        env:
-          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
-          GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
-          GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
-          GITHUB_PUSH_BASE_SHA: ${{ github.event.before }}
-          GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
+      # - name: GitGuardian Scan
+      #   uses: GitGuardian/ggshield-action@ed817b2930f8dbf32995b6d8bbf65499e6a4e3be # v1.31.0 https://github.com/GitGuardian/ggshield-action/commit/ed817b2930f8dbf32995b6d8bbf65499e6a4e3be
+      #   env:
+      #     GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
+      #     GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+      #     GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
+      #     GITHUB_PUSH_BASE_SHA: ${{ github.event.before }}
+      #     GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
       # - name: SonarQube Scan
       #   uses: sonarsource/sonarqube-scan-action@aecaf43ae57e412bd97d70ef9ce6076e672fe0a9 # v3.0.0 https://github.com/SonarSource/sonarqube-scan-action/commit/aecaf43ae57e412bd97d70ef9ce6076e672fe0a9
       #   env:
@@ -83,11 +83,11 @@ jobs:
         uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4 https://github.com/actions/dependency-review-action/commit/5a2ce3f5b92ee19cbb1541a4984c76d921601d7c
         with:
           allow-ghsas: none
-          allow-licenses: Apache-2.0,BSD-2-Clause,BSD-3-Clause,CC0-1.0,GPL-2.0,GPL-3.0,ISC,MIT
-          deny-packages: empty
+          allow-licenses: Apache-2.0,BSD-2-Clause,BSD-3-Clause,CC0-1.0,GPL-2.0,GPL-3.0,ISC,MIT,LGPL-3.0
+          # deny-packages: empty
           fail-on-severity: low
-          retry-on-snapshot-warnings-timeout: 120
-          retry-on-snapshot-warnings: true
+          # retry-on-snapshot-warnings-timeout: 120
+          # retry-on-snapshot-warnings: true
 
   assign:
     runs-on: ubuntu-latest

@@ -16,6 +16,6 @@ jobs:
           persist-credentials: false
       - name: Trivy Scan
         uses: ./.github/actions/trivy
-        # with:
-        #   generate-sbom: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }}
-        #   upload-scan-result: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }}
+        with:
+          generate-sbom: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }}
+          upload-scan-result: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }}
@@ -6,3 +6,4 @@
 plugins
 user_trunk.yaml
 user.yaml
+tmp
@@ -19,18 +19,18 @@ runtimes:
 lint:
   enabled:
     - [email protected]
-    - [email protected].0
+    - [email protected].1
     - [email protected]
-    - trivy@0.55.2
+    - trivy@0.56.1
     - [email protected]
-    - [email protected].256
+    - [email protected].257
     - git-diff-check
     - [email protected]
     - [email protected]
     - [email protected]
     - [email protected]
     - [email protected]
-    - [email protected].6
+    - [email protected].7
     - [email protected]
 actions:
   disabled:

@@ -1,20 +1,17 @@
-# DevOS
+# devOS
 
 ---
 
 [![OpenSSF Scorecard][ossf-score-badge]][ossf-score-link]
 [![Contiuos Integration][ci-badge]][ci-link]
 [![Review][review-badge]][review-link]
-[![Releases][releases-badge]][releases-link]
 
 [ossf-score-badge]: https://api.securityscorecards.dev/projects/github.com/anselmes/devos/badge
 [ossf-score-link]: https://securityscorecards.dev/viewer/?uri=github.com/anselmes/devos
 [ci-badge]: https://github.com/anselmes/devos/actions/workflows/cicd.yml/badge.svg
 [ci-link]: https://github.com/anselmes/devos/actions/workflows/cicd.yml
 [review-badge]: https://github.com/anselmes/devos/actions/workflows/review.yml/badge.svg
 [review-link]: https://github.com/anselmes/devos/actions/workflows/review.yml
-[releases-badge]: https://github.com/anselmes/devos/actions/workflows/release.yml/badge.svg
-[releases-link]: https://github.com/anselmes/devos/actions/workflows/release.yml
 
 ---
 

@@ -0,0 +1,37 @@
+FROM ubuntu:24.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+ENV X11VNC_SKIP_DISPLAY==""
+
+COPY config/systemd/journal-to-tty.service /lib/systemd/system/journal-to-tty.service
+RUN apt-get update -y && \
+  apt-get install --no-install-recommends -y \
+  ca-certificates \
+  cron \
+  curl \
+  dbus \
+  file \
+  iproute2 \
+  libvirt-daemon \
+  libvirt-daemon-system \
+  openssl \
+  software-properties-common \
+  ssh \
+  systemd && \
+  apt-get clean && \
+  rm -rf /var/lib/apt/lists/*
+
+# todo: checksum downloaded binaries
+# COPY scripts/init-devos.sh /tmp/init-devos.sh
+# COPY scripts/install-docker.sh /tmp/install-docker.sh
+# RUN chmod +x \
+#   /tmp/init-devos.sh \
+#   /tmp/install-docker.sh && \
+#   /tmp/init-devos.sh && \
+#   echo "devos ALL=(ALL) NOPASSWD: ALL" >/etc/sudoers.d/devos && \
+#   systemctl enable journal-to-tty.service && \
+#   useradd -m devos
+
+CMD ["/sbin/init"]
+USER devos
+HEALTHCHECK NONE
-Original file line number
+Diff line change
@@ Expand Up / @@ -6,3 +6,4 @@ @@
     plugins
     user_trunk.yaml
     user.yaml
+    tmp