Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Migrate to github actions #50

Closed
wants to merge 1 commit into from
Closed

Migrate to github actions #50

wants to merge 1 commit into from

Conversation

thomasferrandiz
Copy link
Contributor

@thomasferrandiz thomasferrandiz commented Mar 13, 2024
edited
Loading

@github-advanced-security
Copy link

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

manuelbuil
manuelbuil reviewed Mar 13, 2024
View reviewed changes
.github/workflows/build.yml
tags: rancher/hardened-coredns:${{ env.TAG }}-arm64
file: Dockerfile
outputs: type=docker
platforms: linux/arm64
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if it makes sense to also run trivy here, maybe there are extra stuff when using arm64 code?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure if it's necessary or not.
I remember that we didn't do it for s390x but maybe for arm64 it's more useful.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure there is much value on per-arch Trivy scan, I would assume the majority of times you will get the same (or very similar results).

For reference, atm all our internal scans are solely on amd64.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree, if the packages in the final images per arch are the same, you could only do the scan in amd64. Although, it shouldn't be a big issue if you scan all of them, it's more a way of saving time in the pipeline.

pjbgf
pjbgf reviewed Mar 13, 2024
View reviewed changes
.github/workflows/build.yml
Comment on lines +58 to +64
- name: Build container image
uses: docker/build-push-action@v5
with:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any specific reason to break the builds per platform? One of the key benefits of docker buildx is optimised cross-compilation builds.

Copy link

@tashima42 tashima42 Mar 13, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pjbgf I think it might be because of this issue: docker/buildx#59

The default image store in Docker Engine doesn't support loading multi-platform images. You can enable the containerd image store, or push multi-platform images is to directly push to a registry

using --load and --platform at the same time in docker buildx is not supported

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes exactly @manuelbuil did some tests for this PR: rancher/image-build-flannel#76 and concluded the build per platform was needed

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we are solely testing the build (e.g. confirm whether it works for all target platforms), you can remove both --load and --push and set --platform. That effectively means you will build to all target platforms. Like we did here.

@briandowns
Copy link
Member

@galal-hussein is doing this for a lot of the other, non networking related repositories. Let's make sure we're doing all of them as similar as possible.

@galal-hussein
Copy link
Contributor

lets also remove the .drone part from updatecli as well https://github.com/rancher/image-build-coredns/blob/master/updatecli/updatecli.d/updatebuildbase.yaml#L45-L53

@pjbgf
Copy link
Member

pjbgf commented Mar 13, 2024

The drone webhooks should also be removed - probably one for EIO.

macedogm
macedogm reviewed Mar 14, 2024
View reviewed changes
Copy link
Member

@macedogm macedogm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice PR! Everything looks good. The main recommendation is to follow the least privilege when generating the token, as Paulo suggested.

.github/workflows/build.yml
tags: rancher/hardened-coredns:${{ env.TAG }}-arm64
file: Dockerfile
outputs: type=docker
platforms: linux/arm64
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree, if the packages in the final images per arch are the same, you could only do the scan in amd64. Although, it shouldn't be a big issue if you scan all of them, it's more a way of saving time in the pipeline.

macedogm
macedogm reviewed Mar 14, 2024
View reviewed changes
Makefile
@@ -53,3 +49,14 @@ image-manifest:
.PHONY: image-scan
image-scan:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this target also be removed?

@pjbgf
Copy link
Member

pjbgf commented Mar 14, 2024

Please note that the host-arch is taking 2min while the cross arch is taking 14min. We could get this optimised by letting the heavy lifting be done at the build arch instead of cross emulating network operations. However that could be dealt with on a follow-up PR.

@thomasferrandiz thomasferrandiz force-pushed the migrateToGHA branch 2 times, most recently from d3d163f to 7bb2cbc Compare March 14, 2024 16:59
@manuelbuil
Copy link
Contributor

@pjbgf @macedogm Insisting on Hussein's question: do you think it is a good idea to upload the output: 'trivy-results.sarif' in all the repos?

@macedogm
Copy link
Member

@pjbgf @macedogm Insisting on Hussein's question: do you think it is a good idea to upload the output: 'trivy-results.sarif' in all the repos?

Yes, although we already have such info in our internal image-scanning, having it per repo can speed up specific analysis and visibility by the teams themselves.

@manuelbuil
Copy link
Contributor

@pjbgf @macedogm Insisting on Hussein's question: do you think it is a good idea to upload the output: 'trivy-results.sarif' in all the repos?

Yes, although we already have such info in our internal image-scanning, having it per repo can speed up specific analysis and visibility by the teams themselves.

Thanks! I'm trying to write down all taken decisions in this migration so that we can replicate them in other repos :)

@macedogm
Copy link
Member

Thanks! I'm trying to write down all taken decisions in this migration so that we can replicate them in other repos :)

@manuelbuil Nice! We can help review the doc and add specific guidance if needed.

@manuelbuil
Copy link
Contributor

Thanks! I'm trying to write down all taken decisions in this migration so that we can replicate them in other repos :)

@manuelbuil Nice! We can help review the doc and add specific guidance if needed.

It's in the description of this EPIC: rancher/ecm-distro-tools#375

@thomasferrandiz
Migrate to github actions
2adc200 
Signed-off-by: Thomas Ferrandiz <thomas.ferrandiz@suse.com>
@thomasferrandiz thomasferrandiz mentioned this pull request Apr 2, 2024
Merged
@thomasferrandiz
Copy link
Contributor Author

replaced by #52

@thomasferrandiz
Copy link
Contributor Author

reference issue: rancher/ecm-distro-tools#382

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@galal-hussein galal-hussein galal-hussein left review comments

@manuelbuil manuelbuil manuelbuil left review comments

@pjbgf pjbgf pjbgf approved these changes

@macedogm macedogm macedogm approved these changes

@tashima42 tashima42 Awaiting requested review from tashima42

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@thomasferrandiz @briandowns @galal-hussein @pjbgf @manuelbuil @macedogm @tashima42