From 57124b0b574e6a558d9cf7025ac1d39db2741ffb Mon Sep 17 00:00:00 2001 From: Pedro Tashima Date: Fri, 9 Feb 2024 18:36:43 -0300 Subject: [PATCH 01/29] add initial gh actions pipeline --- .github/workflows/pipeline.yml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 .github/workflows/pipeline.yml diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml new file mode 100644 index 0000000..6ed8bdd --- /dev/null +++ b/.github/workflows/pipeline.yml @@ -0,0 +1,29 @@ +name: Build And Push +on: + push: + tags: + - 'v*' +jobs: + build: + name: Build and Push + runs-on: ubuntu-latest + steps: + - name: Docker Hub Login + uses: docker/login-action@v2 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + - name: build + run: TAG=${GITHUB_REF_NAME} make + - name: push + run: TAG=${GITHUB_REF_NAME} make image-push + manifest: + name: Docker manifest + runs-on: ubuntu-latest + steps: + - name: Docker Hub Login + uses: docker/login-action@v2 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + From f163984318db4cbff1cc03ee5132ad7f7d83bfe7 Mon Sep 17 00:00:00 2001 From: Pedro Tashima Date: Mon, 12 Feb 2024 16:15:04 -0300 Subject: [PATCH 02/29] add create and push manifest --- .github/workflows/pipeline.yml | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml index 6ed8bdd..7f754d6 100644 --- a/.github/workflows/pipeline.yml +++ b/.github/workflows/pipeline.yml @@ -4,9 +4,11 @@ on: tags: - 'v*' jobs: - build: - name: Build and Push + build-amd64: + name: Build and Push amd64 runs-on: ubuntu-latest + env: + TAG: ${GITHUB_REF_NAME} steps: - name: Docker Hub Login uses: docker/login-action@v2 
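Review bot: The `build` job runs `make` and `make image-push` without an `actions/checkout` step, so there is no Makefile in the workspace when those steps execute; add `- uses: actions/checkout@v4` ahead of the build step. The workflow declares no `permissions:` block, so the job token receives the repository's default scopes although nothing here needs more than a top-level `permissions:` with `contents: read`. `docker/login-action@v2` is referenced by a mutable tag; for a step that handles registry credentials, pinning to a full commit SHA (tag kept in a trailing comment) is the usual supply-chain hardening. The `manifest` job logs in to Docker Hub but has no further steps and no `needs:`, so it runs in parallel with `build` and does nothing.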
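Review bot: The new job-level `env: TAG: ${GITHUB_REF_NAME}` is not shell-expanded — `env:` values are plain strings — so `TAG` holds the literal text `${GITHUB_REF_NAME}`, and `run: TAG=${TAG} make` in the next hunk builds an image tagged with that literal rather than with the pushed tag. Use the expression context instead: `TAG: ${{ github.ref_name }}`. The same literal is introduced in the step-level `env:` of the manifest job later in this commit.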
@@ -14,16 +16,27 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: build - run: TAG=${GITHUB_REF_NAME} make + run: TAG=${TAG} make - name: push - run: TAG=${GITHUB_REF_NAME} make image-push + run: TAG=${TAG} make image-push manifest: name: Docker manifest runs-on: ubuntu-latest + needs: build-amd64 steps: - name: Docker Hub Login uses: docker/login-action@v2 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} + - name: Create and Push manifest + env: + TAG: ${GITHUB_REF_NAME} + REPOSITORY_OWNER: ${{github.repository_owner}} + REPOSITORY: ${{github.repository}} + run: | + docker manifest create ${REPOSITORY_OWNER}/${REPOSITORY}:${TAG} \ + ${REPOSITORY_OWNER}/${REPOSITORY}:${TAG} + + docker manifest push ${REPOSITORY_OWNER}/${REPOSITORY}:${GITHUB_REF_NAME} From 52c2dae64ec83f1f6627f78c6e00742ca8cafe44 Mon Sep 17 00:00:00 2001 From: Pedro Tashima Date: Mon, 12 Feb 2024 16:32:10 -0300 Subject: [PATCH 03/29] update login action and clone repo --- .github/workflows/pipeline.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml index 7f754d6..952bbb6 100644 --- a/.github/workflows/pipeline.yml +++ b/.github/workflows/pipeline.yml @@ -11,10 +11,14 @@ jobs: TAG: ${GITHUB_REF_NAME} steps: - name: Docker Hub Login - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} + - name: Checkout + uses: actions/checkout@v4 + with: + ref: refs/tags/${TAG} - name: build run: TAG=${TAG} make - name: push @@ -25,7 +29,7 @@ jobs: needs: build-amd64 steps: - name: Docker Hub Login - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} From e264a7240926b771092d5d8fd32a7a4d80a097e5 Mon Sep 17 00:00:00 2001 
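Review bot: `${REPOSITORY_OWNER}/${REPOSITORY}` expands to `owner/owner/repo`, because `github.repository` already carries the owner prefix; the image reference needs either `${REPOSITORY}:${TAG}` alone or the owner plus a bare image name. The `docker manifest create` call also lists the manifest's own tag as its only source image, so nothing distinct is aggregated. `TAG: ${GITHUB_REF_NAME}` in this step's `env:` is a literal string, not the ref name (`TAG: ${{ github.ref_name }}` is the intended form), while the push line uses `${GITHUB_REF_NAME}`, which the shell does expand — so create and push can end up referring to two different tags.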
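Review bot: `ref: refs/tags/${TAG}` in the checkout step's `with:` is never processed by a shell, so the action receives the literal string `refs/tags/${TAG}` and the checkout fails. For a tag push the default checkout already uses the triggering ref, so the `with:` block can be dropped; if an explicit ref is wanted, write `ref: ${{ github.ref }}`. Checking out before the registry login would also fail fast on a bad ref without first presenting credentials to Docker Hub.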
From: Pedro Tashima Date: Mon, 12 Feb 2024 16:43:20 -0300 Subject: [PATCH 04/29] use github env --- .github/workflows/pipeline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml index 952bbb6..829bd5e 100644 --- a/.github/workflows/pipeline.yml +++ b/.github/workflows/pipeline.yml @@ -18,7 +18,7 @@ jobs: - name: Checkout uses: actions/checkout@v4 with: - ref: refs/tags/${TAG} + ref: refs/tags/${{env.GITHUB_REF_NAME}} - name: build run: TAG=${TAG} make - name: push From 128045a6892f20e132610bf14e720755098da520 Mon Sep 17 00:00:00 2001 From: Pedro Tashima Date: Mon, 12 Feb 2024 16:46:57 -0300 Subject: [PATCH 05/29] update ref --- .github/workflows/pipeline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml index 829bd5e..cfba286 100644 --- a/.github/workflows/pipeline.yml +++ b/.github/workflows/pipeline.yml @@ -18,7 +18,7 @@ jobs: - name: Checkout uses: actions/checkout@v4 with: - ref: refs/tags/${{env.GITHUB_REF_NAME}} + ref: ${{github.ref}} - name: build run: TAG=${TAG} make - name: push From 30a7fc8772d1f3577af9392a2db91f5c28e6d9c2 Mon Sep 17 00:00:00 2001 From: Pedro Tashima Date: Mon, 12 Feb 2024 16:50:24 -0300 Subject: [PATCH 06/29] fix repo org --- .github/workflows/pipeline.yml | 12 ++++----- ] | 47 ++++++++++++++++++++++++++++++++++ 2 files changed, 53 insertions(+), 6 deletions(-) create mode 100644 ] diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml index cfba286..dd641da 100644 --- a/.github/workflows/pipeline.yml +++ b/.github/workflows/pipeline.yml @@ -9,6 +9,7 @@ jobs: runs-on: ubuntu-latest env: TAG: ${GITHUB_REF_NAME} + REPOSITORY_OWNER: ${{github.repository_owner}} steps: - name: Docker Hub Login uses: docker/login-action@v3 
@@ -20,9 +21,9 @@ jobs: with: ref: ${{github.ref}} - name: build - run: TAG=${TAG} make + run: TAG=${TAG} ORG=${REPOSITORY_OWNER} make - name: push - run: TAG=${TAG} make image-push + run: TAG=${TAG} ORG=${REPOSITORY_OWNER} make image-push manifest: name: Docker manifest runs-on: ubuntu-latest @@ -37,10 +38,9 @@ jobs: env: TAG: ${GITHUB_REF_NAME} REPOSITORY_OWNER: ${{github.repository_owner}} - REPOSITORY: ${{github.repository}} run: | - docker manifest create ${REPOSITORY_OWNER}/${REPOSITORY}:${TAG} \ - ${REPOSITORY_OWNER}/${REPOSITORY}:${TAG} + docker manifest create ${REPOSITORY_OWNER}/hardened-build-base:${TAG} \ + ${REPOSITORY_OWNER}/hardened-build-base:${TAG} - docker manifest push ${REPOSITORY_OWNER}/${REPOSITORY}:${GITHUB_REF_NAME} + docker manifest push ${REPOSITORY_OWNER}/hardened-build-base:${GITHUB_REF_NAME} diff --git a/] b/] new file mode 100644 index 0000000..91ab985 --- /dev/null +++ b/] 
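Review bot: The `docker manifest create` call in the manifest job still names `${REPOSITORY_OWNER}/hardened-build-base:${TAG}` — the manifest tag itself — as its only source, whereas the build job's `make image-push` (per the Makefile `image-push` target shown later in this series) pushes only the `$(TAG)-$(ARCH)` tag, so create references an image that was never pushed. The source line should be `${REPOSITORY_OWNER}/hardened-build-base:${TAG}-amd64`. The image name is now hard-coded in the workflow while the Makefile derives it from `ORG`, so the two can drift; passing the full image reference from one place would avoid that.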
@@ -0,0 +1,47 @@ +name: Build And Push +on: + push: + tags: + - 'v*' +jobs: + build-amd64: + name: Build and Push amd64 + runs-on: ubuntu-latest + env: + TAG: ${GITHUB_REF_NAME} + REPOSITORY_OWNER: ${{github.repository_owner}} + steps: + - name: Docker Hub Login + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + - name: Checkout + uses: actions/checkout@v4 + with: + ref: ${{github.ref}} + - name: build + run: TAG=${TAG} make + - name: push + run: TAG=${TAG} ORG=${} make image-push + manifest: + name: Docker manifest + runs-on: ubuntu-latest + needs: build-amd64 + steps: + - name: Docker Hub Login + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + - name: Create and Push manifest + env: + TAG: ${GITHUB_REF_NAME} + REPOSITORY_OWNER: ${{github.repository_owner}} + REPOSITORY: ${{github.repository}} + run: | + docker manifest create ${REPOSITORY_OWNER}/${REPOSITORY}:${TAG} \ + ${REPOSITORY_OWNER}/${REPOSITORY}:${TAG} + + docker manifest push ${REPOSITORY_OWNER}/${REPOSITORY}:${GITHUB_REF_NAME} + From fbe0587edea08cdd2b0a81491d246e6b5c983654 Mon Sep 17 00:00:00 2001 From: Pedro Tashima Date: Mon, 12 Feb 2024 17:07:24 -0300 Subject: [PATCH 07/29] update to use github vars --- .github/workflows/pipeline.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml index dd641da..19d77f1 100644 --- a/.github/workflows/pipeline.yml +++ b/.github/workflows/pipeline.yml 
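Review bot: The new file named `]` at the repository root looks like an accidental artifact (possibly a stray shell redirect), not an intended addition: it is a near copy of `pipeline.yml`, and its push step `run: TAG=${TAG} ORG=${} make image-push` contains `${}`, which bash rejects as a bad substitution. It should be removed from the commit rather than carried until a later cleanup.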
@@ -39,8 +39,8 @@ jobs: TAG: ${GITHUB_REF_NAME} REPOSITORY_OWNER: ${{github.repository_owner}} run: | - docker manifest create ${REPOSITORY_OWNER}/hardened-build-base:${TAG} \ - ${REPOSITORY_OWNER}/hardened-build-base:${TAG} + docker manifest create ${{github.repository_owner}}/hardened-build-base:${{github.ref_name}} \ + ${{github.repository_owner}}/hardened-build-base:${TAG} - docker manifest push ${REPOSITORY_OWNER}/hardened-build-base:${GITHUB_REF_NAME} + docker manifest push ${{github.repository_owner}}/hardened-build-base${{github.ref_name}} From 4c6eeb1c8870eea5c8ea44b3898cae4f948ae1a0 Mon Sep 17 00:00:00 2001 From: Pedro Tashima Date: Mon, 12 Feb 2024 17:09:48 -0300 Subject: [PATCH 08/29] fix missing : in docker manifest push --- .github/workflows/pipeline.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml index 19d77f1..944c9f3 100644 --- a/.github/workflows/pipeline.yml +++ b/.github/workflows/pipeline.yml @@ -41,6 +41,5 @@ jobs: run: | docker manifest create ${{github.repository_owner}}/hardened-build-base:${{github.ref_name}} \ ${{github.repository_owner}}/hardened-build-base:${TAG} - - docker manifest push ${{github.repository_owner}}/hardened-build-base${{github.ref_name}} + docker manifest push ${{github.repository_owner}}/hardened-build-base:${{github.ref_name}} From e3db9089df5c41afab3b0fa656d9dd048f1a37da Mon Sep 17 00:00:00 2001 From: Pedro Tashima Date: Mon, 12 Feb 2024 17:12:43 -0300 Subject: [PATCH 09/29] separate create and push steps --- .github/workflows/pipeline.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml index 944c9f3..d0fb886 100644 --- a/.github/workflows/pipeline.yml +++ b/.github/workflows/pipeline.yml 
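Review bot: The rewritten `run:` lines interpolate `${{ github.repository_owner }}` and `${{ github.ref_name }}` directly into the shell script, while the step's `env:` block (`TAG`, `REPOSITORY_OWNER`) is left unused. Expression interpolation into `run:` is the pattern GitHub documents as a script-injection risk, because the expanded text becomes part of the script before bash sees it; the safer shape is to keep the values in `env:` — `TAG: ${{ github.ref_name }}`, `REPOSITORY_OWNER: ${{ github.repository_owner }}` — and reference them as `"${REPOSITORY_OWNER}/hardened-build-base:${TAG}"`. The same inline interpolation is kept by the following commits that edit these two steps (PATCH 08 through 13).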
@@ -34,12 +34,11 @@ jobs: with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Create and Push manifest - env: - TAG: ${GITHUB_REF_NAME} - REPOSITORY_OWNER: ${{github.repository_owner}} + - name: Create manifest run: | docker manifest create ${{github.repository_owner}}/hardened-build-base:${{github.ref_name}} \ - ${{github.repository_owner}}/hardened-build-base:${TAG} + ${{github.repository_owner}}/hardened-build-base:${{github.ref_name}} + - name: Push manifest + run: | docker manifest push ${{github.repository_owner}}/hardened-build-base:${{github.ref_name}} From b74bcc7e68943eb371bd11f8723f62b2f7677925 Mon Sep 17 00:00:00 2001 From: Pedro Tashima Date: Mon, 12 Feb 2024 17:17:24 -0300 Subject: [PATCH 10/29] add amend to mainfest create --- .github/workflows/pipeline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml index d0fb886..9a27450 100644 --- a/.github/workflows/pipeline.yml +++ b/.github/workflows/pipeline.yml @@ -37,7 +37,7 @@ jobs: - name: Create manifest run: | docker manifest create ${{github.repository_owner}}/hardened-build-base:${{github.ref_name}} \ - ${{github.repository_owner}}/hardened-build-base:${{github.ref_name}} + --amend ${{github.repository_owner}}/hardened-build-base:${{github.ref_name}} - name: Push manifest run: | docker manifest push ${{github.repository_owner}}/hardened-build-base:${{github.ref_name}} From e717fcce5d8ea07dd12f249c4f273053213f1d86 Mon Sep 17 00:00:00 2001 From: Pedro Tashima Date: Mon, 12 Feb 2024 17:34:25 -0300 Subject: [PATCH 11/29] add arch suffix to manifest --- .github/workflows/pipeline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml index 9a27450..dd881c7 100644 --- a/.github/workflows/pipeline.yml +++ b/.github/workflows/pipeline.yml 
@@ -37,7 +37,7 @@ jobs: - name: Create manifest run: | docker manifest create ${{github.repository_owner}}/hardened-build-base:${{github.ref_name}} \ - --amend ${{github.repository_owner}}/hardened-build-base:${{github.ref_name}} + ${{github.repository_owner}}/hardened-build-base:${{github.ref_name}}-amd64 - name: Push manifest run: | docker manifest push ${{github.repository_owner}}/hardened-build-base:${{github.ref_name}} From a4d4c8215b41e486898e018a88fa842656a2f0c4 Mon Sep 17 00:00:00 2001 From: Pedro Tashima Date: Mon, 12 Feb 2024 17:37:20 -0300 Subject: [PATCH 12/29] remove file --- ] | 47 ----------------------------------------------- 1 file changed, 47 deletions(-) delete mode 100644 ] diff --git a/] b/] deleted file mode 100644 index 91ab985..0000000 --- a/] +++ /dev/null @@ -1,47 +0,0 @@ -name: Build And Push -on: - push: - tags: - - 'v*' -jobs: - build-amd64: - name: Build and Push amd64 - runs-on: ubuntu-latest - env: - TAG: ${GITHUB_REF_NAME} - REPOSITORY_OWNER: ${{github.repository_owner}} - steps: - - name: Docker Hub Login - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Checkout - uses: actions/checkout@v4 - with: - ref: ${{github.ref}} - - name: build - run: TAG=${TAG} make - - name: push - run: TAG=${TAG} ORG=${} make image-push - manifest: - name: Docker manifest - runs-on: ubuntu-latest - needs: build-amd64 - steps: - - name: Docker Hub Login - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Create and Push manifest - env: - TAG: ${GITHUB_REF_NAME} - REPOSITORY_OWNER: ${{github.repository_owner}} - REPOSITORY: ${{github.repository}} - run: | - docker manifest create ${REPOSITORY_OWNER}/${REPOSITORY}:${TAG} \ - ${REPOSITORY_OWNER}/${REPOSITORY}:${TAG} - - docker manifest push ${REPOSITORY_OWNER}/${REPOSITORY}:${GITHUB_REF_NAME} - 
From 8c57095453d9f1bb223fd7cc29cbc8eac8d0bac3 Mon Sep 17 00:00:00 2001 From: Pedro Tashima Date: Mon, 12 Feb 2024 17:38:15 -0300 Subject: [PATCH 13/29] use single line to run --- .github/workflows/pipeline.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml index dd881c7..29f65fd 100644 --- a/.github/workflows/pipeline.yml +++ b/.github/workflows/pipeline.yml @@ -39,6 +39,5 @@ jobs: docker manifest create ${{github.repository_owner}}/hardened-build-base:${{github.ref_name}} \ ${{github.repository_owner}}/hardened-build-base:${{github.ref_name}}-amd64 - name: Push manifest - run: | - docker manifest push ${{github.repository_owner}}/hardened-build-base:${{github.ref_name}} + run: docker manifest push ${{github.repository_owner}}/hardened-build-base:${{github.ref_name}} From 0d67f2b1762ed4d88f80d1cbdde2d536687d0de9 Mon Sep 17 00:00:00 2001 From: Pedro Tashima Date: Mon, 12 Feb 2024 17:46:26 -0300 Subject: [PATCH 14/29] rename to linux-amd64 --- .github/workflows/pipeline.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml index 29f65fd..7be82e4 100644 --- a/.github/workflows/pipeline.yml +++ b/.github/workflows/pipeline.yml @@ -4,8 +4,8 @@ on: tags: - 'v*' jobs: - build-amd64: - name: Build and Push amd64 + linux-amd64: + name: Build and Push linux amd64 runs-on: ubuntu-latest env: TAG: ${GITHUB_REF_NAME} @@ -27,7 +27,7 @@ jobs: manifest: name: Docker manifest runs-on: ubuntu-latest - needs: build-amd64 + needs: linux-amd64 steps: - name: Docker Hub Login uses: docker/login-action@v3 From 1b7805b0a3133e5d9690b123b989986cec512715 Mon Sep 17 00:00:00 2001 From: Pedro Tashima Date: Tue, 13 Feb 2024 22:21:45 -0300 Subject: [PATCH 15/29] implement hybrid build and push --- .drone.yml | 51 ---------------------------------- .github/workflows/pipeline.yml | 16 ----------- 2 files changed, 67 deletions(-) 
diff --git a/.drone.yml b/.drone.yml index 61f0aac..af8b7b0 100644 --- a/.drone.yml +++ b/.drone.yml @@ -1,55 +1,5 @@ --- kind: pipeline -name: linux-amd64 -platform: - os: linux - arch: amd64 - -steps: -- name: build - image: docker:dind - volumes: - - name: dockersock - path: /var/run - commands: - - sleep 20 - - apk add make - - TAG=${DRONE_TAG} make - when: - event: - - tag - -- name: push - image: docker:dind - volumes: - - name: dockersock - path: /var/run - commands: - - apk add make - - docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD - - TAG=${DRONE_TAG} make image-push - environment: - DOCKER_USERNAME: - from_secret: docker_username - DOCKER_PASSWORD: - from_secret: docker_password - when: - event: - - tag - -services: -- name: docker - image: docker:dind - privileged: true - volumes: - - name: dockersock - path: /var/run - -volumes: -- name: dockersock - temp: {} ---- -kind: pipeline name: linux-arm64 platform: os: linux @@ -119,5 +69,4 @@ steps: - tag depends_on: - - linux-amd64 - linux-arm64 diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml index 7be82e4..9ea39e8 100644 --- a/.github/workflows/pipeline.yml +++ b/.github/workflows/pipeline.yml @@ -24,20 +24,4 @@ jobs: run: TAG=${TAG} ORG=${REPOSITORY_OWNER} make - name: push run: TAG=${TAG} ORG=${REPOSITORY_OWNER} make image-push - manifest: - name: Docker manifest - runs-on: ubuntu-latest - needs: linux-amd64 - steps: - - name: Docker Hub Login - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Create manifest - run: | - docker manifest create ${{github.repository_owner}}/hardened-build-base:${{github.ref_name}} \ - ${{github.repository_owner}}/hardened-build-base:${{github.ref_name}}-amd64 - - name: Push manifest - run: docker manifest push ${{github.repository_owner}}/hardened-build-base:${{github.ref_name}} From c28fc5b7da6e1ee9137cec83d8deedebe58a27ad Mon Sep 17 00:00:00 2001 
From: tashima42 Date: Wed, 13 Mar 2024 09:52:22 -0300 Subject: [PATCH 16/29] add multiarch build and trivy image scan --- .github/workflows/build.yml | 70 ++++++++++++++++++++++++++++++++ .github/workflows/image-push.yml | 39 ++++++++++++++++++ .github/workflows/pipeline.yml | 27 ------------ Dockerfile.amd64 => Dockerfile | 10 ++++- Dockerfile.arm64 | 35 ---------------- Dockerfile.s390x | 23 ----------- README.md | 3 +- updatecli/updatecli.d/trivy.yml | 10 ++--- 8 files changed, 123 insertions(+), 94 deletions(-) create mode 100644 .github/workflows/build.yml create mode 100644 .github/workflows/image-push.yml delete mode 100644 .github/workflows/pipeline.yml rename Dockerfile.amd64 => Dockerfile (69%) delete mode 100644 Dockerfile.arm64 delete mode 100644 Dockerfile.s390x diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 0000000..1a8e05d --- /dev/null +++ b/.github/workflows/build.yml 
@@ -0,0 +1,70 @@ +on: + push: + branches: + - master + pull_request: + +name: Build +jobs: + build-amd64: + runs-on: ubuntu-latest + env: + TAG: ${GITHUB_REF_NAME} + REPOSITORY_OWNER: ${{ github.repository_owner }} + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build container image + uses: docker/build-push-action@v5 + with: + context: . + push: false + tags: ${{env.REPOSITORY_OWNER}}/hardened-build-base:${{env.TAG}}-amd64 + file: Dockerfile + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.18.0 + with: + image-ref: ${{env.REPOSITORY_OWNER}}/hardened-build-base:${{ env.TAG }}-amd64 + format: 'table' + exit-code: '1' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' + + build-arm64: + runs-on: ubuntu-latest + env: + TAG: ${GITHUB_REF_NAME} + REPOSITORY_OWNER: ${{ github.repository_owner }} + steps: + - name: Check out code + uses: actions/checkout@v4 + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Build container image + uses: docker/build-push-action@v5 + with: + context: . + push: false + tags: ${{env.REPOSITORY_OWNER}}/hardened-build-base:${{env.TAG}}-arm64 + file: Dockerfile + outputs: type=docker + platforms: linux/arm64 + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.18.0 + with: + image-ref: ${{env.REPOSITORY_OWNER}}/hardened-build-base:${{env.TAG}}-arm64 + format: 'table' + exit-code: '1' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' + diff --git a/.github/workflows/image-push.yml b/.github/workflows/image-push.yml new file mode 100644 index 0000000..f60dad7 --- /dev/null +++ b/.github/workflows/image-push.yml 
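Review bot: `TAG: ${GITHUB_REF_NAME}` in both jobs' `env:` is a literal string (no shell runs on `env:` values), so `${{ env.TAG }}` yields `${GITHUB_REF_NAME}` and the reference passed to `tags:` and `image-ref:` contains `$`, `{` and `}`, which are not valid Docker tag characters. Even as `${{ github.ref_name }}` the value would be `<n>/merge` on `pull_request` events, also invalid in a tag; for a build-only workflow a fixed form such as `TAG: ci-${{ github.sha }}` is simpler. `aquasecurity/trivy-action@0.18.0` and the other actions are referenced by mutable tags; pin the scan gate that decides whether a PR passes to full commit SHAs. No `permissions:` block is declared; `contents: read` is all these jobs need.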
@@ -0,0 +1,39 @@ +name: Build And Push +on: + push: + tags: + - 'v*' +jobs: + push-multiarch: + name: Build and Push amd64 and arm64 + runs-on: ubuntu-latest + env: + TAG: ${GITHUB_REF_NAME} + REPOSITORY_OWNER: ${{ github.repository_owner }} + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + ref: ${{github.ref}} + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Docker Registry Login + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Build Container Image + uses: docker/build-push-action@v5 + with: + context: . + push: true + tags: ${{ env.REPOSITORY_OWNER }}/hardened-build-base:${{ env.TAG }} + file: Dockerfile + platforms: linux/amd64, linux/arm64 + diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml deleted file mode 100644 index 9ea39e8..0000000 --- a/.github/workflows/pipeline.yml +++ /dev/null @@ -1,27 +0,0 @@ -name: Build And Push -on: - push: - tags: - - 'v*' -jobs: - linux-amd64: - name: Build and Push linux amd64 - runs-on: ubuntu-latest - env: - TAG: ${GITHUB_REF_NAME} - REPOSITORY_OWNER: ${{github.repository_owner}} - steps: - - name: Docker Hub Login - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Checkout - uses: actions/checkout@v4 - with: - ref: ${{github.ref}} - - name: build - run: TAG=${TAG} ORG=${REPOSITORY_OWNER} make - - name: push - run: TAG=${TAG} ORG=${REPOSITORY_OWNER} make image-push - diff --git a/Dockerfile.amd64 b/Dockerfile similarity index 69% rename from Dockerfile.amd64 rename to Dockerfile index 6567403..e47c840 100644 --- a/Dockerfile.amd64 +++ b/Dockerfile 
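Review bot: `TAG: ${GITHUB_REF_NAME}` is again a literal string in `env:`, so the image would be tagged `${GITHUB_REF_NAME}` (invalid tag characters, so the push fails); it should be `TAG: ${{ github.ref_name }}`. This release path builds and pushes with `push: true` but has no Trivy step, so the only vulnerability gate in this commit is the PR-time `build.yml`, and tagged images reach the registry unscanned — scan the built image before pushing, or make the push job depend on a scan job. No `permissions:` block is declared and the actions are tag-pinned; `contents: read` plus SHA pins would be the hardened form.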
@@ -3,11 +3,19 @@ ARG ALPINE_VERSION=3.18 FROM library/golang:${GOLANG_VERSION}-alpine${ALPINE_VERSION} AS trivy ARG TRIVY_VERSION=0.42.0 + +FROM trivy as trivy-amd64 RUN set -ex; \ wget -q "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"; \ tar -xzf trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz; \ mv trivy /usr/local/bin +FROM trivy as trivy-arm64 +RUN set -ex; \ + wget -q "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-ARM64.tar.gz"; \ + tar -xzf trivy_${TRIVY_VERSION}_Linux-ARM64.tar.gz; \ + mv trivy /usr/local/bin + FROM library/golang:${GOLANG_VERSION}-alpine${ALPINE_VERSION} RUN apk --no-cache add \ bash \ @@ -25,7 +33,7 @@ RUN apk --no-cache add \ wget \ yq COPY scripts/ /usr/local/go/bin/ -COPY --from=trivy /usr/local/bin/ /usr/bin/ +COPY --from=trivy-${TARGETARCH} /usr/local/bin/ /usr/bin/ RUN set -x && \ chmod -v +x /usr/local/go/bin/go-*.sh && \ go version && \ diff --git a/Dockerfile.arm64 b/Dockerfile.arm64 deleted file mode 100644 index ef6e651..0000000 --- a/Dockerfile.arm64 +++ /dev/null 
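Review bot: Both new `trivy-*` stages fetch the release tarball with `wget -q` and install the binary without verifying it; the transfer is over HTTPS, but nothing checks that the archive matches what the project published, so a substituted release asset would be baked into the base image used for hardened builds. Pin the expected digest per architecture (e.g. an `ARG TRIVY_SHA256_AMD64` next to `TRIVY_VERSION`) and add `echo "${TRIVY_SHA256} trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" | sha256sum -c -` before the `tar -xzf` line, or verify against the release's published checksum file. The two stages duplicate the download recipe and differ only in the tarball suffix; a single stage parameterized by that suffix would keep them in step.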
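Review bot: `COPY --from=trivy-${TARGETARCH}` relies on `TARGETARCH`, which BuildKit defines only in the global scope; this stage never declares `ARG TARGETARCH`, so inside the stage the variable is empty and the instruction resolves to `--from=trivy-`. Either add `ARG TARGETARCH` after this stage's `FROM`, or select the stage up front with `FROM trivy-${TARGETARCH} AS trivy-base` (FROM lines can see the global platform args) and copy from `trivy-base`. The enclosing final stage starts and continues outside this hunk.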
@@ -1,35 +0,0 @@ -ARG GOLANG_VERSION=1.19.0 -ARG ALPINE_VERSION=3.18 - -FROM library/golang:${GOLANG_VERSION}-alpine${ALPINE_VERSION} AS trivy -ARG TRIVY_VERSION=0.42.0 -RUN set -ex; \ - wget -q "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-ARM64.tar.gz"; \ - tar -xzf trivy_${TRIVY_VERSION}_Linux-ARM64.tar.gz; \ - mv trivy /usr/local/bin - -FROM library/golang:${GOLANG_VERSION}-alpine${ALPINE_VERSION} -RUN apk --no-cache add \ - bash \ - binutils-gold \ - libc6-compat \ - coreutils \ - curl \ - docker \ - file \ - g++ \ - gcc \ - git \ - gcompat \ - make \ - mercurial \ - rsync \ - subversion \ - wget \ - yq -COPY scripts/ /usr/local/go/bin/ -COPY --from=trivy /usr/local/bin/ /usr/bin/ -RUN set -x && \ - chmod -v +x /usr/local/go/bin/go-*.sh && \ - go version && \ - trivy image --download-db-only --quiet diff --git a/Dockerfile.s390x b/Dockerfile.s390x deleted file mode 100644 index bcbfe8f..0000000 --- a/Dockerfile.s390x +++ /dev/null @@ -1,23 +0,0 @@ -ARG GOLANG_VERSION=1.19.0-alpine3.15 -ARG ALPINE_VERSION=3.18 - -FROM library/golang:${GOLANG_VERSION}-alpine${ALPINE_VERSION} -RUN apk --no-cache add \ - bash \ - coreutils \ - curl \ - docker \ - file \ - g++ \ - gcc \ - git \ - make \ - mercurial \ - rsync \ - subversion \ - wget \ - yq -COPY scripts/ /usr/local/go/bin/ -RUN set -x \ - && chmod -v +x /usr/local/go/bin/go-*.sh \ - && go version diff --git a/README.md b/README.md index 1f58219..47b9087 100644 --- a/README.md +++ b/README.md @@ -4,8 +4,7 @@ This repository holds the Dockerfiles and builds scripts for [rancher/hardened-b Supported architectures -- [x86_64/amd64](Dockerfile.amd64) -- [arm64](Dockerfile.arm64) +- [x86_64/amd64, arm64](Dockerfile) ## Build diff --git a/updatecli/updatecli.d/trivy.yml b/updatecli/updatecli.d/trivy.yml index b3fc460..c152e52 100644 --- a/updatecli/updatecli.d/trivy.yml +++ b/updatecli/updatecli.d/trivy.yml 
@@ -29,27 +29,25 @@ sources: conditions: trivy-version: - name: "Check Trivy version in Dockerfile.amd64" + name: "Check Trivy version in Dockerfile" kind: "file" scmid: "image-build-base" disablesourceinput: true spec: files: - - "Dockerfile.amd64" - - "Dockerfile.arm64" + - "Dockerfile" matchpattern: 'TRIVY_VERSION={{ source `trivy-release` }}' failwhen: true targets: trivy-version: - name: "Update Trivy version in Dockerfile.amd64" + name: "Update Trivy version in Dockerfile" kind: "file" scmid: "image-build-base" disablesourceinput: true spec: files: - - "Dockerfile.amd64" - - "Dockerfile.arm64" + - "Dockerfile" matchpattern: 'TRIVY_VERSION=\d+\.\d+.\d+' replacepattern: 'TRIVY_VERSION={{ source `trivy-release` }}' From bb15be44bb32134ebcc95c6213f40b7869856555 Mon Sep 17 00:00:00 2001 From: tashima42 Date: Wed, 13 Mar 2024 09:55:05 -0300 Subject: [PATCH 17/29] remove build workflow and drone file --- .drone.yml | 72 ------------------------------------- .github/workflows/build.yml | 70 ------------------------------------ 2 files changed, 142 deletions(-) delete mode 100644 .drone.yml delete mode 100644 .github/workflows/build.yml diff --git a/.drone.yml b/.drone.yml deleted file mode 100644 index af8b7b0..0000000 --- a/.drone.yml +++ /dev/null 
@@ -1,72 +0,0 @@ ---- -kind: pipeline -name: linux-arm64 -platform: - os: linux - arch: arm64 - -steps: -- name: build - image: docker:dind - volumes: - - name: dockersock - path: /var/run - commands: - - sleep 20 - - apk add make - - TAG=${DRONE_TAG} make - when: - event: - - tag - -- name: push - image: docker:dind - volumes: - - name: dockersock - path: /var/run - commands: - - apk add make - - docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD - - TAG=${DRONE_TAG} make image-push - environment: - DOCKER_USERNAME: - from_secret: docker_username - DOCKER_PASSWORD: - from_secret: docker_password - when: - event: - - tag - -services: -- name: docker - image: docker:dind - privileged: true - volumes: - - name: dockersock - path: /var/run - -volumes: -- name: dockersock - temp: {} ---- -kind: pipeline -type: docker -name: manifest -platform: - os: linux - arch: amd64 -steps: - - name: push - image: plugins/manifest:1.2.3 - settings: - password: - from_secret: docker_password - username: - from_secret: docker_username - spec: manifest.tmpl - when: - event: - - tag - -depends_on: - - linux-arm64 diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml deleted file mode 100644 index 1a8e05d..0000000 --- a/.github/workflows/build.yml +++ /dev/null 
@@ -1,70 +0,0 @@ -on: - push: - branches: - - master - pull_request: - -name: Build -jobs: - build-amd64: - runs-on: ubuntu-latest - env: - TAG: ${GITHUB_REF_NAME} - REPOSITORY_OWNER: ${{ github.repository_owner }} - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Build container image - uses: docker/build-push-action@v5 - with: - context: . - push: false - tags: ${{env.REPOSITORY_OWNER}}/hardened-build-base:${{env.TAG}}-amd64 - file: Dockerfile - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.18.0 - with: - image-ref: ${{env.REPOSITORY_OWNER}}/hardened-build-base:${{ env.TAG }}-amd64 - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' - - build-arm64: - runs-on: ubuntu-latest - env: - TAG: ${GITHUB_REF_NAME} - REPOSITORY_OWNER: ${{ github.repository_owner }} - steps: - - name: Check out code - uses: actions/checkout@v4 - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Build container image - uses: docker/build-push-action@v5 - with: - context: . - push: false - tags: ${{env.REPOSITORY_OWNER}}/hardened-build-base:${{env.TAG}}-arm64 - file: Dockerfile - outputs: type=docker - platforms: linux/arm64 - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.18.0 - with: - image-ref: ${{env.REPOSITORY_OWNER}}/hardened-build-base:${{env.TAG}}-arm64 - format: 'table' - exit-code: '1' - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' - From df2137a240c2318bc080d46e00e6d54d65008bf5 Mon Sep 17 00:00:00 2001 From: tashima42 Date: Wed, 13 Mar 2024 09:58:20 -0300 Subject: [PATCH 18/29] fix github ref tag --- .github/workflows/image-push.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/image-push.yml b/.github/workflows/image-push.yml index f60dad7..da2f254 100644 
--- a/.github/workflows/image-push.yml +++ b/.github/workflows/image-push.yml @@ -8,7 +8,7 @@ jobs: name: Build and Push amd64 and arm64 runs-on: ubuntu-latest env: - TAG: ${GITHUB_REF_NAME} + TAG: ${{github.ref}} REPOSITORY_OWNER: ${{ github.repository_owner }} steps: - name: Checkout From 57c8b64e8e38fb03d57585a66e4c4b4ad5f76f27 Mon Sep 17 00:00:00 2001 From: tashima42 Date: Wed, 13 Mar 2024 10:01:07 -0300 Subject: [PATCH 19/29] fix ref name --- .github/workflows/image-push.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/image-push.yml b/.github/workflows/image-push.yml index da2f254..18e7410 100644 --- a/.github/workflows/image-push.yml +++ b/.github/workflows/image-push.yml @@ -8,7 +8,7 @@ jobs: name: Build and Push amd64 and arm64 runs-on: ubuntu-latest env: - TAG: ${{github.ref}} + TAG: ${{github.ref_name}} REPOSITORY_OWNER: ${{ github.repository_owner }} steps: - name: Checkout From 50aea5cb4b880b2925459dd7bdc92617ce118a78 Mon Sep 17 00:00:00 2001 From: tashima42 Date: Wed, 13 Mar 2024 10:06:57 -0300 Subject: [PATCH 20/29] add targetarch arg --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index e47c840..5a05a14 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,6 @@ ARG GOLANG_VERSION=1.19.0 ARG ALPINE_VERSION=3.18 +ARG TARGETARCH FROM library/golang:${GOLANG_VERSION}-alpine${ALPINE_VERSION} AS trivy ARG TRIVY_VERSION=0.42.0 From de4c44cc635764e57d6b938f068f2b06ac94b5ea Mon Sep 17 00:00:00 2001 From: tashima42 Date: Wed, 13 Mar 2024 10:13:24 -0300 Subject: [PATCH 21/29] fix trivy base name --- Dockerfile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 5a05a14..2f29f01 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -17,6 +17,8 @@ RUN set -ex; \ tar -xzf trivy_${TRIVY_VERSION}_Linux-ARM64.tar.gz; \ mv trivy /usr/local/bin +FROM trivy-${TARGETARCH} as trivy-base + FROM library/golang:${GOLANG_VERSION}-alpine${ALPINE_VERSION} RUN apk --no-cache add \ bash \ @@ -34,7 +36,7 @@ RUN apk --no-cache add \ wget \ yq COPY scripts/ /usr/local/go/bin/ -COPY --from=trivy-${TARGETARCH} /usr/local/bin/ /usr/bin/ +COPY --from=trivy-base /usr/local/bin/ /usr/bin/ RUN set -x && \ chmod -v +x /usr/local/go/bin/go-*.sh && \ go version && \ From 9fd52ad6de3f5bbe7c6646b05915fa3fed5fb217 Mon Sep 17 00:00:00 2001 From: tashima42 Date: Wed, 13 Mar 2024 10:17:02 -0300 Subject: [PATCH 22/29] remove targetarch arg --- Dockerfile | 1 - 1 file changed, 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 2f29f01..d8966d2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,5 @@ ARG GOLANG_VERSION=1.19.0 ARG ALPINE_VERSION=3.18 -ARG TARGETARCH FROM library/golang:${GOLANG_VERSION}-alpine${ALPINE_VERSION} AS trivy ARG TRIVY_VERSION=0.42.0 From d01de0b300988b8711ac680c9b0f8de8379c3a1f Mon Sep 17 00:00:00 2001 From: tashima42 Date: Wed, 13 Mar 2024 10:24:35 -0300 Subject: [PATCH 23/29] remove build steps and add log --- Makefile | 36 +++++++----------------------------- 1 file changed, 7 insertions(+), 29 deletions(-) diff --git a/Makefile b/Makefile index 1e5a3a0..80595ca 100644 --- a/Makefile +++ b/Makefile 
@@ -1,34 +1,12 @@ -UNAME_M = $(shell uname -m) -ARCH= -ifeq ($(UNAME_M), x86_64) - ARCH=amd64 -else ifeq ($(UNAME_M), aarch64) - ARCH=arm64 -else - ARCH=$(UNAME_M) -endif - ORG ?= rancher -TAG ?= v1.19.0 +TAG ?= v1.22.0b1 GO_VERSION ?= $(shell echo $(TAG) | sed -e "s/v\(.*\)b.*/\1/g") -.PHONY: image-build -image-build: - docker build \ - --build-arg GOLANG_VERSION=$(GO_VERSION) \ - --tag $(ORG)/hardened-build-base:$(TAG) \ - --tag $(ORG)/hardened-build-base:$(TAG)-$(ARCH) \ - . \ - -f Dockerfile.$(ARCH) -.PHONY: image-push -image-push: - docker push $(ORG)/hardened-build-base:$(TAG)-$(ARCH) +.PHONY: log +log: + @echo "TAG=$(TAG)" + @echo "ORG=$(ORG)" + @echo "GO_VERSION=$(GO_VERSION)" + -.PHONY: image-manifest -image-manifest: - DOCKER_CLI_EXPERIMENTAL=enabled docker manifest create --amend \ - $(ORG)/hardened-build-base:$(TAG) \ - $(ORG)/hardened-build-base:$(TAG)-$(ARCH) - DOCKER_CLI_EXPERIMENTAL=enabled docker manifest push \ - $(ORG)/hardened-build-base:$(TAG) From 23bb4aa649df534956c7e41f99a3d7a51bb195a6 Mon Sep 17 00:00:00 2001 From: tashima42 Date: Wed, 13 Mar 2024 10:27:28 -0300 Subject: [PATCH 24/29] add golang version env --- .github/workflows/image-push.yml | 5 +++++ Makefile | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/.github/workflows/image-push.yml b/.github/workflows/image-push.yml index 18e7410..f5d3f23 100644 --- a/.github/workflows/image-push.yml +++ b/.github/workflows/image-push.yml @@ -28,6 +28,11 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} + - name: Set the GOLANG_VERSION value + id: get-GOLANG_VERSION + run: | + echo "$(make -s log | grep GOLANG_VERSION)" >> "$GITHUB_ENV" + - name: Build Container Image uses: docker/build-push-action@v5 with: diff --git a/Makefile b/Makefile index 80595ca..8d7529f 100644 --- a/Makefile +++ b/Makefile 
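Review bot: The new "Set the GOLANG_VERSION value" step masks failures: the `$(make -s log | grep GOLANG_VERSION)` substitution runs inside `echo`, so the step exits with echo's status, and a missing `log` target or a non-matching grep still succeeds while appending an empty line to `$GITHUB_ENV`, leaving `GOLANG_VERSION` unset for the later build step. Run the pipeline directly and anchor the match: `shell: bash` (which enables `pipefail`, unlike the default shell) and `run: make -s log | grep '^GOLANG_VERSION=' >> "$GITHUB_ENV"`. The `id: get-GOLANG_VERSION` is unused since the step sets no outputs and can be dropped. The job continues outside the hunk.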
@@ -1,12 +1,12 @@ ORG ?= rancher TAG ?= v1.22.0b1 -GO_VERSION ?= $(shell echo $(TAG) | sed -e "s/v\(.*\)b.*/\1/g") +GOLANG_VERSION ?= $(shell echo $(TAG) | sed -e "s/v\(.*\)b.*/\1/g") .PHONY: log log: @echo "TAG=$(TAG)" @echo "ORG=$(ORG)" - @echo "GO_VERSION=$(GO_VERSION)" + @echo "GOLANG_VERSION=$(GOLANG_VERSION)" From 7fffb35ccfb3efb794b38617a57afdaa6289b8fe Mon Sep 17 00:00:00 2001 From: tashima42 Date: Wed, 13 Mar 2024 10:32:51 -0300 Subject: [PATCH 25/29] remove manifest template --- manifest.tmpl | 12 ------------ 1 file changed, 12 deletions(-) delete mode 100644 manifest.tmpl diff --git a/manifest.tmpl b/manifest.tmpl deleted file mode 100644 index 3102e49..0000000 --- a/manifest.tmpl +++ /dev/null @@ -1,12 +0,0 @@ -image: rancher/hardened-build-base:{{build.tag}} -manifests: - - - image: rancher/hardened-build-base:{{build.tag}}-amd64 - platform: - architecture: amd64 - os: linux - - - image: rancher/hardened-build-base:{{build.tag}}-arm64 - platform: - architecture: arm64 - os: linux From 95615de7ea95040d66c58d1dcb6094af498bc479 Mon Sep 17 00:00:00 2001 From: tashima42 Date: Wed, 13 Mar 2024 10:38:39 -0300 Subject: [PATCH 26/29] add build arg golang --- .github/workflows/image-push.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/image-push.yml b/.github/workflows/image-push.yml index f5d3f23..f458868 100644 --- a/.github/workflows/image-push.yml +++ b/.github/workflows/image-push.yml @@ -38,6 +38,8 @@ jobs: with: context: . push: true + build-args: | + "GOLANG_VERSION=${{env.GOLANG_VERSION}}" tags: ${{ env.REPOSITORY_OWNER }}/hardened-build-base:${{ env.TAG }} file: Dockerfile platforms: linux/amd64, linux/arm64 From 886621ceac4ebef51ecfba69f23b9fafc0470461 Mon Sep 17 00:00:00 2001 From: Pedro Tashima Date: Mon, 15 Apr 2024 18:14:26 -0300 Subject: [PATCH 27/29] add permissions and secrets --- .github/workflows/image-push.yml | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) 
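Review bot: The renamed `GOLANG_VERSION` line keeps the sed expression `s/v\(.*\)b.*/\1/g`, which strips the leading `v` only when a `b` suffix is present, so a tag such as `v1.22.0` yields `GOLANG_VERSION=v1.22.0` and a non-existent `golang:v1.22.0-alpine…` base image. Two anchored substitutions handle both tag forms: `GOLANG_VERSION ?= $(shell echo $(TAG) | sed -e "s/^v//" -e "s/b.*//")`. The same expression reappears as `GO_VERSION` in the Makefile hunk of patch 29 and needs the same change there.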
diff --git a/.github/workflows/image-push.yml b/.github/workflows/image-push.yml index f458868..1f2093d 100644 --- a/.github/workflows/image-push.yml +++ b/.github/workflows/image-push.yml @@ -3,21 +3,31 @@ on: push: tags: - 'v*' +permissions: + contents: read + jobs: push-multiarch: name: Build and Push amd64 and arm64 runs-on: ubuntu-latest env: - TAG: ${{github.ref_name}} + TAG: ${{ github.ref_name }} REPOSITORY_OWNER: ${{ github.repository_owner }} steps: - name: Checkout uses: actions/checkout@v4 with: - ref: ${{github.ref}} + ref: ${{ github.ref }} - name: Set up QEMU uses: docker/setup-qemu-action@v3 + + - name: "Read secrets" + uses: rancher-eio/read-vault-secrets@main + with: + secrets: | + secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ; + secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 @@ -25,8 +35,8 @@ jobs: - name: Docker Registry Login uses: docker/login-action@v3 with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} + username: ${{ env.DOCKER_USERNAME }} + password: ${{ env.DOCKER_PASSWORD }} - name: Set the GOLANG_VERSION value id: get-GOLANG_VERSION @@ -39,7 +49,7 @@ jobs: context: . push: true build-args: | - "GOLANG_VERSION=${{env.GOLANG_VERSION}}" + "GOLANG_VERSION=${{ env.GOLANG_VERSION }}" tags: ${{ env.REPOSITORY_OWNER }}/hardened-build-base:${{ env.TAG }} file: Dockerfile platforms: linux/amd64, linux/arm64 From 2ba4ad14792168bb792bb33ef49599c3fb3f8833 Mon Sep 17 00:00:00 2001 From: Pedro Tashima Date: Mon, 15 Apr 2024 18:15:46 -0300 Subject: [PATCH 28/29] add permissions --- .github/workflows/image-push.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/image-push.yml b/.github/workflows/image-push.yml index 1f2093d..5a63d09 100644 
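Review bot: `uses: rancher-eio/read-vault-secrets@main` pins a credential-handling action to a mutable branch, so anyone who can push to that branch changes what runs with this job's Vault access and Docker Hub credentials; pin it to a full-length commit SHA with the tag noted in a comment, `uses: rancher-eio/read-vault-secrets@<full-commit-sha>  # <release-tag>`. The later login step reads `env.DOCKER_USERNAME` and `env.DOCKER_PASSWORD`, which suggests the action exports the secrets into the job environment where every subsequent step, including third-party actions, can read them — worth a comment on the step if that scope is intended, and worth confirming against the action's documentation. The workflow-level `permissions: contents: read` added here is the right default. The job's remaining steps are outside the hunk.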
--- a/.github/workflows/image-push.yml +++ b/.github/workflows/image-push.yml @@ -8,6 +8,9 @@ permissions: jobs: push-multiarch: + permissions: + contents: read + id-token: write name: Build and Push amd64 and arm64 runs-on: ubuntu-latest env: From ebd7351f1177f2671090c17b8b7994f48d8c0aed Mon Sep 17 00:00:00 2001 From: Pedro Tashima Date: Mon, 15 Apr 2024 19:16:03 -0300 Subject: [PATCH 29/29] add makefile --- Dockerfile | 3 ++- Makefile | 39 +++++++++++++++++++++++++++++++-------- 2 files changed, 33 insertions(+), 9 deletions(-) diff --git a/Dockerfile b/Dockerfile index d8966d2..150dc05 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,15 +2,16 @@ ARG GOLANG_VERSION=1.19.0 ARG ALPINE_VERSION=3.18 FROM library/golang:${GOLANG_VERSION}-alpine${ALPINE_VERSION} AS trivy -ARG TRIVY_VERSION=0.42.0 FROM trivy as trivy-amd64 +ARG TRIVY_VERSION=0.42.0 RUN set -ex; \ wget -q "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"; \ tar -xzf trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz; \ mv trivy /usr/local/bin FROM trivy as trivy-arm64 +ARG TRIVY_VERSION=0.42.0 RUN set -ex; \ wget -q "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-ARM64.tar.gz"; \ tar -xzf trivy_${TRIVY_VERSION}_Linux-ARM64.tar.gz; \ diff --git a/Makefile b/Makefile index 8d7529f..42ee7ad 100644 --- a/Makefile +++ b/Makefile 
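Review bot: The job-level `id-token: write` grant carries no comment explaining why a build job needs to mint OIDC tokens, and because a job-level `permissions` block replaces the workflow-level one, the repeated `contents: read` looks redundant to a reader who does not know that rule. Add above the block `# id-token: write lets the read-vault-secrets step exchange a GitHub OIDC token for Vault access; contents: read is repeated because a job-level block replaces the workflow-level permissions` — the OIDC use is inferred from the grant and the step name, so confirm it against the action. Keeping the grant at job level rather than workflow level is the right scoping.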
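Review bot: Both trivy stages fetch a release tarball with `wget -q` and extract it without verifying a checksum, so the trivy binary baked into the image is whatever the download returns; since this hunk rewrites the headers of those stages it is the natural place to add the check. After each `wget` add `echo "<expected-sha256>  trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" | sha256sum -c -; \` (and the ARM64 equivalent), with the checksum taken from the release's checksums file and pinned in the Dockerfile next to `TRIVY_VERSION`. Moving `ARG TRIVY_VERSION=0.42.0` into each stage also duplicates the default; a single `ARG TRIVY_VERSION=0.42.0` before the first `FROM` plus a bare `ARG TRIVY_VERSION` in each stage inherits that global default without repeating it. The `trivy-arm64` RUN ends outside the hunk.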
@@ -1,12 +1,35 @@ -ORG ?= rancher -TAG ?= v1.22.0b1 -GOLANG_VERSION ?= $(shell echo $(TAG) | sed -e "s/v\(.*\)b.*/\1/g") +UNAME_M = $(shell uname -m) +ARCH= +ifeq ($(UNAME_M), x86_64) + ARCH=amd64 +else ifeq ($(UNAME_M), aarch64) + ARCH=arm64 +else + ARCH=$(UNAME_M) +endif +ORG ?= rancher +TAG ?= v1.19.0 +GO_VERSION ?= $(shell echo $(TAG) | sed -e "s/v\(.*\)b.*/\1/g") -.PHONY: log -log: - @echo "TAG=$(TAG)" - @echo "ORG=$(ORG)" - @echo "GOLANG_VERSION=$(GOLANG_VERSION)" +.PHONY: image-build +image-build: + docker build \ + --pull \ + --build-arg GOLANG_VERSION=$(GO_VERSION) \ + --tag $(ORG)/hardened-build-base:$(TAG) \ + --tag $(ORG)/hardened-build-base:$(TAG)-$(ARCH) \ + . \ + -f Dockerfile \ +.PHONY: image-push +image-push: + docker push $(ORG)/hardened-build-base:$(TAG)-$(ARCH) +.PHONY: image-manifest +image-manifest: + DOCKER_CLI_EXPERIMENTAL=enabled docker manifest create --amend \ + $(ORG)/hardened-build-base:$(TAG) \ + $(ORG)/hardened-build-base:$(TAG)-$(ARCH) + DOCKER_CLI_EXPERIMENTAL=enabled docker manifest push \ + $(ORG)/hardened-build-base:$(TAG)
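Review bot: The `log` target is deleted, but the workflow's "Set the GOLANG_VERSION value" step (visible as context in patch 27's hunk) still runs `make -s log | grep GOLANG_VERSION`; because that runs inside `echo "$(...)"` the missing target does not fail the step, `GOLANG_VERSION` ends up empty, and the build arg becomes `GOLANG_VERSION=`, which overrides the Dockerfile default. The `image-build` recipe also ends with `-f Dockerfile \`, and a trailing backslash on a recipe line makes Make join the following `.PHONY: image-push` line into the shell command, so `docker build` receives `.PHONY: image-push` as extra arguments and `image-push` is no longer declared phony. Restore the target under the name the workflow greps for and drop the backslash, as below. The `GO_VERSION` sed expression additionally strips the leading `v` only for `b`-suffixed tags.
```makefile
# … unchanged: ARCH detection, ORG/TAG/GO_VERSION, image-build recipe up to the context line …
	-f Dockerfile

# Consumed by the workflow's "Set the GOLANG_VERSION value" step via `make -s log`.
.PHONY: log
log:
	@echo "TAG=$(TAG)"
	@echo "ORG=$(ORG)"
	@echo "GOLANG_VERSION=$(GO_VERSION)"

.PHONY: image-push
# … unchanged: image-push and image-manifest …
```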