forked from vmware-archive/eventrouter
-
Notifications
You must be signed in to change notification settings - Fork 7
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1 from kube-logging/ci
chore(ci): multi-platform docker build, ci build and go dep up
- Loading branch information
Showing
6 changed files
with
717 additions
and
184 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,138 @@ | ||
name: Artifacts | ||
|
||
on: | ||
workflow_call: | ||
inputs: | ||
publish: | ||
description: Publish artifacts to the artifact store | ||
default: false | ||
required: false | ||
type: boolean | ||
release: | ||
description: Whether this is a release build | ||
default: false | ||
required: false | ||
type: boolean | ||
outputs: | ||
container-image-name: | ||
description: Container image name | ||
value: ${{ jobs.container-image.outputs.name }} | ||
container-image-digest: | ||
description: Container image digest | ||
value: ${{ jobs.container-image.outputs.digest }} | ||
container-image-tag: | ||
description: Container image tag | ||
value: ${{ jobs.container-image.outputs.tag }} | ||
container-image-ref: | ||
description: Container image ref | ||
value: ${{ jobs.container-image.outputs.ref }} | ||
|
||
permissions: | ||
contents: read | ||
|
||
jobs: | ||
container-image: | ||
name: Container image | ||
runs-on: ubuntu-latest | ||
|
||
permissions: | ||
contents: read | ||
packages: write | ||
id-token: write | ||
security-events: write | ||
|
||
outputs: | ||
name: ${{ steps.image-name.outputs.value }} | ||
digest: ${{ steps.build.outputs.digest }} | ||
tag: ${{ steps.meta.outputs.version }} | ||
ref: ${{ steps.image-ref.outputs.value }} | ||
|
||
steps: | ||
- name: Checkout repository | ||
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | ||
|
||
- name: Set up QEMU | ||
uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0 | ||
|
||
- name: Set up Docker Buildx | ||
uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2.9.1 | ||
|
||
- name: Set image name | ||
id: image-name | ||
run: echo "value=ghcr.io/${{ github.repository }}" >> "$GITHUB_OUTPUT" | ||
|
||
- name: Gather build metadata | ||
id: meta | ||
uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0 | ||
with: | ||
images: ${{ steps.image-name.outputs.value }} | ||
flavor: | | ||
latest = false | ||
tags: | | ||
type=ref,event=branch | ||
type=ref,event=pr,prefix=pr- | ||
type=semver,pattern={{raw}} | ||
type=raw,value=latest,enable={{is_default_branch}} | ||
# Multiple exporters are not supported yet | ||
# See https://github.com/moby/buildkit/pull/2760 | ||
- name: Determine build output | ||
uses: haya14busa/action-cond@1d6e8a12b20cdb4f1954feef9aa475b9c390cab5 # v1.1.1 | ||
id: build-output | ||
with: | ||
cond: ${{ inputs.publish }} | ||
if_true: type=image,push=true | ||
if_false: type=oci,dest=image.tar | ||
|
||
- name: Login to GitHub Container Registry | ||
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 | ||
with: | ||
registry: ghcr.io | ||
username: ${{ github.actor }} | ||
password: ${{ github.token }} | ||
if: inputs.publish | ||
|
||
- name: Build and push image | ||
id: build | ||
uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1 | ||
with: | ||
context: . | ||
platforms: linux/amd64,linux/arm64,linux/arm/v7 | ||
tags: ${{ steps.meta.outputs.tags }} | ||
labels: ${{ steps.meta.outputs.labels }} | ||
cache-from: type=gha | ||
cache-to: type=gha,mode=max | ||
outputs: ${{ steps.build-output.outputs.value }} | ||
# push: ${{ inputs.publish }} | ||
|
||
- name: Set image ref | ||
id: image-ref | ||
run: echo "value=${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT" | ||
|
||
- name: Fetch image | ||
run: skopeo --insecure-policy copy docker://${{ steps.image-name.outputs.value }}:${{ steps.meta.outputs.version }} oci-archive:image.tar | ||
if: inputs.publish | ||
|
||
- name: Extract OCI tarball | ||
run: | | ||
mkdir -p image | ||
tar -xf image.tar -C image | ||
- name: Run Trivy vulnerability scanner | ||
uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54 # 0.11.2 | ||
with: | ||
input: image | ||
format: sarif | ||
output: trivy-results.sarif | ||
|
||
- name: Upload Trivy scan results as artifact | ||
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | ||
with: | ||
name: "[${{ github.job }}] Trivy scan results" | ||
path: trivy-results.sarif | ||
retention-days: 5 | ||
|
||
- name: Upload Trivy scan results to GitHub Security tab | ||
uses: github/codeql-action/upload-sarif@1813ca74c3faaa3a2da2070b9b8a0b3e7373a0d8 # v2.21.0 | ||
with: | ||
sarif_file: trivy-results.sarif |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
name: CI | ||
|
||
on: | ||
push: | ||
branches: | ||
- master | ||
- "release-[0-9]+.[0-9]+*" | ||
pull_request: | ||
|
||
jobs: | ||
build: | ||
name: Test | ||
runs-on: ubuntu-latest | ||
|
||
steps: | ||
- name: Checkout code | ||
uses: actions/checkout@v3 | ||
|
||
- name: Set up Go | ||
uses: actions/setup-go@v4 | ||
with: | ||
go-version: '1.20' | ||
|
||
- name: Test | ||
run: make | ||
|
||
artifacts: | ||
name: Artifacts | ||
uses: ./.github/workflows/artifacts.yaml | ||
with: | ||
publish: ${{ github.event_name == 'push' }} | ||
permissions: | ||
contents: read | ||
packages: write | ||
id-token: write | ||
security-events: write |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -12,12 +12,31 @@ | |
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
FROM alpine:3.9 | ||
MAINTAINER Timothy St. Clair "[email protected]" | ||
FROM --platform=$BUILDPLATFORM golang:1.20-alpine3.18@sha256:7839c9f01b5502d7cb5198b2c032857023424470b3e31ae46a8261ffca72912a AS builder | ||
|
||
RUN apk add --update --no-cache ca-certificates make git curl | ||
|
||
ARG TARGETOS | ||
ARG TARGETARCH | ||
ARG TARGETPLATFORM | ||
|
||
WORKDIR /app | ||
RUN apk update --no-cache && apk add ca-certificates | ||
ADD eventrouter /app/ | ||
USER nobody:nobody | ||
|
||
CMD ["/bin/sh", "-c", "/app/eventrouter -v 3 -logtostderr"] | ||
ARG GOPROXY | ||
|
||
COPY go.mod go.mod | ||
COPY go.sum go.sum | ||
|
||
RUN go mod download | ||
|
||
COPY *.go /app/ | ||
COPY sinks/ /app/sinks/ | ||
COPY Makefile /app/Makefile | ||
|
||
RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH make build | ||
|
||
FROM gcr.io/distroless/static:latest@sha256:7198a357ff3a8ef750b041324873960cf2153c11cc50abb9d8d5f8bb089f6b4e | ||
|
||
COPY --from=builder /app/eventrouter /app/eventrouter | ||
|
||
CMD ["/app/eventrouter", "-v=3", "-logtostderr"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.