From 42082dcaa095c2ebf49ab70c831e0c7f7232565e Mon Sep 17 00:00:00 2001
From: Daichi Sakaue
Date: Mon, 18 Dec 2023 20:28:16 +0900
Subject: [PATCH] Migrate neco-admission to ghcr.io
Signed-off-by: Daichi Sakaue
---
 .github/actions/build_admission/action.yaml | 52 +++++++++++
 .github/actions/build_push/action.yaml | 64 +++++---------
 .github/actions/extract_tags/action.yaml | 96 +++++++++++++++++++++
 .github/workflows/main.yaml | 9 ++
 admission/.dockerignore | 4 +-
 admission/Dockerfile | 11 ++-
 admission/TAG | 2 +-
 bmc-reverse-proxy/TAG | 2 +-
 8 files changed, 189 insertions(+), 51 deletions(-)
 create mode 100644 .github/actions/build_admission/action.yaml
 create mode 100644 .github/actions/extract_tags/action.yaml
diff --git a/.github/actions/build_admission/action.yaml b/.github/actions/build_admission/action.yaml
new file mode 100644
index 000000000..d9b4143d6
--- /dev/null
+++ b/.github/actions/build_admission/action.yaml
@@ -0,0 +1,52 @@
+name: "Build admission"
+description: "Build admission"
+inputs:
+ github_token:
+ description: "GitHub Token"
+ required: true
+runs:
+ using: composite
+ steps:
+ - name: Setup build environment
+ uses: ./.github/actions/setup
+ with:
+ github_token: ${{ inputs.github_token }}
+ go-version-file: admission/go.mod
+ - id: extract
+ name: Extract targets
+ uses: ./.github/actions/extract_tags
+ with:
+ container-image: admission
+ github_token: ${{ inputs.github_token }}
+ # - name: Run check-generate
+ # if: ${{ steps.extract.outputs.build }}
+ # shell: bash
+ # run: make check-generate
+ # working-directory: admission
+ # - name: Test
+ # if: ${{ steps.extract.outputs.build }}
+ # uses: docker/build-push-action@v5
+ # with:
+ # context: admission
+ # platforms: "linux/amd64"
+ # target: test
+ # provenance: false
+ # push: false
+ - name: Test
+ if: ${{ steps.extract.outputs.build }}
+ shell: bash
+ run: |
+ make check-generate
+ make test
+ working-directory: admission
+ - name: Build and push
+ if: ${{ steps.extract.outputs.build }}
+ uses: docker/build-push-action@v5
+ with:
+ context: admission
+ platforms: "linux/amd64"
+ provenance: false
+ push: ${{ steps.extract.outputs.docker_push }}
+ tags: |
+ ${{ steps.extract.outputs.tag }}
+ ${{ steps.extract.outputs.branch }}
diff --git a/.github/actions/build_push/action.yaml b/.github/actions/build_push/action.yaml
index 9a5583f52..5b6462a89 100644
--- a/.github/actions/build_push/action.yaml
+++ b/.github/actions/build_push/action.yaml
@@ -18,13 +18,11 @@ inputs:
 enable_arm64:
 description: "Add arm64 to container image platform"
 required: false
- type: boolean
- default: false
+ default: "false"
 make_test:
 description: "Run make test before building docker image"
 required: false
- type: boolean
- default: false
+ default: "false"
 scan:
 description: "Enable image scanning"
 required: false
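Review bot: The fourteen `# - name: Run check-generate` … `# push: false` lines in the middle of the `steps:` list are a commented-out draft of the `Test` step that follows, and they will drift from the live step; drop them and let version control keep the history. Unlike build_push, this action has no image-scan step after `Build and push`, so the admission image it publishes to ghcr.io is never scanned — if that is deliberate, a comment on the step such as `# No scan step here: admission is not covered by the scan input used in build_push` would record it, otherwise reuse the Trivy/Yamory steps from build_push. The `push:` value is taken from `docker_push`, which extract_tags documents as `true`/`false`, so the build-push-action input is well-formed; the `if:` guards relying on `build` being `true` or `''` match that contract too.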
@@ -39,37 +37,15 @@ runs:
 steps:
 - name: Checkout
 uses: actions/checkout@v4
- - name: Extract targets
- shell: bash
- run: |
- dir=${{ inputs.dir }}
- if [ "$dir" = "" ]; then dir=${{ inputs.container-image }} ; fi
- image=${{ inputs.container-image }}
- TAG=$(cat ${dir}/TAG)
- c=$(container-tag-exists ghcr.io/cybozu/$image $TAG)
- # The stdout should be either "" or "found".
- if [ "$c" = "" ]; then
- echo "BUILDS_TAG=ghcr.io/cybozu/$image:$TAG" >> $GITHUB_ENV
-
- if [ -f $dir/BRANCH ]; then
- if echo $TAG | grep -q -e - ; then
- echo ===== Skip pushing branch tags for pre-release $TAG =====
- else
- BRANCH=$(cat $dir/BRANCH)
- echo "BUILDS_BRANCH=ghcr.io/cybozu/$image:$BRANCH" >> $GITHUB_ENV
- fi
- fi
- fi
- env:
- GITHUB_TOKEN: ${{ inputs.github_token }}
- - name: Validate consistency between BRANCH and TAG
- shell: bash
- run: |
- dir=${{ inputs.dir }}
- if [ "$dir" = "" ]; then dir=${{ inputs.container-image }} ; fi
- if [ -e "$dir/NO_TAG_BRANCH_CONSISTENCY" ]; then exit 0; fi
- ./tag_branch_consistency $dir
+ - id: extract
+ name: Extract targets
+ uses: ./.github/actions/extract_tags
+ with:
+ dir: ${{ inputs.dir }}
+ container-image: ${{ inputs.container-image }}
+ github_token: ${{ inputs.github_token }}
 - name: Set container build platform
+ if: ${{ steps.extract.outputs.build }}
 shell: bash
 run: |
 enable_arm64=${{ inputs.enable_arm64 }}
@@ -79,40 +55,40 @@ runs:
 echo "PLATFORM=linux/amd64" >> $GITHUB_ENV
 fi
 - name: Make test
- if: inputs.make_test && env.BUILDS_TAG != null
+ if: ${{ inputs.make_test == 'true' && steps.extract.outputs.build }}
 shell: bash
 run: |
 make -C ${{ inputs.dir }} test
 - name: Build and push
- if: env.BUILDS_TAG != null
+ if: ${{ steps.extract.outputs.build }}
 uses: docker/build-push-action@v5
 with:
 context: ${{ inputs.dir }}
 platforms: ${{ env.PLATFORM }}
 provenance: false
- push: ${{ github.event_name != 'pull_request' }}
+ push: ${{ steps.extract.outputs.docker_push }}
 tags: |
- ${{ env.BUILDS_TAG }}
- ${{ env.BUILDS_BRANCH }}
+ ${{ steps.extract.outputs.tag }}
+ ${{ steps.extract.outputs.branch }}
 target: ${{ inputs.target }}
 - name: Install Trivy
- if: inputs.scan == 'true' && env.BUILDS_TAG != null && github.event_name != 'pull_request'
+ if: ${{ inputs.scan == 'true' && steps.extract.outputs.push }}
 shell: bash
 run: |
 curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
 - name: Scan images
- if: inputs.scan == 'true' && env.BUILDS_TAG != null && github.event_name != 'pull_request'
+ if: ${{ inputs.scan == 'true' && steps.extract.outputs.push }}
 shell: bash
 env:
 YAMORY_ACCESS_TOKEN: ${{ inputs.yamory_token }}
 run: |
 echo
- echo "scanning $BUILDS_TAG ..."
- if [[ $BUILDS_TAG == "ghcr.io/cybozu/golang:"* ]]; then
+ echo "scanning $${{ steps.extract.outputs.tag }} ..."
+ if [[ $${{ steps.extract.outputs.tag }} == "ghcr.io/cybozu/golang:"* ]]; then
 dir=${{ inputs.dir }}
 BRANCH=$(cat $dir/BRANCH)
 image=${{ inputs.container-image }}:$BRANCH
 else
 image=${{ inputs.container-image }}
 fi
- YAMORY_IMAGE_IDENTIFIER="ghcr.io/cybozu/$image" YAMORY_IMAGE_NAME="$BUILDS_TAG" bash -c "$(curl -sSf -L https://mw-receiver.yamory.io/image/script/trivy)"
+ YAMORY_IMAGE_IDENTIFIER="ghcr.io/cybozu/$image" YAMORY_IMAGE_NAME="$${{ steps.extract.outputs.tag }}" bash -c "$(curl -sSf -L https://mw-receiver.yamory.io/image/script/trivy)"
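Review bot: The three new `$${{ steps.extract.outputs.tag }}` lines in the `Scan images` step are wrong: the runner substitutes only the `${{ }}` part, so the script sees a literal `$` glued to the tag (`$ghcr.io/cybozu/...`), bash then expands the unset `$ghcr` to nothing, the `"ghcr.io/cybozu/golang:"*` match can never fire, and the YAMORY_IMAGE_NAME handed to the scanner starts with `.io/`. Inlining a step output into `run:` also re-parses that value as shell, which the removed `$BUILDS_TAG` form avoided; add `BUILDS_TAG: ${{ steps.extract.outputs.tag }}` to the step's existing `env:` block and keep the three removed `$BUILDS_TAG` script lines unchanged. The same inline pattern is in extract_tags' `Decide build flags` step; the `if:` rewrites in this hunk (`inputs.make_test == 'true'`, `steps.extract.outputs.push`) read correctly against the `true`/`''` outputs extract_tags documents.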
diff --git a/.github/actions/extract_tags/action.yaml b/.github/actions/extract_tags/action.yaml
new file mode 100644
index 000000000..312ca1481
--- /dev/null
+++ b/.github/actions/extract_tags/action.yaml
@@ -0,0 +1,96 @@
+name: "Extract tags"
+description: "Extract tags to use for the new image"
+inputs:
+ dir:
+ description: "working directory"
+ required: false
+ default: ""
+ container-image:
+ description: "container image"
+ required: true
+ github_token:
+ description: "GitHub Token"
+ required: true
+outputs:
+ branch:
+ description: "branch"
+ value: ${{ steps.extract.outputs.branch }}
+ tag:
+ description: "tag"
+ value: ${{ steps.extract.outputs.tag }}
+ build:
+ description: "build is needed (true or '')"
+ value: ${{ steps.flags.outputs.build }}
+ push:
+ description: "push is needed (true or '')"
+ value: ${{ steps.flags.outputs.push }}
+ # docker/build-push-action does not accept '' as its push flag
+ docker_push:
+ description: "push is needed (true or false)"
+ value: ${{ steps.flags.outputs.docker_push }}
+
+runs:
+ using: composite
+ steps:
+ - id: extract
+ name: Extract targets
+ shell: bash
+ run: |
+ DIR=${{ inputs.dir }}
+ if [ "${DIR}" = "" ]; then DIR=${{ inputs.container-image }}; fi
+ IMAGE=${{ inputs.container-image }}
+ TAG=$(cat ${DIR}/TAG)
+ FOUND=$(container-tag-exists ghcr.io/cybozu/${IMAGE} ${TAG})
+ # The stdout should be either "" or "found".
+ if [ "${FOUND}" = "" ]; then
+ echo "tag=ghcr.io/cybozu/${IMAGE}:${TAG}" >> $GITHUB_OUTPUT
+
+ if [ -f ${DIR}/BRANCH ]; then
+ if echo ${TAG} | grep -q -e - ; then
+ echo ===== Skip pushing branch tags for pre-release ${TAG} =====
+ else
+ BRANCH=$(cat ${DIR}/BRANCH)
+ echo "branch=ghcr.io/cybozu/${IMAGE}:${BRANCH}" >> $GITHUB_OUTPUT
+ fi
+ fi
+ fi
+ env:
+ GITHUB_TOKEN: ${{ inputs.github_token }}
+ - id: flags
+ name: Decide build flags
+ shell: bash
+ run: |
+ if ! 
[ -z "${{ steps.extract.outputs.tag }}" ]; then
+ echo "build=true" >> $GITHUB_OUTPUT
+ if [ "${EVENT_NAME}" != "pull_request" ]; then
+ echo "push=true" >> $GITHUB_OUTPUT
+ echo "docker_push=true" >> $GITHUB_OUTPUT
+ else
+ echo "docker_push=false" >> $GITHUB_OUTPUT
+ fi
+ else
+ echo "docker_push=false" >> $GITHUB_OUTPUT
+ fi
+ env:
+ EVENT_NAME: ${{ github.event_name }}
+ - name: Validate consistency between BRANCH and TAG
+ shell: bash
+ run: |
+ DIR=${{ inputs.dir }}
+ if [ "${DIR}" = "" ]; then DIR=${{ inputs.container-image }}; fi
+ if [ -e "${DIR}/NO_TAG_BRANCH_CONSISTENCY" ]; then exit 0; fi
+ ./tag_branch_consistency ${DIR}
+ - name: Echo output
+ shell: bash
+ run: |
+ echo
+ echo "vvvvvvvvvv vvvvvvvvvv vvvvvvvvvv vvvvvvvvvv vvvvvvvvvv vvvvvvvvvv"
+ echo " Build Policy:"
+ echo
+ echo " branch: ${{ steps.extract.outputs.branch }}"
+ echo " tag: ${{ steps.extract.outputs.tag }}"
+ echo " build: ${{ steps.flags.outputs.build }}"
+ echo " push: ${{ steps.flags.outputs.push }}"
+ echo " docker_push: ${{ steps.flags.outputs.docker_push }}"
+ echo ^^^^^^^^^^ ^^^^^^^^^^ ^^^^^^^^^^ ^^^^^^^^^^ ^^^^^^^^^^ ^^^^^^^^^^
+ echo
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 6e1a31fcb..b2019b0f6 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -183,3 +183,12 @@ jobs:
 enable_arm64: ${{ matrix.job.enable_arm64 }}
 make_test: ${{ matrix.job.make_test }}
 scan: ${{ matrix.job.scan }}
+
+ build_admission:
+ runs-on: ubuntu-22.04
+ steps:
+ - uses: actions/checkout@v4
+ - name: Build container image
+ uses: ./.github/actions/build_admission
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/admission/.dockerignore b/admission/.dockerignore
index c1c4c64ec..417342d66 100644
--- a/admission/.dockerignore
+++ b/admission/.dockerignore
@@ -1,2 +1,2 @@
-*
-!workspace
+bin
+*.md
diff --git a/admission/Dockerfile b/admission/Dockerfile
index bb652b19f..adfca7573 100644
--- a/admission/Dockerfile
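Review bot: The `Decide build flags` step splices a step output straight into the shell, `if ! [ -z "${{ steps.extract.outputs.tag }}" ]`, whereas the `extract` step right above it already passes values through `env:`; the step has its own `env:` block, so add `TAG: ${{ steps.extract.outputs.tag }}` there and write the test as `if [ -n "${TAG}" ]; then`, which is also the idiomatic form of the double negation. The `extract` step treats an empty stdout from `container-tag-exists` as "tag not found" and then emits the tag for a push — I cannot see that helper, but if it can exit 0 on a registry or token error with nothing on stdout, a transient failure would lead to rebuilding and pushing over an already-published tag; a comment stating that the helper must fail non-zero on error, or an explicit `|| exit 1`, would make the assumption visible. The `build` output is only ever set to `true` and the `push` output only on non-PR events, which matches the `(true or '')` wording in the `outputs:` descriptions, so consumers must keep using truthiness checks rather than `== 'false'`.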
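Review bot: The new `build_admission` job declares no `permissions:` and no `needs:`, yet the composite it runs pushes to ghcr.io with `secrets.GITHUB_TOKEN`; if the workflow sets `permissions:` at the top level (outside this hunk) the job inherits it, otherwise the push is rejected, and either way the job is the place to scope the token to what it needs: `permissions:` / `  contents: read` / `  packages: write`. Whether this job should wait on the matrix jobs above it (`needs:`) cannot be judged from the three context lines shown; pull-request runs are kept from pushing only by extract_tags' `docker_push=false` inside the composite, so a one-line comment on the job saying so would keep that gating discoverable.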
+++ b/admission/Dockerfile
@@ -1,7 +1,12 @@
-FROM scratch
+FROM quay.io/cybozu/golang:1.20-jammy AS test
+COPY . /work
+RUN make test
-COPY workspace/neco-admission /neco-admission
+FROM quay.io/cybozu/golang:1.20-jammy AS build
+COPY . /work
+RUN make build
+FROM scratch
+COPY --from=build /work/bin/neco-admission /neco-admission
 USER 10000:10000
-
 ENTRYPOINT ["/neco-admission"]
diff --git a/admission/TAG b/admission/TAG
index 8b95abd94..63082344e 100644
--- a/admission/TAG
+++ b/admission/TAG
@@ -1 +1 @@
-0.24.2
+0.24.3
diff --git a/bmc-reverse-proxy/TAG b/bmc-reverse-proxy/TAG
index 5a48b6be2..0e7400f18 100644
--- a/bmc-reverse-proxy/TAG
+++ b/bmc-reverse-proxy/TAG
@@ -1 +1 @@
-0.1.24
+0.1.25
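Review bot: Both new `FROM quay.io/cybozu/golang:1.20-jammy` lines pull a mutable tag, from the registry the commit is otherwise moving away from, so the same commit can produce a different binary whenever that tag is re-pushed; pin the builder by digest, `FROM quay.io/cybozu/golang:1.20-jammy@sha256:<builder-digest> AS build` (placeholder to be resolved at merge time), with a comment naming the tag it was resolved from so bumps stay reviewable. The `test` stage is not an ancestor of the final `FROM scratch` stage, so a default-target build such as build_admission's `Build and push` step is expected to skip it — the `make test` that actually gates the image is the one in the composite action — and a comment on the stage, `# Not built by the default target; invoke with --target test`, would stop a reader from assuming the image build ran the tests. `COPY . /work` followed by a bare `RUN make build` also assumes the base image's WORKDIR is /work, which is worth stating in a comment since nothing in this file sets it.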