diff --git a/.github/actions/build-pr-image/README.md b/.github/actions/build-pr-image/README.md
new file mode 100644
index 00000000..04c5fbef
--- /dev/null
+++ b/.github/actions/build-pr-image/README.md
@@ -0,0 +1,47 @@
+## Build PR Image Action
+
+This Action provides automation for a Docker builder for a PR. An image is then pushed to a given registry.
+
+## Parameters
+
+### Inputs
+
+ * `REGISTRY`: The image registry where the action is pulling from. Images can be found in https://hub.docker.com/?namespace=vaporio
+ * `BUILDERIMAGE`: A base image containing the build tool chain
+ * `SLIMIMAGE`: A smaller image for deploys
+ * `DOCKERFILE`: Name of the Dockerfile. Usually just `Dockerfile`
+ * `USERNAME`: Login user for the image registry
+ * `PASSWORD`: Password for image registry
+ * `IMAGENAME`: Name of the image to push into the registry
+
+### Usage
+
+Since this Action is located in a private repo, a step will checkout this repo with a token so then it can be used
+in the next step.
+
+```
+# .github/workflows/deploy.yml
+name: build
+on: ['build']
+
+jobs:
+ image_build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ repository: vapor-ware/workflows
+ token: ${{ secrets.VIO_REPO_READ }}
+ ref: main
+ path: vapor-ware-workflows # Checkouts directory path name for the next step
+
+ - uses: ./vapor-ware-workflows/.github/actions/build-pr-image
+ with:
+ REGISTRY: docker.io
+ BUILDERIMAGE: ubuntu:22.04
+ SLIMIMAGE: ubuntu:22.04
+ DOCKERFILE: Dockerfile
+ USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+ PASSWORD: ${{ secrets.DOCKERHUB_TOKEN }}
+ IMAGENAME: my_image
+```
diff --git a/.github/actions/build-pr-image/action.yml b/.github/actions/build-pr-image/action.yml
new file mode 100644
index 00000000..f4c7d302
--- /dev/null
+++ b/.github/actions/build-pr-image/action.yml
@@ -0,0 +1,99 @@
+name: build pr image
+description: build an image for current pr
+inputs:
+ REGISTRY:
+ required: true
+ default: "docker.io"
+ description: registry to use, defaults to docker.io
+ ORGANIZATION:
+ required: true
+ default: "vaporio"
+ description: organization name used in image
+ USERNAME:
+ required: true
+ PASSWORD:
+ required: true
+ BUILDERIMAGE:
+ required: true
+ SLIMIMAGE:
+ required: false
+ DOCKERFILE:
+ required: true
+ IMAGENAME:
+ required: true
+ IMAGETAG:
+ required: false
+
+outputs:
+ timestamp:
+ value: ${{ steps.generate-timestamp.outputs.current-timestamp }}
+ description: timestamp for use in other actions
+ tag:
+ value: ${{ steps.generate-tag.outputs.tag }}
+ description: image tag for use in other actions, defaults to github.event.number
+ image-archive:
+ value: ${{ steps.image-archive.outputs.image-archive }}
+ description: docker image archive of built image
+ image:
+ value: ${{ steps.generate-image.outputs.image }}
+ description: full base image name
+
+runs:
+ using: composite
+ steps:
+ - name: Log in to docker.io
+ uses: redhat-actions/podman-login@v1.5
+ with:
+ registry: ${{ inputs.REGISTRY }}
+ username: ${{ inputs.USERNAME }}
+ password: ${{ inputs.PASSWORD }}
+
+ - id: generate-image
+ run: echo "image=$(echo ${{ inputs.REGISTRY }}/${{ inputs.ORGANIZATION }}/${{ inputs.IMAGENAME }})" >> $GITHUB_OUTPUT
+ shell: bash
+
+ - id: generate-timestamp
+ run: echo "current-timestamp=$(date +%Y-%m-%dT%H:%M:%S)" >> $GITHUB_OUTPUT
+ shell: bash
+
+ - id: generate-tag
+ run: echo "tag=$(echo pr.${{ inputs.IMAGETAG || github.event.number }})" >> $GITHUB_OUTPUT
+ shell: bash
+
+ - name: Pull builder image
+ run: podman pull ${{ inputs.BUILDERIMAGE }}
+ shell: bash
+
+ - name: Pull slim image
+ run: podman pull ${{ inputs.SLIMIMAGE }}
+ if: ${{ inputs.SLIMIMAGE }}
+ shell: bash
+
+ - name: build image
+ run: |
+ podman build . \
+ -f ${{ inputs.DOCKERFILE }} \
+ --format docker \
+ --label org.opencontainers.image.created=${{ steps.generate-timestamp.outputs.timestamp }} \
+ --label org.opencontainers.image.revision=${{ github.sha }} \
+ --label org.opencontainers.image.version=${{ github.ref_name }} \
+ --label io.vapor.image.build.number=${{ github.run_id }} \
+ --label io.vapor.image.build.ref=https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} \
+ --label io.vapor.image.build.id=${{ github.base_ref }} \
+ --label io.vapor.image.build.branch=${{ github.event.pull_request.head.ref }} \
+ -t ${{ steps.generate-image.outputs.image }}:${{ steps.generate-tag.outputs.tag }}
+ shell: bash
+
+ - name: save image
+ run: |
+ podman save --quiet -o ${{ inputs.IMAGENAME }}.tar ${{ steps.generate-image.outputs.image }}:${{ steps.generate-tag.outputs.tag }}
+ shell: bash
+
+ - id: image-archive
+ run: echo "image-archive=$(echo docker-archive:${{ inputs.IMAGENAME }}.tar)" >> $GITHUB_OUTPUT
+ shell: bash
+
+ - name: push image
+ run: |
+ podman push ${{ steps.generate-image.outputs.image }}:${{ steps.generate-tag.outputs.tag }}
+ shell: bash
diff --git a/.github/actions/scan-image/README.md b/.github/actions/scan-image/README.md
new file mode 100644
index 00000000..e69de29b
diff --git a/.github/actions/scan-image/action.yml b/.github/actions/scan-image/action.yml
new file mode 100644
index 00000000..2167191d
--- /dev/null
+++ b/.github/actions/scan-image/action.yml
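Review bot: The `org.opencontainers.image.created` label in the `build image` step reads `steps.generate-timestamp.outputs.timestamp`, but the `generate-timestamp` step writes its value under the key `current-timestamp` (the action's own `timestamp` output reads `current-timestamp` correctly), so this label is always empty. The same step interpolates `github.event.pull_request.head.ref` and `github.ref_name` straight into the `run:` script; a branch name is chosen by whoever opens the PR and the `${{ }}` expansion happens before bash parses the line, so such values should be passed through `env:` and quoted in the script rather than templated into it. The `-f ${{ inputs.DOCKERFILE }}`, `podman pull` and `podman save` lines interpolate the same way, but those values come from the calling workflow, which is lower risk. On a `workflow_dispatch` run `github.event.number` is empty, so `generate-tag` would emit the tag `pr.` unless `IMAGETAG` is supplied, and the final `push image` step is unconditional — worth a guard in `generate-tag`.
```yaml
      - name: build image
        env:
          # branch-derived values go through the environment, not ${{ }} inside the script
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
          REF_NAME: ${{ github.ref_name }}
          CREATED: ${{ steps.generate-timestamp.outputs.current-timestamp }}
        run: |
          podman build . \
            -f "${{ inputs.DOCKERFILE }}" \
            --format docker \
            --label "org.opencontainers.image.created=${CREATED}" \
            --label "org.opencontainers.image.version=${REF_NAME}" \
            --label "io.vapor.image.build.branch=${HEAD_REF}" \
            -t ${{ steps.generate-image.outputs.image }}:${{ steps.generate-tag.outputs.tag }}
          # … unchanged: the revision, build.number, build.ref and build.id labels stay as in the hunk …
        shell: bash
```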
@@ -0,0 +1,37 @@
+name: scan image
+description: scan a container image for vulnerabilities
+inputs:
+ image:
+ required: true
+ description: container image to scan
+
+outputs:
+ sarif:
+ value: ${{ steps.output-sarif.outputs.sarif }}
+ description: results of the container scan in SARIF format
+
+runs:
+ using: composite
+ steps:
+ - name: scan container image
+ uses: anchore/scan-action@v3
+ id: scan
+ with:
+ image: ${{ inputs.image }}
+ acs-report-enable: true
+ fail-build: false
+ severity-cutoff: high
+
+ - id: output-sarif
+ run: echo "sarif=${{ steps.scan.outputs.sarif }}" >> $GITHUB_OUTPUT
+ shell: bash
+
+ - name: inspect action SARIF report
+ run: cat ${{ steps.scan.outputs.sarif }}
+ shell: bash
+
+ # TODO: submit sarif report to an API endpoint
+ # PAT auth to an API that stores sarif reports.
+ - name: submit SARIF report
+ run: echo "submitting SARIF report"
+ shell: bash
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
new file mode 100644
index 00000000..ff5e981d
--- /dev/null
+++ b/.github/workflows/build.yaml
@@ -0,0 +1,30 @@
+name: build
+on:
+ pull_request:
+ branches:
+ - develop
+ workflow_dispatch:
+
+jobs:
+ image_build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+
+ - uses: ./.github/actions/build-pr-image
+ id: build-env
+ with:
+ REGISTRY: docker.io
+ BUILDERIMAGE: docker.io/library/python:3.9
+ SLIMIMAGE: docker.io/library/python:3.9-slim
+ DOCKERFILE: Dockerfile
+ USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+ PASSWORD: ${{ secrets.DOCKERHUB_TOKEN }}
+ IMAGENAME: synse-server
+
+ - uses: ./.github/actions/scan-image
+ id: scan-image
+ with:
+ image: ${{ steps.build-env.outputs.image-archive }}
+ fail-build: false
+ severity-cutoff: high
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
new file mode 100644
index 00000000..75917b00
--- /dev/null
+++ b/.github/workflows/release.yaml
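Review bot: `fail-build: false` and `severity-cutoff: high` are hard-coded in the `scan container image` step and `image` is the only declared input, yet `.github/workflows/build.yaml` passes `fail-build` and `severity-cutoff` to this action — undeclared `with:` keys are reported as unexpected inputs and dropped, so the scan can never fail a build no matter what the caller asks for. The `submit SARIF report` step is still a stub (`echo "submitting SARIF report"`), so the findings exist only in the job log (`cat` of the SARIF file) and in the `sarif` output. Declaring both settings as inputs with today's values as defaults and forwarding them to `anchore/scan-action` keeps current behaviour while making the caller's settings effective; replacing the stub with a real upload (e.g. `github/codeql-action/upload-sarif`) would give the results a home.
```yaml
inputs:
  image:
    required: true
    description: container image to scan
  fail-build:
    required: false
    default: "false"
    description: fail the scan step when a finding at or above severity-cutoff is present
  severity-cutoff:
    required: false
    default: high
    description: minimum severity treated as an error in the report
# … unchanged: outputs …
runs:
  using: composite
  steps:
    - name: scan container image
      uses: anchore/scan-action@v3
      id: scan
      with:
        image: ${{ inputs.image }}
        acs-report-enable: true
        fail-build: ${{ inputs.fail-build }}
        severity-cutoff: ${{ inputs.severity-cutoff }}
# … unchanged: output-sarif, inspect and submit steps …
```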
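Review bot: The image is pushed to `docker.io` before it is scanned — `podman push` is the last step of `./.github/actions/build-pr-image`, and `./.github/actions/scan-image` only runs afterwards on the saved archive with `fail-build: false` — so a PR image reaches the `vaporio` namespace whatever the scan finds. If the scan is meant to gate publication, the push needs to leave the build action (or sit behind an input this workflow only sets after the scan step) so the order becomes build, save, scan, push. `pull_request` runs from forked repositories do not receive repository secrets, so `DOCKERHUB_USERNAME`/`DOCKERHUB_TOKEN` would be empty there and the login step fails rather than skips; if fork PRs are expected, a job-level guard such as `if: github.event.pull_request.head.repo.full_name == github.repository` avoids that. The `develop` branch filter only applies to `pull_request`; a `workflow_dispatch` run from any branch still builds and pushes.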
@@ -0,0 +1,24 @@
+name: release
+on:
+ workflow_run:
+ workflows: [build]
+ types:
+ - completed
+ push:
+ tags:
+ - 'v*'
+
+jobs:
+ release:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+ -
+ name: Update Helm Chart
+ uses: vapor-ware/chart-releaser-action@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.VIO_PUBLIC_REPO }}
+ with:
+ args: update --diff --debug
diff --git a/.jenkins b/.jenkins
deleted file mode 100644
index 159aa27f..00000000
--- a/.jenkins
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/usr/bin/env groovy
-
-// Include this shared CI repository to load script helpers and libraries.
-library identifier: 'vapor@1.21.19', retriever: modernSCM([
- $class: 'GitSCMSource',
- remote: 'https://github.com/vapor-ware/ci-shared.git',
- credentialsId: 'vio-bot-gh',
-])
-
-pythonPipeline([
- 'image': 'docker.io/vaporio/synse-server',
- 'pythonVersion': '3.9',
- 'mainBranch': 'develop',
- 'skipIntegrationTest': true,
- 'skipClair': true,
- 'releaseToPypi': false,
- 'publishToGitHub': true,
-])
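Review bot: The `workflow_run` trigger fires whenever the `build` workflow completes, for any conclusion and for whichever branch that run was for, and the `release` job carries no `if:` guard, so `vapor-ware/chart-releaser-action` runs with `secrets.VIO_PUBLIC_REPO` after every PR build — including failed ones and, if forks are permitted, builds of fork PRs, since a `workflow_run` job executes on the default branch with secrets regardless of who triggered the upstream run. Add a job-level `if: ${{ github.event.workflow_run.conclusion == 'success' }}` and, if only builds of a particular branch should release, also check `github.event.workflow_run.head_branch`; or drop the `workflow_run` trigger if the `v*` tag push alone is meant to release. The third-party actions in this and the other new files are referenced by mutable tags (`@v1`, `@v3`, `@v1.5`); this one receives a PAT via `GITHUB_TOKEN`, so pinning it to a full commit SHA is worth the maintenance. The lone `-` line before `name: Update Helm Chart` is valid YAML but inconsistent with the `- uses:` item above it.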