Migrate to Github Actions

.github/workflows/build.yml

@@ -0,0 +1,71 @@
+on:
+  push:
+    branches:
+    - master
+  pull_request:
+
+
+permissions:
+  contents: read
+  security-events: write # upload Sarif results
+
+name: Build
+jobs:
+  build-amd64:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Set the TAG value
+      id: get-TAG
+      run: |
+        echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV"
+    - name: Build container image
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        push: false
+        tags: rancher/hardened-multus-cni:${{ env.TAG }}-amd64
+        file: Dockerfile
+
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/trivy-action@0.18.0
+      with:
+        image-ref: rancher/hardened-multus-cni:${{ env.TAG }}-amd64
+        ignore-unfixed: true
+        vuln-type: 'os,library'
+        severity: 'CRITICAL,HIGH'
+        format: 'sarif'
+        output: 'trivy-results.sarif'
+    - name: Upload Trivy scan results to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@v3
+      if: always()
+      with:
+        sarif_file: 'trivy-results.sarif'
+
+  build-arm64:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v4
+
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v3
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Set the TAG value
+      id: get-TAG
+      run: |
+        echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV"
+    - name: Build container image
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        push: false
+        tags: rancher/hardened-multus-cni:${{ env.TAG }}-arm64
+        file: Dockerfile
+        outputs: type=docker
+        platforms: linux/arm64

.github/workflows/image-push.yml

@@ -0,0 +1,44 @@
+on:
+  release:
+    types: [published]
+
+permissions:
+  contents: read  
+
+jobs:
+  push-multiarch:
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v4
+
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v3
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: "Read secrets"
+      uses: rancher-eio/read-vault-secrets@main
+      with:
+        secrets: |
+          secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
+          secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD
+
+    - name: Login to Container Registry
+      uses: docker/login-action@v3
+      with:
+        username: ${{ env.DOCKER_USERNAME }}
+        password: ${{ env.DOCKER_PASSWORD }}
+
+    - name: Build container image
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        push: true
+        tags: rancher/hardened-multus-cni:${{ github.event.release.tag_name }}
+        file: Dockerfile
+        platforms: linux/amd64, linux/arm64

Dockerfile

@@ -21,7 +21,7 @@ RUN git clone --depth=1 https://github.com/k8snetworkplumbingwg/multus-cni && \
     ./hack/build-go.sh
 
 # Create the multus image
-FROM scratch
+FROM scratch as multus-cni
 COPY --from=builder  /go/multus-cni/bin/multus /usr/src/multus-cni/bin/multus
 COPY --from=builder  /go/multus-cni/LICENSE /usr/src/multus-cni/LICENSE
 COPY --from=builder  /go/multus-cni/bin/thin_entrypoint /

Makefile

@@ -14,36 +14,39 @@ BUILD_META=-build$(shell date +%Y%m%d)
 ORG ?= rancher
 TAG ?= v4.0.2$(BUILD_META)
 
-ifneq ($(DRONE_TAG),)
-	TAG := $(DRONE_TAG)
-endif
-
 ifeq (,$(filter %$(BUILD_META),$(TAG)))
-	$(error TAG needs to end with build metadata: $(BUILD_META))
+	$(error TAG $(TAG) needs to end with build metadata: $(BUILD_META))
 endif
 
 .PHONY: image-build
 image-build:
-	docker build \
-		--pull \
-		--build-arg ARCH=$(ARCH) \
+	docker buildx build \
+		--platform=$(ARCH) \
+		--build-arg PKG=$(PKG) \
+		--build-arg SRC=$(SRC) \
 		--build-arg TAG=$(TAG:$(BUILD_META)=) \
+		--build-arg ARCH=$(ARCH) \
+		--target multus-cni \
 		--tag $(ORG)/hardened-multus-cni:$(TAG) \
 		--tag $(ORG)/hardened-multus-cni:$(TAG)-$(ARCH) \
+		--load \
 	.
 
 .PHONY: image-push
 image-push:
 	docker push $(ORG)/hardened-multus-cni:$(TAG)-$(ARCH)
 
-.PHONY: image-manifest
-image-manifest:
-	DOCKER_CLI_EXPERIMENTAL=enabled docker manifest create --amend \
-		$(ORG)/hardened-multus-cni:$(TAG) \
-		$(ORG)/hardened-multus-cni:$(TAG)-$(ARCH)
-	DOCKER_CLI_EXPERIMENTAL=enabled docker manifest push \
-		$(ORG)/hardened-multus-cni:$(TAG)
-
 .PHONY: image-scan
 image-scan:
 	trivy image --severity $(SEVERITIES) --no-progress --ignore-unfixed $(ORG)/hardened-multus-cni:$(TAG)
+
+PHONY: log
+log:
+	@echo "ARCH=$(ARCH)"
+	@echo "TAG=$(TAG)"
+	@echo "ORG=$(ORG)"
+	@echo "PKG=$(PKG)"
+	@echo "SRC=$(SRC)"
+	@echo "BUILD_META=$(BUILD_META)"
+	@echo "K3S_ROOT_VERSION=$(K3S_ROOT_VERSION)"
+	@echo "UNAME_M=$(UNAME_M)"

updatecli/updatecli.d/updatebuildbase.yaml

@@ -42,16 +42,6 @@ targets:
     transformers:
       - addprefix: "rancher/hardened-build-base:"
 
-  drone:
-    name: "Bump to latest build base version in Dockerfile"
-    kind: file
-    scmid: default
-    disablesourceinput: true
-    spec:
-      file: .drone.yml
-      matchpattern: '(?m)^  image: rancher/hardened-build-base:(.*)'
-      replacepattern: '  image: rancher/hardened-build-base:{{ source "buildbase" }}'
-
 scms:
   default:
     kind: github