From fd7511c44fb6abcb0c141d20185010824d59ea53 Mon Sep 17 00:00:00 2001 From: Adam Israel Date: Thu, 13 Jul 2023 14:34:31 -0400 Subject: [PATCH 01/12] chore: [VIO-3010] Transition from jenkins to Github Actions This commit removes the `.jenkins` file, disabling builds through Jenkins, in favor of Github Actions.
--- .github/workflows/build.yaml | 38 ++++++++++++++++++++++++++++++++++++ .jenkins | 18 ----------------- 2 files changed, 38 insertions(+), 18 deletions(-) create mode 100644 .github/workflows/build.yaml delete mode 100644 .jenkins
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
new file mode 100644
index 00000000..0db51884
--- /dev/null
+++ b/.github/workflows/build.yaml
@@ -0,0 +1,38 @@
+name: build
+on:
+ pull_request:
+ branches:
+ - develop
+ workflow_dispatch:
+
+jobs:
+ image_build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Checkout vapor-ware workflows
+ uses: actions/checkout@v3
+ with:
+ repository: vapor-ware/workflows
+ token: ${{ secrets.GITHUB_TOKEN }}
+ ref: main
+ path: vapor-ware-workflows
+
+ - uses: ./vapor-ware-workflows/.github/actions/build-pr-image
+ id: build-env
+ with:
+ REGISTRY: docker.io
+ BUILDERIMAGE: docker.io/library/python:3.9
+ SLIMIMAGE: docker.io/library/python:3.9-slim
+ DOCKERFILE: Dockerfile
+ USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+ PASSWORD: ${{ secrets.DOCKERHUB_TOKEN }}
+ IMAGENAME: synse-server
+
+ - uses: ./vapor-ware-workflows/.github/actions/scan-image
+ id: scan-image
+ with:
+ image: ${{ steps.build-env.outputs.image-archive }}
+ fail-build: false
+ severity-cutoff: high
diff --git a/.jenkins b/.jenkins
deleted file mode 100644
index 159aa27f..00000000
--- a/.jenkins
+++ /dev/null
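Review bot: build.yaml sets no `permissions:` block, so the job's GITHUB_TOKEN carries the repository's default permissions even though the steps only need to read the checkout; add `permissions:` / `  contents: read` at the top level (the later build.yaml and release.yaml hunks in this series have the same gap). The `token: ${{ secrets.GITHUB_TOKEN }}` given to the second checkout is scoped to the current repository, so it cannot read `vapor-ware/workflows` if that repository is private, which is presumably what the later checkout changes in this series are working around. Note also that `pull_request` runs push a `pr.<number>` image with `DOCKERHUB_TOKEN`; pull requests from forks do not receive repository secrets, so for those the login step fails rather than pushes, while every update of a same-repository branch pushes an image.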
@@ -1,18 +0,0 @@
-#!/usr/bin/env groovy
-
-// Include this shared CI repository to load script helpers and libraries.
-library identifier: 'vapor@1.21.19', retriever: modernSCM([
- $class: 'GitSCMSource',
- remote: 'https://github.com/vapor-ware/ci-shared.git',
- credentialsId: 'vio-bot-gh',
-])
-
-pythonPipeline([
- 'image': 'docker.io/vaporio/synse-server',
- 'pythonVersion': '3.9',
- 'mainBranch': 'develop',
- 'skipIntegrationTest': true,
- 'skipClair': true,
- 'releaseToPypi': false,
- 'publishToGitHub': true,
-])
From dcfb99fa4241d9a2e47e88ca7646eb79f6e89251 Mon Sep 17 00:00:00 2001 From: Adam Israel Date: Thu, 13 Jul 2023 15:29:00 -0400 Subject: [PATCH 02/12] fix: [VIO-3010] Add and use build action
--- .github/actions/build-pr-image/README.md | 47 +++++++++++ .github/actions/build-pr-image/action.yml | 99 +++++++++++++++++++++++ .github/workflows/build.yaml | 28 +++---- 3 files changed, 160 insertions(+), 14 deletions(-) create mode 100644 .github/actions/build-pr-image/README.md create mode 100644 .github/actions/build-pr-image/action.yml
diff --git a/.github/actions/build-pr-image/README.md b/.github/actions/build-pr-image/README.md
new file mode 100644
index 00000000..04c5fbef
--- /dev/null
+++ b/.github/actions/build-pr-image/README.md
@@ -0,0 +1,47 @@
+## Build PR Image Action
+
+This Action provides automation for a Docker builder for a PR. An image is then pushed to a given registry.
+
+## Parameters
+
+### Inputs
+
+ * `REGISTRY`: The image registry where the action is pulling from. Images can be found in https://hub.docker.com/?namespace=vaporio
+ * `BUILDERIMAGE`: A base image containing the build tool chain
+ * `SLIMIMAGE`: A smaller image for deploys
+ * `DOCKERFILE`: Name of the Dockerfile. Usually just `Dockerfile`
+ * `USERNAME`: Login user for the image registry
+ * `PASSWORD`: Password for image registry
+ * `IMAGENAME`: Name of the image to push into the registry
+
+### Usage
+
+Since this Action is located in a private repo, a step will checkout this repo with a token so then it can be used
+in the next step.
+
+```
+# .github/workflows/deploy.yml
+name: build
+on: ['build']
+
+jobs:
+ image_build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ repository: vapor-ware/workflows
+ token: ${{ secrets.VIO_REPO_READ }}
+ ref: main
+ path: vapor-ware-workflows # Checkouts directory path name for the next step
+
+ - uses: ./vapor-ware-workflows/.github/actions/build-pr-image
+ with:
+ REGISTRY: docker.io
+ BUILDERIMAGE: ubuntu:22.04
+ SLIMIMAGE: ubuntu:22.04
+ DOCKERFILE: Dockerfile
+ USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+ PASSWORD: ${{ secrets.DOCKERHUB_TOKEN }}
+ IMAGENAME: my_image
+```
diff --git a/.github/actions/build-pr-image/action.yml b/.github/actions/build-pr-image/action.yml
new file mode 100644
index 00000000..f4c7d302
--- /dev/null
+++ b/.github/actions/build-pr-image/action.yml
@@ -0,0 +1,99 @@
+name: build pr image
+description: build an image for current pr
+inputs:
+ REGISTRY:
+ required: true
+ default: "docker.io"
+ description: registry to use, defaults to docker.io
+ ORGANIZATION:
+ required: true
+ default: "vaporio"
+ description: organization name used in image
+ USERNAME:
+ required: true
+ PASSWORD:
+ required: true
+ BUILDERIMAGE:
+ required: true
+ SLIMIMAGE:
+ required: false
+ DOCKERFILE:
+ required: true
+ IMAGENAME:
+ required: true
+ IMAGETAG:
+ required: false
+
+outputs:
+ timestamp:
+ value: ${{ steps.generate-timestamp.outputs.current-timestamp }}
+ description: timestamp for use in other actions
+ tag:
+ value: ${{ steps.generate-tag.outputs.tag }}
+ description: image tag for use in other actions, defaults to github.event.number
+ image-archive:
+ value: ${{ steps.image-archive.outputs.image-archive }}
+ description: docker image archive of built image
+ image:
+ value: ${{ steps.generate-image.outputs.image }}
+ description: full base image name
+
+runs:
+ using: composite
+ steps:
+ - name: Log in to docker.io
+ uses: redhat-actions/podman-login@v1.5
+ with:
+ registry: ${{ inputs.REGISTRY }}
+ username: ${{ inputs.USERNAME }}
+ password: ${{ inputs.PASSWORD }}
+
+ - id: generate-image
+ run: echo "image=$(echo ${{ inputs.REGISTRY }}/${{ inputs.ORGANIZATION }}/${{ inputs.IMAGENAME }})" >> $GITHUB_OUTPUT
+ shell: bash
+
+ - id: generate-timestamp
+ run: echo "current-timestamp=$(date +%Y-%m-%dT%H:%M:%S)" >> $GITHUB_OUTPUT
+ shell: bash
+
+ - id: generate-tag
+ run: echo "tag=$(echo pr.${{ inputs.IMAGETAG || github.event.number }})" >> $GITHUB_OUTPUT
+ shell: bash
+
+ - name: Pull builder image
+ run: podman pull ${{ inputs.BUILDERIMAGE }}
+ shell: bash
+
+ - name: Pull slim image
+ run: podman pull ${{ inputs.SLIMIMAGE }}
+ if: ${{ inputs.SLIMIMAGE }}
+ shell: bash
+
+ - name: build image
+ run: |
+ podman build . \
+ -f ${{ inputs.DOCKERFILE }} \
+ --format docker \
+ --label org.opencontainers.image.created=${{ steps.generate-timestamp.outputs.timestamp }} \
+ --label org.opencontainers.image.revision=${{ github.sha }} \
+ --label org.opencontainers.image.version=${{ github.ref_name }} \
+ --label io.vapor.image.build.number=${{ github.run_id }} \
+ --label io.vapor.image.build.ref=https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} \
+ --label io.vapor.image.build.id=${{ github.base_ref }} \
+ --label io.vapor.image.build.branch=${{ github.event.pull_request.head.ref }} \
+ -t ${{ steps.generate-image.outputs.image }}:${{ steps.generate-tag.outputs.tag }}
+ shell: bash
+
+ - name: save image
+ run: |
+ podman save --quiet -o ${{ inputs.IMAGENAME }}.tar ${{ steps.generate-image.outputs.image }}:${{ steps.generate-tag.outputs.tag }}
+ shell: bash
+
+ - id: image-archive
+ run: echo "image-archive=$(echo docker-archive:${{ inputs.IMAGENAME }}.tar)" >> $GITHUB_OUTPUT
+ shell: bash
+
+ - name: push image
+ run: |
+ podman push ${{ steps.generate-image.outputs.image }}:${{ steps.generate-tag.outputs.tag }}
+ shell: bash
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 0db51884..f499493d 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -11,15 +11,15 @@ jobs: steps: - uses: actions/checkout@v3 - - name: Checkout vapor-ware workflows - uses: actions/checkout@v3 - with: - repository: vapor-ware/workflows - token: ${{ secrets.GITHUB_TOKEN }} - ref: main - path: vapor-ware-workflows + # - name: Checkout vapor-ware workflows + # uses: actions/checkout@v3 + # with: + # repository: vapor-ware/workflows + # token: ${{ secrets.GITHUB_TOKEN }} + # ref: main + # path: vapor-ware-workflows - - uses: ./vapor-ware-workflows/.github/actions/build-pr-image + - uses: ./.github/actions/build-pr-image id: build-env with: REGISTRY: docker.io
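Review bot: In the build image step of build-pr-image/action.yml, the `org.opencontainers.image.created` label reads `steps.generate-timestamp.outputs.timestamp`, but the generate-timestamp step writes `current-timestamp` (the action's own `timestamp` output uses the right name), so the label is always empty; the fix is `--label org.opencontainers.image.created=${{ steps.generate-timestamp.outputs.current-timestamp }} \`. In the same `run:` script, `${{ github.event.pull_request.head.ref }}` is substituted into the shell text before bash runs it, and the head branch name is chosen by whoever opens the pull request; pass it in as a step variable with `env:` / `  HEAD_REF: ${{ github.event.pull_request.head.ref }}` and label with `--label io.vapor.image.build.branch="$HEAD_REF" \` instead of expanding it inline. The `date +%Y-%m-%dT%H:%M:%S` call also emits no zone designator while the OCI `created` label expects an RFC 3339 timestamp; `date -u +%Y-%m-%dT%H:%M:%SZ` produces one. Lastly, the push image step runs inside this action, so the image reaches the registry before the workflow's scan step starts, whatever that scan finds.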
@@ -30,9 +30,9 @@ jobs: PASSWORD: ${{ secrets.DOCKERHUB_TOKEN }} IMAGENAME: synse-server - - uses: ./vapor-ware-workflows/.github/actions/scan-image - id: scan-image - with: - image: ${{ steps.build-env.outputs.image-archive }} - fail-build: false - severity-cutoff: high + # - uses: ./vapor-ware-workflows/.github/actions/scan-image + # id: scan-image + # with: + # image: ${{ steps.build-env.outputs.image-archive }} + # fail-build: false + # severity-cutoff: high From d046ecdc352b1bdf9e31abe600539ab86393b8fd Mon Sep 17 00:00:00 2001 From: Adam Israel Date: Thu, 13 Jul 2023 15:46:34 -0400 Subject: [PATCH 03/12] [vio-3010] Enable image scan --- .github/actions/scan-image/README.md | 0 .github/actions/scan-image/action.yml | 37 +++++++++++++++++++++++++++ .github/workflows/build.yaml | 30 +++++++++++----------- 3 files changed, 52 insertions(+), 15 deletions(-) create mode 100644 .github/actions/scan-image/README.md create mode 100644 .github/actions/scan-image/action.yml diff --git a/.github/actions/scan-image/README.md b/.github/actions/scan-image/README.md new file mode 100644 index 00000000..e69de29b diff --git a/.github/actions/scan-image/action.yml b/.github/actions/scan-image/action.yml new file mode 100644 index 00000000..2167191d --- /dev/null +++ b/.github/actions/scan-image/action.yml 
@@ -0,0 +1,37 @@
+name: scan image
+description: scan a container image for vulnerabilities
+inputs:
+ image:
+ required: true
+ description: container image to scan
+
+outputs:
+ sarif:
+ value: ${{ steps.output-sarif.outputs.sarif }}
+ description: results of the container scan in SARIF format
+
+runs:
+ using: composite
+ steps:
+ - name: scan container image
+ uses: anchore/scan-action@v3
+ id: scan
+ with:
+ image: ${{ inputs.image }}
+ acs-report-enable: true
+ fail-build: false
+ severity-cutoff: high
+
+ - id: output-sarif
+ run: echo "sarif=${{ steps.scan.outputs.sarif }}" >> $GITHUB_OUTPUT
+ shell: bash
+
+ - name: inspect action SARIF report
+ run: cat ${{ steps.scan.outputs.sarif }}
+ shell: bash
+
+ # TODO: submit sarif report to an API endpoint
+ # PAT auth to an API that stores sarif reports.
+ - name: submit SARIF report
+ run: echo "submitting SARIF report"
+ shell: bash
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index f499493d..c6c3fea7 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -9,15 +9,15 @@ jobs: image_build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + # - uses: actions/checkout@v3 - # - name: Checkout vapor-ware workflows - # uses: actions/checkout@v3 - # with: - # repository: vapor-ware/workflows - # token: ${{ secrets.GITHUB_TOKEN }} - # ref: main - # path: vapor-ware-workflows + # - name: Checkout vapor-ware workflows + # uses: actions/checkout@v3 + # with: + # repository: vapor-ware/workflows + # token: ${{ secrets.GITHUB_TOKEN }} + # ref: main + # path: vapor-ware-workflows - uses: ./.github/actions/build-pr-image id: build-env
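Review bot: The scan step in scan-image/action.yml hard-codes `fail-build: false` and `severity-cutoff: high`, and the action's `inputs:` declare only `image`, so the `fail-build` and `severity-cutoff` values that build.yaml passes to this action in the following `@@ -28,11 +28,11 @@` hunk are not inputs it knows about and cannot change what the scanner does. With the 'submit SARIF report' step still a placeholder echo, a finding at or above the cutoff is only printed by the inspect step, and the image has already been pushed by the build action that runs before this one. Declaring both as inputs with the current values as defaults and forwarding them lets the calling workflow decide whether the scan blocks; until the report endpoint exists, `github/codeql-action/upload-sarif` would keep the SARIF somewhere reviewable.
```yaml
inputs:
  image:
    required: true
    description: container image to scan
  fail-build:
    required: false
    default: "false"
    description: passed through to anchore/scan-action as fail-build
  severity-cutoff:
    required: false
    default: high
    description: passed through to anchore/scan-action as severity-cutoff
# … unchanged: outputs, runs/using, scan step header …
      with:
        image: ${{ inputs.image }}
        acs-report-enable: true
        fail-build: ${{ inputs.fail-build }}
        severity-cutoff: ${{ inputs.severity-cutoff }}
```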
@@ -28,11 +28,11 @@ jobs: DOCKERFILE: Dockerfile USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} PASSWORD: ${{ secrets.DOCKERHUB_TOKEN }} - IMAGENAME: synse-server + IMAGENAME: edge-events - # - uses: ./vapor-ware-workflows/.github/actions/scan-image - # id: scan-image - # with: - # image: ${{ steps.build-env.outputs.image-archive }} - # fail-build: false - # severity-cutoff: high + - uses: ./.github/actions/scan-image + id: scan-image + with: + image: ${{ steps.build-env.outputs.image-archive }} + fail-build: false + severity-cutoff: high From c2309302972df9e459e2822519f9274b219af3f8 Mon Sep 17 00:00:00 2001 From: Adam Israel Date: Thu, 13 Jul 2023 15:54:39 -0400 Subject: [PATCH 04/12] fix: [VIO-3010] Fix image name --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index c6c3fea7..bcc241b6 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -28,7 +28,7 @@ jobs: DOCKERFILE: Dockerfile USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} PASSWORD: ${{ secrets.DOCKERHUB_TOKEN }} - IMAGENAME: edge-events + IMAGENAME: synse-server - uses: ./.github/actions/scan-image id: scan-image From 76168e0ee7aa4fbe49a92b96948456bbdbe6332f Mon Sep 17 00:00:00 2001 From: Adam Israel Date: Thu, 13 Jul 2023 15:58:10 -0400 Subject: [PATCH 05/12] fix: [VIO-3010] Re-add checkout action --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index bcc241b6..943fc81a 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -9,7 +9,7 @@ jobs: image_build: runs-on: ubuntu-latest steps: - # - uses: actions/checkout@v3 + - uses: actions/checkout@v3 # - name: Checkout vapor-ware workflows # uses: actions/checkout@v3 From 6cb1dd03b6917afa1eb5adc3dd64cfd4115d881e Mon Sep 17 00:00:00 2001 
From: Adam Israel Date: Thu, 13 Jul 2023 16:32:36 -0400 Subject: [PATCH 06/12] chore: [VIO-3010] Remove commented-out code --- .github/workflows/build.yaml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 943fc81a..ff5e981d 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -11,14 +11,6 @@ jobs: steps: - uses: actions/checkout@v3 - # - name: Checkout vapor-ware workflows - # uses: actions/checkout@v3 - # with: - # repository: vapor-ware/workflows - # token: ${{ secrets.GITHUB_TOKEN }} - # ref: main - # path: vapor-ware-workflows - - uses: ./.github/actions/build-pr-image id: build-env with: From 52fcc042857e03ad15139f7730a34d88f1ba45b9 Mon Sep 17 00:00:00 2001 From: Adam Israel Date: Fri, 14 Jul 2023 11:05:36 -0400 Subject: [PATCH 07/12] chore: [VIO-3010] First pass at release.yaml This is a first pass at implementing a release workflow. --- .github/workflows/release.yaml | 41 ++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 .github/workflows/release.yaml diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml new file mode 100644 index 00000000..ef702e42 --- /dev/null +++ b/.github/workflows/release.yaml 
@@ -0,0 +1,41 @@
+name: release
+on:
+ workflow_run:
+ workflows: [build]
+ types:
+ - completed
+ push:
+ tags:
+ - 'v*'
+
+jobs:
+ release:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+ -
+ name: Login to Docker Hub
+ uses: docker/login-action@v2
+ with:
+ registry: docker.io
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+ # -
+ # name: Tagged Release
+ # uses: goreleaser/goreleaser-action@v3
+ # env:
+ # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # with:
+ # distribution: goreleaser
+ # version: latest
+ # args: release --rm-dist
+
+ -
+ name: Update Helm Chart
+ uses: vapor-ware/chart-releaser-action@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.VIO_PUBLIC_REPO }}
+ with:
+ args: update --diff --debug --dry-run
From 2442be673eca9d1fbf0de9ce3ff115ffed449289 Mon Sep 17 00:00:00 2001 From: Adam Israel Date: Fri, 14 Jul 2023 11:11:18 -0400 Subject: [PATCH 08/12] chore: [VIO-3010] Update release.yaml
--- .github/workflows/release.yaml | 17 ----------------- 1 file changed, 17 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index ef702e42..f1d67dc8 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -15,23 +15,6 @@ jobs: - uses: actions/checkout@v3 with: fetch-depth: 0 - - - name: Login to Docker Hub - uses: docker/login-action@v2 - with: - registry: docker.io - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - # - - # name: Tagged Release - # uses: goreleaser/goreleaser-action@v3 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # distribution: goreleaser - # version: latest - # args: release --rm-dist - - name: Update Helm Chart uses: vapor-ware/chart-releaser-action@v1
From 79acd7871df721764250ed4ccc9da3e70fbc9fdc Mon Sep 17 00:00:00 2001
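Review bot: The `release` job in release.yaml has no `if:` condition, so the `workflow_run` trigger fires it on every completion of `build` — failed runs included, and `build` runs for every pull request to develop — rather than only on `v*` tag pushes. While `--dry-run` is present that is only noise, but the last hunk of this series (patch 12, `@@ -23,4 +21,4 @@`) removes `--dry-run`, after which each completed PR build would perform a real chart update with the `VIO_PUBLIC_REPO` token. Gate the job, e.g. `if: ${{ github.event_name == 'push' || github.event.workflow_run.conclusion == 'success' }}`, and consider whether the `workflow_run` trigger is needed alongside the tag trigger at all. `VIO_PUBLIC_REPO` is a stored token rather than the job's ephemeral GITHUB_TOKEN, so it is worth confirming its scope is limited to the repository the chart update writes to.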
From: Adam Israel Date: Fri, 14 Jul 2023 14:34:53 -0400 Subject: [PATCH 09/12] Attempt to test release workflow --- .github/workflows/release.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index f1d67dc8..48bd54e4 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -5,8 +5,10 @@ on: types: - completed push: - tags: - - 'v*' + branches: + - vio-3010-github-actions + # tags: + # - 'v*' jobs: release: From e004c201c0e02f4def48dbe5982945bcc902f0bc Mon Sep 17 00:00:00 2001 From: Adam Israel Date: Mon, 17 Jul 2023 09:13:49 -0400 Subject: [PATCH 10/12] fix: [VIO-3010] Attempt to use private workflows This is an attempt to enable the use of private workflows. --- .github/workflows/build.yaml | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index ff5e981d..faaf5885 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -11,7 +11,17 @@ jobs: steps: - uses: actions/checkout@v3 - - uses: ./.github/actions/build-pr-image + - name: Checkout vapor-ware workflows + uses: actions/checkout@v3 + with: + repository: vapor-ware/workflows + # token: ${{ secrets.VIO_REPO_READ }} + token: ${{ secrets.VIO_PUBLIC_REPO }} + ref: main + path: vapor-ware-workflows + + # - uses: ./.github/actions/build-pr-image + - uses: ./vapor-ware-workflows/.github/actions/build-pr-image id: build-env with: REGISTRY: docker.io @@ -22,7 +32,8 @@ jobs: PASSWORD: ${{ secrets.DOCKERHUB_TOKEN }} IMAGENAME: synse-server - - uses: ./.github/actions/scan-image + # - uses: ./.github/actions/scan-image + - uses: ./vapor-ware-workflows/.github/actions/scan-image id: scan-image with: image: ${{ steps.build-env.outputs.image-archive }} From 348e74f5c75f5cc148a06b638b00c6067809a2bb Mon Sep 17 00:00:00 2001 
From: Adam Israel Date: Mon, 17 Jul 2023 09:49:53 -0400 Subject: [PATCH 11/12] Revert "fix: [VIO-3010] Attempt to use private workflows" This reverts commit e004c201c0e02f4def48dbe5982945bcc902f0bc. --- .github/workflows/build.yaml | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index faaf5885..ff5e981d 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -11,17 +11,7 @@ jobs: steps: - uses: actions/checkout@v3 - - name: Checkout vapor-ware workflows - uses: actions/checkout@v3 - with: - repository: vapor-ware/workflows - # token: ${{ secrets.VIO_REPO_READ }} - token: ${{ secrets.VIO_PUBLIC_REPO }} - ref: main - path: vapor-ware-workflows - - # - uses: ./.github/actions/build-pr-image - - uses: ./vapor-ware-workflows/.github/actions/build-pr-image + - uses: ./.github/actions/build-pr-image id: build-env with: REGISTRY: docker.io @@ -32,8 +22,7 @@ jobs: PASSWORD: ${{ secrets.DOCKERHUB_TOKEN }} IMAGENAME: synse-server - # - uses: ./.github/actions/scan-image - - uses: ./vapor-ware-workflows/.github/actions/scan-image + - uses: ./.github/actions/scan-image id: scan-image with: image: ${{ steps.build-env.outputs.image-archive }} From 4d4fe5ff4d67a7fe167f12595a58dca33d442e27 Mon Sep 17 00:00:00 2001 From: Adam Israel Date: Mon, 17 Jul 2023 10:19:58 -0400 Subject: [PATCH 12/12] chore: [VIO-3010] Update release CI --- .github/workflows/release.yaml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 48bd54e4..75917b00 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -5,10 +5,8 @@ on: types: - completed push: - branches: - - vio-3010-github-actions - # tags: - # - 'v*' + tags: + - 'v*' jobs: release: 
@@ -23,4 +21,4 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.VIO_PUBLIC_REPO }} with: - args: update --diff --debug --dry-run + args: update --diff --debug