Merge pull request #1538 from GoogleContainerTools/image_diff_pipe

ci: implement image diff pipeline

.github/workflows/buildifier.yaml

@@ -2,31 +2,28 @@ name: Buildifier
 
 on:
   pull_request:
-    branches: [ 'main' ]
+    branches: ["main"]
 
 permissions:
   contents: read
 
 jobs:
-
   autoformat:
     name: Auto-format and Check
     runs-on: ubuntu-latest
 
     steps:
-      - name: Set up Go 1.15.x
+      - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: 1.15.x
-        id: go
+          go-version: "1.21"
 
       - name: Check out code
         uses: actions/checkout@v4
 
       - name: Install Dependencies
         run: |
-          cd $(mktemp -d)
-          GO111MODULE=on go get github.com/bazelbuild/buildtools/[email protected]
+          go install github.com/bazelbuild/buildtools/[email protected]
 
       - name: Run buildifier
         shell: bash

.github/workflows/image-check.yaml

@@ -0,0 +1,97 @@
+name: Image Check
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches: ["main"]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  diff:
+    runs-on: distroless-ci-large-ubuntu-20.04 # custom runner most compatible with debian 11
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.21"
+      - uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cache/bazel-repo
+          key: bazel-cache-deps-ci2-${{ github.sha }}
+          restore-keys: |
+            bazel-cache-deps-ci2-${{ github.sha }}
+            bazel-cache-deps-ci2-
+
+      - name: Build all images
+        run: bazel build //:sign_and_push
+
+      - name: Install Deps
+        run: |
+          go install github.com/google/go-containerregistry/cmd/crane@main
+          go install github.com/reproducible-containers/diffoci/cmd/diffoci@master
+          go install filippo.io/mkcert@master
+          sudo curl -fsSL "https://github.com/project-zot/zot/releases/download/v2.0.2-rc2/zot-linux-amd64-minimal" > /usr/local/bin/zot
+          sudo chmod +x /usr/local/bin/zot
+
+      - name: Diff All Images
+        id: diff
+        run: |
+          ./private/tools/diff.bash \
+            --query-bazel --registry-spawn-https \
+            --head-ref ${{ github.head_ref }} \
+            --base-ref ${{ github.event.pull_request.base.ref }} \
+            --set-github-output-on-diff \
+            --skip-image-index \
+            --jobs $(($(nproc --all) * 2)) \
+            --logs ./verbose.log \
+            --report ./report.log
+
+      - uses: actions/upload-artifact@v4
+        id: report
+        with:
+          name: "Report"
+          path: |
+            ./verbose.log
+            ./report.log
+
+      - uses: peter-evans/find-comment@v3
+        id: fc
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          comment-author: "github-actions[bot]"
+          body-includes: 🌳 🔄 Image Check
+
+      - name: Report diff
+        if: ${{ steps.diff.outputs.changed_targets }}
+        uses: peter-evans/create-or-update-comment@v4
+        with:
+          comment-id: ${{ steps.fc.outputs.comment-id }}
+          issue-number: ${{ github.event.pull_request.number }}
+          body: |
+            🌳 🔄 Image Check
+
+            This pull request has modified the following images:
+
+            ```starlark
+            ${{steps.diff.outputs.changed_targets}}
+            ```
+
+            You can check the details in the report [here](${{steps.report.outputs.artifact-url}})
+          edit-mode: replace
+
+      - name: Report no diff
+        if: ${{ !steps.diff.outputs.changed_targets }}
+        uses: peter-evans/create-or-update-comment@v4
+        with:
+          comment-id: ${{ steps.fc.outputs.comment-id }}
+          issue-number: ${{ github.event.pull_request.number }}
+          body: |
+            🌳 🔄 Image Check
+            This pull request doesn't make any changes to the images. 👍
+            You can check the details in the report [here](${{steps.report.outputs.artifact-url}})
+          edit-mode: replace

private/oci/sign_and_push.bzl

@@ -1,5 +1,8 @@
-load("@rules_oci//oci:defs.bzl", "oci_push")
+"rules for signing, attesting and pushing images"
+
+load("@bazel_skylib//rules:write_file.bzl", "write_file")
 load("@rules_oci//cosign:defs.bzl", "cosign_attest", "cosign_sign")
+load("@rules_oci//oci:defs.bzl", "oci_push")
 load("//private/pkg:oci_image_spdx.bzl", "oci_image_spdx")
 
 PUSH_AND_SIGN_CMD = """\
@@ -69,6 +72,7 @@ def sign_and_push_all(name, images):
         images: a dict where keys are fully qualified image url and values are image labels
     """
     image_dict = dict()
+    query_dict = dict()
     for (idx, (url, image)) in enumerate(images.items()):
         oci_push(
             name = "{}_{}_push".format(name, idx),
@@ -101,6 +105,21 @@ def sign_and_push_all(name, images):
         )
 
         image_dict[":{}_{}".format(name, idx)] = url
+        query_dict[image] = url.split(":") + [":{}_{}_push".format(name, idx)]
+
+    write_file(
+        name = name + ".query",
+        content = [
+            "{repo} {tag} {push_label} {image_label}".format(
+                repo = ref[0],
+                tag = ref[1],
+                push_label = ref[2],
+                image_label = image,
+            )
+            for (image, ref) in query_dict.items()
+        ],
+        out = name + "_query",
+    )
 
     sign_and_push(
         name = name,

private/tools/BUILD.bazel

@@ -0,0 +1,15 @@
+sh_binary(
+    name = "diff",
+    srcs = ["diff.bash"],
+    args = [
+        "--head-ref",
+        "test",
+        "--base-ref",
+        "test",
+        "--report",
+        "./report.log",
+        "--query-bazel",
+        "--registry-spawn-https",
+        "--cd-into-workspace",
+    ],
+)