Merge pull request #67 from tashima42/replace-drone-gh-actions

* Migrate to GHA
rancher · May 14, 2024 · 2604538 · 2604538
2 parents c363e41 + ebd7351
commit 2604538
Show file tree

Hide file tree

Showing 9 changed files with 78 additions and 203 deletions.
diff --git a/.drone.yml b/.drone.yml
diff --git a/.github/workflows/image-push.yml b/.github/workflows/image-push.yml
@@ -0,0 +1,59 @@
+name: Build And Push
+on:
+  push:
+    tags:
+      - 'v*'
+permissions:
+  contents: read
+
+jobs:
+  push-multiarch:
+    permissions:
+      contents: read
+      id-token: write
+    name: Build and Push amd64 and arm64
+    runs-on: ubuntu-latest
+    env:
+      TAG: ${{ github.ref_name }}
+      REPOSITORY_OWNER: ${{ github.repository_owner }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref }}
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: "Read secrets"
+        uses: rancher-eio/read-vault-secrets@main
+        with:
+          secrets: |
+            secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
+            secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD
+      
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Docker Registry Login
+        uses: docker/login-action@v3
+        with:
+          username: ${{ env.DOCKER_USERNAME }}
+          password: ${{ env.DOCKER_PASSWORD }}
+
+      - name: Set the GOLANG_VERSION value
+        id: get-GOLANG_VERSION
+        run: |
+          echo "$(make -s log | grep GOLANG_VERSION)" >> "$GITHUB_ENV"
+
+      - name: Build Container Image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          build-args: |
+            "GOLANG_VERSION=${{ env.GOLANG_VERSION }}"
+          tags: ${{ env.REPOSITORY_OWNER }}/hardened-build-base:${{ env.TAG }}
+          file: Dockerfile
+          platforms: linux/amd64, linux/arm64
+
diff --git a/Dockerfile.amd64 → Dockerfile b/Dockerfile.amd64 → Dockerfile
@@ -2,12 +2,23 @@ ARG GOLANG_VERSION=1.19.0
 ARG ALPINE_VERSION=3.18
 
 FROM library/golang:${GOLANG_VERSION}-alpine${ALPINE_VERSION} AS trivy
+
+FROM trivy as trivy-amd64
 ARG TRIVY_VERSION=0.42.0
 RUN set -ex; \
     wget -q "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"; \
     tar -xzf trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz; \
     mv trivy /usr/local/bin
 
+FROM trivy as trivy-arm64
+ARG TRIVY_VERSION=0.42.0
+RUN set -ex; \
+    wget -q "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-ARM64.tar.gz"; \
+    tar -xzf trivy_${TRIVY_VERSION}_Linux-ARM64.tar.gz; \
+    mv trivy /usr/local/bin
+
+FROM trivy-${TARGETARCH} as trivy-base
+
 FROM library/golang:${GOLANG_VERSION}-alpine${ALPINE_VERSION}
 RUN apk --no-cache add \
     bash \
@@ -25,7 +36,7 @@ RUN apk --no-cache add \
     wget \
     yq
 COPY scripts/ /usr/local/go/bin/
-COPY --from=trivy /usr/local/bin/ /usr/bin/
+COPY --from=trivy-base /usr/local/bin/ /usr/bin/
 RUN set -x && \
     chmod -v +x /usr/local/go/bin/go-*.sh && \
     go version && \

diff --git a/Dockerfile.arm64 b/Dockerfile.arm64
diff --git a/Dockerfile.s390x b/Dockerfile.s390x
diff --git a/Makefile b/Makefile
@@ -15,11 +15,12 @@ GO_VERSION ?= $(shell echo $(TAG) | sed -e "s/v\(.*\)b.*/\1/g")
 .PHONY: image-build
 image-build:
 	docker build \
+		--pull \
 		--build-arg GOLANG_VERSION=$(GO_VERSION) \
 		--tag $(ORG)/hardened-build-base:$(TAG) \
 		--tag $(ORG)/hardened-build-base:$(TAG)-$(ARCH) \
 		. \
-		-f Dockerfile.$(ARCH)
+		-f Dockerfile \
 
 .PHONY: image-push
 image-push:

diff --git a/README.md b/README.md
@@ -4,8 +4,7 @@ This repository holds the Dockerfiles and builds scripts for [rancher/hardened-b
 
 Supported architectures
 
-- [x86_64/amd64](Dockerfile.amd64)
-- [arm64](Dockerfile.arm64)
+- [x86_64/amd64, arm64](Dockerfile)
 
 ## Build
 

diff --git a/manifest.tmpl b/manifest.tmpl
diff --git a/updatecli/updatecli.d/trivy.yml b/updatecli/updatecli.d/trivy.yml
@@ -29,27 +29,25 @@ sources:
 
 conditions:
   trivy-version:
-    name: "Check Trivy version in Dockerfile.amd64"
+    name: "Check Trivy version in Dockerfile"
     kind: "file"
     scmid: "image-build-base"
     disablesourceinput: true
     spec:
       files:
-        - "Dockerfile.amd64"
-        - "Dockerfile.arm64"
+        - "Dockerfile"
       matchpattern: 'TRIVY_VERSION={{ source `trivy-release` }}'
     failwhen: true
 
 targets:
   trivy-version:
-    name: "Update Trivy version in Dockerfile.amd64"
+    name: "Update Trivy version in Dockerfile"
     kind: "file"
     scmid: "image-build-base"
     disablesourceinput: true
     spec:
       files:
-        - "Dockerfile.amd64"
-        - "Dockerfile.arm64"
+        - "Dockerfile"
       matchpattern: 'TRIVY_VERSION=\d+\.\d+.\d+'
       replacepattern: 'TRIVY_VERSION={{ source `trivy-release` }}'