Fix container validation script to use --entrypoint #16
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Publish Container | |
| on: | |
| push: | |
| tags: | |
| # Match SemVer tags without 'v' prefix (e.g., 1.0.0, 2.1.3) | |
| - '[0-9]+.[0-9]+.[0-9]+' | |
| # Allow manual triggering for testing | |
| workflow_dispatch: | |
| inputs: | |
| version: | |
| description: 'Version to use for tagging (for testing only)' | |
| required: true | |
| default: 'test' | |
| jobs: | |
| build-and-publish: | |
| name: Build and Publish Container | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v3 | |
| # Podman is pre-installed on the GitHub Ubuntu runner | |
| - name: Check Podman version | |
| run: podman --version | |
| - name: Extract version from tag | |
| id: get-version | |
| run: | | |
| if [[ "${{ github.event_name }}" == "push" ]]; then | |
| # For tag push events, use the tag name | |
| VERSION=${GITHUB_REF#refs/tags/} | |
| else | |
| # For workflow_dispatch, use the input version | |
| VERSION=${{ github.event.inputs.version }} | |
| fi | |
| echo "version=$VERSION" >> $GITHUB_OUTPUT | |
| echo "Using version: $VERSION" | |
| - name: Log in to GitHub Container Registry | |
| run: | | |
| echo "${{ secrets.GITHUB_TOKEN }}" | podman login ghcr.io -u ${{ github.actor }} --password-stdin | |
| - name: Prepare image name | |
| id: prep | |
| run: | | |
| REPO_NAME=$(echo "${{ github.repository }}" | tr '[:upper:]' '[:lower:]') | |
| IMAGE_NAME="ghcr.io/${REPO_NAME}/troubleshoot-mcp-server" | |
| echo "image=${IMAGE_NAME}" >> $GITHUB_OUTPUT | |
| echo "Image name: ${IMAGE_NAME}" | |
| - name: Set file permissions | |
| run: | | |
| chmod +x scripts/build.sh | |
| chmod +x scripts/run.sh | |
| chmod +x scripts/run_tests.sh | |
| chmod +x scripts/setup_env.sh | |
| chmod +x scripts/generate_test_keys.sh | |
| - name: Verify melange/apko availability via containers | |
| run: | | |
| # Test that melange and apko work via containers (as used in our build system) | |
| # We run them in containers rather than installing binaries directly | |
| podman run --rm cgr.dev/chainguard/melange:latest version | |
| podman run --rm cgr.dev/chainguard/apko:latest version | |
| - name: Verify melange and apko configs exist | |
| run: | | |
| if [ ! -f .melange.yaml ]; then | |
| echo "ERROR: .melange.yaml not found" | |
| exit 1 | |
| fi | |
| if [ ! -f apko.yaml ]; then | |
| echo "ERROR: apko.yaml not found" | |
| exit 1 | |
| fi | |
| echo "Configuration files found:" | |
| ls -la .melange.yaml apko.yaml | |
| - name: Setup melange signing key | |
| run: | | |
| # Create temporary signing key from secret | |
| echo "${{ secrets.MELANGE_RSA }}" > melange.rsa | |
| chmod 600 melange.rsa | |
| - name: Build with melange and apko | |
| env: | |
| IMAGE_NAME: ${{ steps.prep.outputs.image }} | |
| VERSION: ${{ steps.get-version.outputs.version }} | |
| run: | | |
| # Build melange package with signing key using containerized melange | |
| podman run --rm --privileged --cap-add=SYS_ADMIN -v "$PWD":/work cgr.dev/chainguard/melange build .melange.yaml --arch=amd64 --signing-key=melange.rsa | |
| # Build apko image using containerized apko | |
| podman run --rm --privileged --cap-add=SYS_ADMIN -v "$PWD":/work cgr.dev/chainguard/apko build apko.yaml ${IMAGE_NAME}:${VERSION} troubleshoot-mcp-server.tar --arch=amd64 | |
| # Load into podman | |
| podman load < troubleshoot-mcp-server.tar | |
| # Remove architecture suffix from loaded image | |
| podman tag ${IMAGE_NAME}:${VERSION}-amd64 ${IMAGE_NAME}:${VERSION} | |
| # Tag with "latest" if this is not a test run | |
| if [[ "${{ github.event_name }}" == "push" ]]; then | |
| podman tag ${IMAGE_NAME}:${VERSION} ${IMAGE_NAME}:latest | |
| fi | |
| - name: Validate built container before publishing | |
| env: | |
| IMAGE_NAME: ${{ steps.prep.outputs.image }} | |
| VERSION: ${{ steps.get-version.outputs.version }} | |
| run: | | |
| # CRITICAL: Test that required tools are actually in the container | |
| # This prevents publishing broken images that are missing essential tools | |
| echo "Validating container image ${IMAGE_NAME}:${VERSION}..." | |
| # Test 1: sbctl must be present and executable | |
| echo "Checking sbctl..." | |
| podman run --rm --entrypoint which ${IMAGE_NAME}:${VERSION} sbctl | |
| podman run --rm --entrypoint sbctl ${IMAGE_NAME}:${VERSION} --help | head -5 | |
| # Test 2: kubectl must be present | |
| echo "Checking kubectl..." | |
| podman run --rm --entrypoint which ${IMAGE_NAME}:${VERSION} kubectl | |
| podman run --rm --entrypoint kubectl ${IMAGE_NAME}:${VERSION} version --client=true --output=yaml | head -5 | |
| # Test 3: MCP server must be able to start | |
| echo "Testing MCP server startup..." | |
| timeout 10 podman run --rm --entrypoint python3 ${IMAGE_NAME}:${VERSION} -m mcp_server_troubleshoot --help | head -5 | |
| echo "✅ Container validation passed - safe to publish" | |
| - name: Cleanup signing key | |
| if: always() | |
| run: | | |
| # Remove temporary signing key | |
| rm -f melange.rsa | |
| - name: Push container to GitHub Container Registry | |
| env: | |
| IMAGE_NAME: ${{ steps.prep.outputs.image }} | |
| VERSION: ${{ steps.get-version.outputs.version }} | |
| run: | | |
| podman push ${IMAGE_NAME}:${VERSION} | |
| # Push "latest" tag if this is not a test run | |
| if [[ "${{ github.event_name }}" == "push" ]]; then | |
| podman push ${IMAGE_NAME}:latest | |
| fi | |
| - name: Output image details | |
| run: | | |
| echo "::notice::Published image: ghcr.io/${{ github.repository }}/troubleshoot-mcp-server:${{ steps.get-version.outputs.version }}" |