diff --git a/.drone.yml b/.drone.yml deleted file mode 100644 index 0197ee8..0000000 --- a/.drone.yml +++ /dev/null @@ -1,144 +0,0 @@ ---- -kind: pipeline -type: docker -name: linux-amd64 - -platform: - os: linux - arch: amd64 - -steps: -- name: build - pull: always - image: rancher/hardened-build-base:v1.20.4b11 - commands: - - make DRONE_TAG=${DRONE_TAG} - volumes: - - name: docker - path: /var/run/docker.sock - when: - ref: - include: - - refs/heads/master - - refs/pull/** - - refs/tags/* - -- name: publish - image: rancher/hardened-build-base:v1.20.4b11 - commands: - - docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD - - make DRONE_TAG=${DRONE_TAG} image-push - environment: - DOCKER_PASSWORD: - from_secret: docker_password - DOCKER_USERNAME: - from_secret: docker_username - volumes: - - name: docker - path: /var/run/docker.sock - when: - event: - - tag - -- name: scan - image: rancher/hardened-build-base:v1.20.4b11 - commands: - - make DRONE_TAG=${DRONE_TAG} image-scan - volumes: - - name: docker - path: /var/run/docker.sock - when: - ref: - include: - - refs/heads/master - - refs/pull/** - - refs/tags/* - -volumes: -- name: docker - host: - path: /var/run/docker.sock ---- -kind: pipeline -type: docker -name: linux-arm64 - -platform: - os: linux - arch: arm64 - -steps: -- name: build - pull: always - image: rancher/hardened-build-base:v1.20.4b11 - commands: - - make DRONE_TAG=${DRONE_TAG} - volumes: - - name: docker - path: /var/run/docker.sock - when: - ref: - include: - - refs/heads/master - - refs/pull/** - - refs/tags/* - -- name: publish - image: rancher/hardened-build-base:v1.20.4b11 - commands: - - docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD - - make DRONE_TAG=${DRONE_TAG} image-push - environment: - DOCKER_PASSWORD: - from_secret: docker_password - DOCKER_USERNAME: - from_secret: docker_username - volumes: - - name: docker - path: /var/run/docker.sock - when: - event: - - tag - -- name: scan - image: rancher/hardened-build-base:v1.20.4b11 - commands: - - make DRONE_TAG=${DRONE_TAG} image-scan - volumes: - - name: docker - path: /var/run/docker.sock - when: - ref: - include: - - refs/heads/master - - refs/pull/** - - refs/tags/* - -volumes: -- name: docker - host: - path: /var/run/docker.sock - ---- -kind: pipeline -type: docker -name: manifest -platform: - os: linux - arch: amd64 -steps: -- name: push - image: plugins/manifest:1.2.3 - settings: - password: - from_secret: docker_password - username: - from_secret: docker_username - spec: manifest.tmpl - when: - event: - - tag -depends_on: -- linux-amd64 -- linux-arm64 -... diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 0000000..2348f31 --- /dev/null +++ b/.github/workflows/build.yml @@ -0,0 +1,70 @@ +on: + push: + branches: + - master + pull_request: + +permissions: + contents: read + security-events: write # upload Sarif results + +name: Build +jobs: + build-amd64: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set the TAG value + id: get-TAG + run: | + echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV" + - name: Build container image + uses: docker/build-push-action@v5 + with: + context: . + push: false + tags: rancher/hardened-crictl:${{ env.TAG }}-amd64 + file: Dockerfile + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.18.0 + with: + image-ref: rancher/hardened-crictl:${{ env.TAG }}-amd64 + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' + format: 'sarif' + output: 'trivy-results.sarif' + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + if: always() + with: + sarif_file: 'trivy-results.sarif' + + build-arm64: + runs-on: ubuntu-latest + steps: + - name: Check out code + uses: actions/checkout@v4 + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Set the TAG value + id: get-TAG + run: | + echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV" + - name: Build container image + uses: docker/build-push-action@v5 + with: + context: . + push: false + tags: rancher/hardened-crictl:${{ env.TAG }}-arm64 + file: Dockerfile + outputs: type=docker + platforms: linux/arm64 diff --git a/.github/workflows/image-push.yml b/.github/workflows/image-push.yml new file mode 100644 index 0000000..72752ce --- /dev/null +++ b/.github/workflows/image-push.yml @@ -0,0 +1,44 @@ +on: + release: + types: [published] + +permissions: + contents: read + +jobs: + push-multiarch: + permissions: + contents: read + id-token: write + runs-on: ubuntu-latest + steps: + - name: Check out code + uses: actions/checkout@v4 + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: "Read secrets" + uses: rancher-eio/read-vault-secrets@main + with: + secrets: | + secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ; + secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to Container Registry + uses: docker/login-action@v3 + with: + username: ${{ env.DOCKER_USERNAME }} + password: ${{ env.DOCKER_PASSWORD }} + + - name: Build container image + uses: docker/build-push-action@v5 + with: + context: . + push: true + tags: rancher/hardened-crictl:${{ github.event.release.tag_name }} + file: Dockerfile + platforms: linux/amd64, linux/arm64 diff --git a/Dockerfile b/Dockerfile index 596bdaf..499f6ee 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ ARG BCI_IMAGE=registry.suse.com/bci/bci-base -ARG GO_IMAGE=rancher/hardened-build-base:1.20.4b11 +ARG GO_IMAGE=rancher/hardened-build-base:v1.20.4b11 FROM ${BCI_IMAGE} as bci FROM ${GO_IMAGE} as builder # setup required packages diff --git a/Makefile b/Makefile index d76eee5..8edb7e7 100644 --- a/Makefile +++ b/Makefile @@ -16,41 +16,40 @@ PKG ?= github.com/kubernetes-sigs/cri-tools SRC ?= github.com/kubernetes-sigs/cri-tools TAG ?= v1.26.1$(BUILD_META) -ifneq ($(DRONE_TAG),) - TAG := $(DRONE_TAG) -endif - ifeq (,$(filter %$(BUILD_META),$(TAG))) - $(error TAG needs to end with build metadata: $(BUILD_META)) +$(error TAG needs to end with build metadata: $(BUILD_META)) endif GOLANG_VERSION := $(shell ./scripts/golang-version.sh $(TAG)) .PHONY: image-build image-build: - docker build \ + docker buildx build \ + --platform=$(ARCH) \ --pull \ --build-arg PKG=$(PKG) \ --build-arg SRC=$(SRC) \ --build-arg TAG=$(TAG:$(BUILD_META)=) \ --build-arg ARCH=$(ARCH) \ - --build-arg GO_IMAGE=rancher/hardened-build-base:$(GOLANG_VERSION) \ --tag $(ORG)/hardened-crictl:$(TAG) \ --tag $(ORG)/hardened-crictl:$(TAG)-$(ARCH) \ + --load \ . .PHONY: image-push image-push: docker push $(ORG)/hardened-crictl:$(TAG)-$(ARCH) -.PHONY: image-manifest -image-manifest: - DOCKER_CLI_EXPERIMENTAL=enabled docker manifest create --amend \ - $(ORG)/hardened-crictl:$(TAG) \ - $(ORG)/hardened-crictl:$(TAG)-$(ARCH) - DOCKER_CLI_EXPERIMENTAL=enabled docker manifest push \ - $(ORG)/hardened-crictl:$(TAG) - .PHONY: image-scan image-scan: trivy --severity $(SEVERITIES) --no-progress --ignore-unfixed $(ORG)/hardened-crictl:$(TAG) + +PHONY: log +log: + @echo "ARCH=$(ARCH)" + @echo "TAG=$(TAG)" + @echo "ORG=$(ORG)" + @echo "PKG=$(PKG)" + @echo "SRC=$(SRC)" + @echo "BUILD_META=$(BUILD_META)" + @echo "UNAME_M=$(UNAME_M)" diff --git a/manifest.tmpl b/manifest.tmpl deleted file mode 100644 index 4e72760..0000000 --- a/manifest.tmpl +++ /dev/null @@ -1,12 +0,0 @@ -image: rancher/hardened-crictl:{{build.tag}} -manifests: - - - image: rancher/hardened-crictl:{{build.tag}}-amd64 - platform: - architecture: amd64 - os: linux - - - image: rancher/hardened-crictl:{{build.tag}}-arm64 - platform: - architecture: arm64 - os: linux