Migrate to github actions #50

Closed
wants to merge 1 commit into from
143 changes: 0 additions & 143 deletions .drone.yml

This file was deleted.

70 changes: 70 additions & 0 deletions .github/workflows/build.yml
@@ -0,0 +1,70 @@
on:
push:
branches:
- master
pull_request:

permissions:
contents: read
security-events: write # upload Sarif results

name: Build
jobs:
build-amd64:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Set the TAG value
id: get-TAG
run: |
echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV"
- name: Build container image
uses: docker/build-push-action@v5
with:
context: .
push: false
tags: rancher/hardened-coredns:${{ env.TAG }}-amd64
file: Dockerfile

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.18.0
with:
image-ref: rancher/hardened-coredns:${{ env.TAG }}-amd64
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: 'trivy-results.sarif'

build-arm64:
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v4

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Set the TAG value
id: get-TAG
run: |
echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV"
- name: Build container image
uses: docker/build-push-action@v5
with:
Comment on lines +62 to +64

Member:
Any specific reason to break the builds per platform? One of the key benefits of docker buildx is optimised cross-compilation builds.

@tashima42 (Mar 13, 2024):

@pjbgf I think it might be because of this issue: docker/buildx#59

The default image store in Docker Engine doesn't support loading multi-platform images. You can enable the containerd image store, or push multi-platform images is to directly push to a registry

Using --load and --platform at the same time in docker buildx is not supported.

Contributor Author:

Yes, exactly. @manuelbuil did some tests for this PR: rancher/image-build-flannel#76 and concluded the build per platform was needed.

Member:

If we are solely testing the build (e.g. confirming whether it works for all target platforms), you can remove both --load and --push and set --platform. That effectively means you will build for all target platforms. Like we did here.

context: .
push: false
tags: rancher/hardened-coredns:${{ env.TAG }}-arm64
file: Dockerfile
outputs: type=docker
platforms: linux/arm64
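Review bot: the "Set the TAG value" step in both jobs (`echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV"`) cannot fail: if `make` or `grep` errors, the command substitution is empty, `echo` still succeeds, and the image ends up tagged `rancher/hardened-coredns:-amd64` with TAG unset. Write the pipeline directly so the step fails on error and anchor the pattern, e.g. `make -s log | grep '^TAG=' >> "$GITHUB_ENV"`. Separately, the Trivy step only uploads SARIF and never fails the job on findings (the action's default `exit-code` is 0), so CRITICAL/HIGH results will not block a PR; set `exit-code: '1'` if the scan is meant to gate merges. Since this workflow holds `security-events: write`, consider pinning the third-party actions (`aquasecurity/trivy-action@0.18.0`, the `docker/*` actions) to commit SHAs rather than mutable tags; note also that for pull requests from forks the token is read-only, so the upload-sarif step will fail there even with `if: always()`.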
Contributor:

I wonder if it makes sense to also run Trivy here; maybe there is extra stuff when using arm64 code?

Contributor Author:

I'm not sure if it's necessary or not.
I remember that we didn't do it for s390x but maybe for arm64 it's more useful.

Member:

Not sure there is much value in a per-arch Trivy scan; I would assume the majority of times you will get the same (or very similar) results.

For reference, at the moment all our internal scans are solely on amd64.

Member:

Agreed: if the packages in the final images per arch are the same, you could do the scan only on amd64. Although it shouldn't be a big issue if you scan all of them; it's more a way of saving time in the pipeline.

34 changes: 34 additions & 0 deletions .github/workflows/image-push.yml
@@ -0,0 +1,34 @@
on:
release:
types: [published]

permissions:
contents: read

jobs:
push-multiarch:
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v4

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Login to Container Registry
uses: docker/login-action@v3
with:
username: ${{ secrets.docker_username }}
password: ${{ secrets.docker_password }}

- name: Build container image
uses: docker/build-push-action@v5
with:
context: .
push: true
tags: rancher/hardened-coredns:${{ github.event.release.tag_name }}
file: Dockerfile
platforms: linux/amd64, linux/arm64
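Review bot: the build step at the end of the hunk passes no `build-args:` or `target:`, whereas the Makefile's `image-build` target passes `--build-arg PKG/SRC/TAG/ARCH` and `--target coredns`; unless the Dockerfile defaults match exactly, the released image is built from different inputs than a local `make image-build`, so add the same `build-args:` (with TAG derived from the release tag) and `target: coredns` (the same applies to build.yml). The release job also bypasses the Makefile's check that TAG ends with BUILD_META and tags the image verbatim with `github.event.release.tag_name`, so a mistyped release tag is pushed straight to `rancher/hardened-coredns`. Since this is the only job holding registry credentials, run it in a protected `environment:` with required reviewers and make sure `docker_password` is a push-scoped access token rather than an account password.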
30 changes: 15 additions & 15 deletions Makefile
@@ -17,39 +17,39 @@ SRC ?= github.com/coredns/coredns
TAG ?= v1.11.1$(BUILD_META)
export DOCKER_BUILDKIT?=1

ifneq ($(DRONE_TAG),)
TAG := $(DRONE_TAG)
endif

ifeq (,$(filter %$(BUILD_META),$(TAG)))
$(error TAG needs to end with build metadata: $(BUILD_META))
$(error TAG ${TAG} needs to end with build metadata: $(BUILD_META))
endif

.PHONY: image-build
image-build:
docker build \
--pull \
docker buildx build \
--platform=$(ARCH) \
--build-arg PKG=$(PKG) \
--build-arg SRC=$(SRC) \
--build-arg TAG=$(TAG:$(BUILD_META)=) \
--build-arg ARCH=$(ARCH) \
--target coredns \
--tag $(ORG)/hardened-coredns:$(TAG) \
--tag $(ORG)/hardened-coredns:$(TAG)-$(ARCH) \
--load \
.

.PHONY: image-push
image-push:
docker push $(ORG)/hardened-coredns:$(TAG)-$(ARCH)

.PHONY: image-manifest
image-manifest:
DOCKER_CLI_EXPERIMENTAL=enabled docker manifest create --amend \
$(ORG)/hardened-coredns:$(TAG) \
$(ORG)/hardened-coredns:$(TAG)-$(ARCH)
DOCKER_CLI_EXPERIMENTAL=enabled docker manifest push \
$(ORG)/hardened-coredns:$(TAG)

.PHONY: image-scan
image-scan:
Member:

Should this target also be removed?

trivy image --severity $(SEVERITIES) --no-progress --ignore-unfixed $(ORG)/hardened-coredns:$(TAG)

PHONY: log
log:
@echo "ARCH=$(ARCH)"
@echo "TAG=$(TAG)"
@echo "ORG=$(ORG)"
@echo "PKG=$(PKG)"
@echo "SRC=$(SRC)"
@echo "BUILD_META=$(BUILD_META)"
@echo "K3S_ROOT_VERSION=$(K3S_ROOT_VERSION)"
@echo "UNAME_M=$(UNAME_M)"
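Review bot: `PHONY: log` near the end of the hunk is missing the leading dot, so `log` is an ordinary target; a file named `log` in the checkout makes `make -s log` print nothing, which silently leaves TAG empty in the new workflows' "Set the TAG value" step. Change it to `.PHONY: log`. Also, `--pull` appears next to the removed `docker build` line and not in the new `docker buildx build` command; without it a stale local `rancher/hardened-build-base` image is reused on a developer machine, so keep `--pull` alongside `--load`. Finally, `image-push` and `image-manifest` still push per-arch tags and assemble a manifest by hand while image-push.yml now publishes a multi-arch image in one buildx invocation; if the workflow is the only release path, resolve these targets together with the `image-scan` question above so the two paths do not diverge.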
12 changes: 0 additions & 12 deletions manifest-coredns.tmpl

This file was deleted.

10 changes: 0 additions & 10 deletions updatecli/updatecli.d/updatebuildbase.yaml
@@ -42,16 +42,6 @@ targets:
transformers:
- addprefix: "rancher/hardened-build-base:"

drone:
name: "Bump to latest build base version in Dockerfile"
kind: file
scmid: default
disablesourceinput: true
spec:
file: .drone.yml
matchpattern: '(?m)^ image: rancher/hardened-build-base:(.*)'
replacepattern: ' image: rancher/hardened-build-base:{{ source "buildbase" }}'

scms:
default:
kind: github
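Review bot: dropping the `drone` target is consistent with deleting .drone.yml, but nothing replaces it for the new workflow files: the action versions introduced in .github/workflows (`aquasecurity/trivy-action@0.18.0`, `docker/build-push-action@v5`, `actions/checkout@v4`, and so on) now have no automated bump. Add a Dependabot `github-actions` ecosystem entry or an updatecli target covering those files, which matters even more if the actions get pinned to commit SHAs.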