diff --git a/.circleci/config.yml b/.circleci/config.yml
index 65b574499..b52f1145c 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -901,7 +901,6 @@ workflows:
 - build:
 name: build-teleport-node
 container-image: teleport-node
- scan: true
 - build:
 name: build-tempo
 container-image: tempo
diff --git a/.github/actions/build_push/action.yaml b/.github/actions/build_push/action.yaml
index 567492134..05f6cf6de 100644
--- a/.github/actions/build_push/action.yaml
+++ b/.github/actions/build_push/action.yaml
@@ -24,9 +24,9 @@ inputs:
 required: false
 default: "false"
 scan:
- description: "Enable image scanning"
+ description: "Enable image scanning (true, false, or auto)"
 required: false
- default: "false"
+ default: "auto"
 target:
 description: "Target stage to build"
 required: false
@@ -43,6 +43,8 @@ runs:
 with:
 dir: ${{ inputs.dir }}
 container-image: ${{ inputs.container-image }}
+ target: ${{ inputs.target }}
+ scan: ${{ inputs.scan }}
 github_token: ${{ inputs.github_token }}
 - name: Set container build platform
 if: ${{ steps.extract.outputs.build }}
@@ -72,12 +74,12 @@ runs:
 ${{ steps.extract.outputs.branch }}
 target: ${{ inputs.target }}
 - name: Install Trivy
- if: ${{ inputs.scan == 'true' && steps.extract.outputs.push }}
+ if: ${{ steps.extract.outputs.scan }}
 shell: bash
 run: |
 curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
 - name: Scan images
- if: ${{ inputs.scan == 'true' && steps.extract.outputs.push }}
+ if: ${{ steps.extract.outputs.scan }}
 shell: bash
 env:
 YAMORY_ACCESS_TOKEN: ${{ inputs.yamory_token }}
diff --git a/.github/actions/extract_tags/action.yaml b/.github/actions/extract_tags/action.yaml
index 312ca1481..506568755 100644
--- a/.github/actions/extract_tags/action.yaml
+++ b/.github/actions/extract_tags/action.yaml
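Review bot: The `scan` input's default flips from "false" to "auto", so every caller that omitted `scan` changes behaviour, yet the description does not say what `auto` does or that it can fail the job. From the extract_tags changes in this same commit, auto mode exits 1 when any FROM line in the Dockerfile contains `$`, which a caller outside this repository would hit with no warning. I would spell that out in the input description, e.g. `description: "Enable image scanning: true, false, or auto (decided from the Dockerfile; auto fails the job when a FROM line uses a variable, set true/false explicitly in that case)"`.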
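Review bot: The Trivy installer is still fetched from the `main` branch of aquasecurity/trivy and piped straight into `sh` with no version pin or checksum, and because the condition now follows `steps.extract.outputs.scan` (set by default through auto-detection) this unpinned download runs for more builds than before, in a job that also holds `YAMORY_ACCESS_TOKEN` and the registry push credentials. A changed or compromised script would execute with those credentials reachable. I would pin the installer to a release tag and verify the download, or at minimum pass an explicit Trivy version to `install.sh` (it appears to accept one as its final argument — please confirm), and I would keep `&& steps.extract.outputs.push` in these two `if:` conditions instead of relying on extract_tags to only emit `scan` when a push is needed.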
@@ -8,6 +8,14 @@ inputs:
 container-image:
 description: "container image"
 required: true
+ target:
+ description: "target name"
+ required: false
+ default: ""
+ scan:
+ description: "Enable image scanning (true, false, or auto)"
+ required: false
+ default: "auto"
 github_token:
 description: "GitHub Token"
 required: true
@@ -28,16 +36,27 @@ outputs:
 docker_push:
 description: "push is needed (true or false)"
 value: ${{ steps.flags.outputs.docker_push }}
+ scan:
+ description: "scan is needed (true or '')"
+ value: ${{ steps.scan.outputs.scan }}
 runs:
 using: composite
 steps:
+ - id: dir
+ name: Decide directory
+ shell: bash
+ run: |
+ if [ -z "${{ inputs.dir }}" ]; then
+ echo "dir=${{ inputs.container-image }}" >> $GITHUB_OUTPUT
+ else
+ echo "dir=${{ inputs.dir }}" >> $GITHUB_OUTPUT
+ fi
 - id: extract
 name: Extract targets
 shell: bash
 run: |
- DIR=${{ inputs.dir }}
- if [ "${DIR}" = "" ]; then DIR=${{ inputs.container-image }}; fi
+ DIR=${{ steps.dir.outputs.dir }}
 IMAGE=${{ inputs.container-image }}
 TAG=$(cat ${DIR}/TAG)
 FOUND=$(container-tag-exists ghcr.io/cybozu/${IMAGE} ${TAG})
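Review bot: The new `dir` step expands `${{ inputs.dir }}` and `${{ inputs.container-image }}` directly inside the `run:` script, the pattern GitHub's workflow-hardening guidance warns against: the value is spliced into shell text before bash parses it, so a value containing quotes or metacharacters would alter the command. Today these inputs come from this repository's own matrix, so exposure is low, but routing them through `env:` costs nothing and also lets `$GITHUB_OUTPUT` be quoted: add `INPUT_DIR: ${{ inputs.dir }}` and `IMAGE: ${{ inputs.container-image }}` under the step's `env:` and make the body the single line `echo "dir=${INPUT_DIR:-$IMAGE}" >> "$GITHUB_OUTPUT"`. The `extract` step below keeps the same inline expansion for `inputs.container-image`, and its `TAG=$(cat ${DIR}/TAG)` should quote `${DIR}` at the same time.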
@@ -73,11 +92,61 @@ runs:
 fi
 env:
 EVENT_NAME: ${{ github.event_name }}
+ - id: scan-pre
+ name: Decide scan flag
+ shell: bash
+ working-directory: ${{ steps.dir.outputs.dir }}
+ run: |
+ # Check if scan-mode is manually overridden
+ echo "inputs.scan is: ${{ inputs.scan }}"
+ if [ -z "${{ inputs.scan }}" ]; then
+ echo "Calculating scanning mode..."
+ elif [ "${{ inputs.scan }}" = "auto" ]; then
+ echo "Calculating scanning mode..."
+ elif [ "${{ inputs.scan }}" = "true" ]; then
+ echo "Scanning is enabled manually."
+ echo "scan=true" >> $GITHUB_OUTPUT
+ exit 0
+ elif [ "${{ inputs.scan }}" = "false" ]; then
+ echo "Scanning is disabled manually."
+ exit 0
+ else
+ echo "inputs.scan has an invalid value"
+ exit 1
+ fi
+
+ # If base image is substituted by a variable, automatic detection is disabled
+ # It instructs users to set scan-flag manually if missing
+ if grep FROM Dockerfile | grep -F '$'; then
+ echo "!! FROM command may use a base image substituted by a variable."
+ echo "!! Please set scan requirement manually."
+ exit 1
+ fi
+
+ # Skip Trivy scan if scratch-based image
+ if [ -z "${{ inputs.target }}" ]; then
+ if grep FROM Dockerfile | tail -n 1 | grep scratch; then
+ echo "Scanning is disabled for scratch-based images."
+ exit 0
+ fi
+ elif grep FROM Dockerfile | grep AS | grep "${{ inputs.target }}" | grep scratch; then
+ echo "Scanning is disabled for scratch-based images."
+ exit 0
+ fi
+ echo "Scanning is enabled at image uploading."
+ echo "scan=true" >> $GITHUB_OUTPUT
+ - id: scan
+ name: Enable scan for upload-time only
+ if: ${{ steps.flags.outputs.push }}
+ shell: bash
+ run: |
+ if [ "${{ steps.flags.scan-pre.scan }}" = "true" ]; then
+ echo "scan=true" >> $GITHUB_OUTPUT
+ fi
 - name: Validate consistency between BRANCH and TAG
 shell: bash
 run: |
- DIR=${{ inputs.dir }}
- if [ "${DIR}" = "" ]; then DIR=${{ inputs.container-image }}; fi
+ DIR=${{ steps.dir.outputs.dir }}
 if [ -e "${DIR}/NO_TAG_BRANCH_CONSISTENCY" ]; then exit 0; fi
 ./tag_branch_consistency ${DIR}
 - name: Echo output
@@ -92,5 +161,6 @@ runs:
 echo " build: ${{ steps.flags.outputs.build }}"
 echo " push: ${{ steps.flags.outputs.push }}"
 echo " docker_push: ${{ steps.flags.outputs.docker_push }}"
+ echo " scan: ${{ steps.scan.outputs.scan }}"
 echo ^^^^^^^^^^ ^^^^^^^^^^ ^^^^^^^^^^ ^^^^^^^^^^ ^^^^^^^^^^ ^^^^^^^^^^
 echo
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 9bec092ca..e3df44788 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -11,19 +11,14 @@ jobs:
 job:
 - dir: "./alertmanager"
 container-image: "alertmanager"
- scan: "true"
 - dir: "./argocd"
 container-image: "argocd"
- scan: "true"
 - dir: "./argocd-image-updater"
 container-image: "argocd-image-updater"
- scan: "true"
 - dir: "./bird"
 container-image: "bird"
- scan: "true"
 - dir: "./blackbox_exporter"
 container-image: "blackbox_exporter"
- scan: "true"
 - dir: "./bmc-reverse-proxy"
 container-image: "bmc-reverse-proxy"
 - dir: "./bpf-map-pressure-exporter"
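Review bot: `${{ steps.flags.scan-pre.scan }}` in the new `scan` step does not address the value the `scan-pre` step writes; that output is `steps.scan-pre.outputs.scan`. As far as I know the expression evaluator yields an empty string for the unknown property rather than failing, so the comparison with "true" never holds, the `scan` output is never emitted, and build_push's Trivy steps (now gated on `steps.extract.outputs.scan`) silently never run — a fail-open that switches scanning off for every image while the summary step just prints `scan:` as empty. The fix is the one line `if [ "${{ steps.scan-pre.outputs.scan }}" = "true" ]; then`. Separately, the scratch detection is loose: `grep FROM Dockerfile | grep AS | grep "${{ inputs.target }}" | grep scratch` accepts any FROM line whose text merely contains the target name and the word scratch somewhere, and `${{ inputs.target }}` is interpolated into a grep pattern; anchoring on the stage, e.g. `grep -Ei "^FROM[[:space:]]+scratch[[:space:]]+AS[[:space:]]+${TARGET}[[:space:]]*$"` with `TARGET` supplied via `env:`, would be tighter. The `steps:` list these steps belong to begins before this hunk.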
@@ -33,35 +28,28 @@ jobs:
 container-image: "cadvisor"
 - dir: "./cert-manager"
 container-image: "cert-manager"
- scan: "true"
 - dir: "./chrony"
 container-image: "chrony"
- scan: "true"
 - dir: "./cilium-certgen"
 container-image: "cilium-certgen"
- scan: "true"
+ scan: "false"
 - dir: "./cilium-operator-generic"
 container-image: "cilium-operator-generic"
- scan: "true"
+ scan: "false"
 - dir: "./configmap-reload"
 container-image: "configmap-reload"
 - dir: "./contour"
 container-image: "contour"
 - dir: "./coredns"
 container-image: "coredns"
- scan: "true"
 - dir: "./dex"
 container-image: "dex"
- scan: "true"
 - dir: "./etcd"
 container-image: "etcd"
- scan: "true"
 - dir: "./external-dns"
 container-image: "external-dns"
- scan: "true"
 - dir: "./fluent-bit"
 container-image: "fluent-bit"
- scan: "true"
 - dir: "./golang-all/golang-1.20-focal"
 container-image: "golang"
 enable_arm64: true
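Review bot: cilium-certgen and cilium-operator-generic go from `scan: "true"` to `scan: "false"`, so two images that were scanned at push time before this commit no longer are, and nothing in the diff records why. If the motivation is that the new auto mode bails out with exit 1 when a FROM line uses a variable, a manual `false` is only correct when the final stage is genuinely scratch-based; otherwise `true` is the override that preserves coverage. Either way the decision should be visible next to the flag, e.g. `scan: "false" # final stage is FROM scratch; auto-detection cannot tell because FROM uses a build ARG` (adjusted to the actual reason).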
@@ -80,45 +68,38 @@ jobs:
 scan: "true"
 - dir: "./grafana-operator"
 container-image: "grafana-operator"
- scan: "true"
 - dir: "./haproxy"
 container-image: "haproxy"
- scan: "true"
 - dir: "./kube-metrics-adapter"
 container-image: "kube-metrics-adapter"
 - dir: "./kube-state-metrics"
 container-image: "kube-state-metrics"
 - dir: "./kubernetes"
 container-image: "kubernetes"
- scan: "true"
 - dir: "./loki"
 container-image: "loki"
- scan: "true"
 - dir: "./machines-endpoints"
 container-image: "machines-endpoints"
 - dir: "./memcached"
 container-image: "memcached"
- scan: "true"
 - dir: "./memcached-exporter"
 container-image: "memcached-exporter"
 - dir: "./moco-switchover-downtime-monitor"
 container-image: "moco-switchover-downtime-monitor"
 - dir: "./opentelemetry-collector"
 container-image: "opentelemetry-collector"
- scan: "true"
 - dir: "./hubble"
 container-image: "hubble"
- scan: "true"
 - dir: "./hubble-relay"
 container-image: "hubble-relay"
- scan: "true"
+ scan: "false"
 - dir: "./hubble-ui"
 container-image: "hubble-ui-frontend"
- scan: "true"
+ scan: "false"
 target: "frontend"
 - dir: "./hubble-ui"
 container-image: "hubble-ui-backend"
- scan: "true"
+ scan: "false"
 target: "backend"
 - dir: "./pause"
 container-image: "pause"
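Review bot: hubble-relay and both hubble-ui targets are switched to `scan: "false"`, so three images that were scanned before this commit no longer are, while golang keeps its explicit `scan: "true"` as context. For the hubble-ui entries a `target:` is given, so the auto path would have grepped the `FROM ... AS frontend|backend` stage for scratch on its own; an explicit `false` means detection is being bypassed, presumably because of the `$`-in-FROM bailout, and that reason should be stated. I would add a one-line comment on each flag, such as `scan: "false" # <why Trivy is skipped for this image>`, and double-check that none of these runtime stages carries an OS layer Trivy would otherwise report on.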
@@ -127,44 +108,37 @@ jobs:
 make_test: true
 - dir: "./pomerium"
 container-image: "pomerium"
- scan: "true"
 - dir: "./prometheus-adapter"
 container-image: "prometheus-adapter"
 - dir: "./prometheus-config-reloader"
 container-image: "prometheus-config-reloader"
- scan: "true"
 - dir: "./promtail"
 container-image: "promtail"
- scan: "true"
 - dir: "./pushgateway"
 container-image: "pushgateway"
 - dir: "./redis"
 container-image: "redis"
- scan: "true"
 - dir: "./registry"
 container-image: "registry"
- scan: "true"
 - dir: "./sealed-secrets"
 container-image: "sealed-secrets"
 - dir: "./s3gw"
 container-image: "s3gw"
 - dir: "./serf"
 container-image: "serf"
- scan: "true"
 - dir: "./stakater-reloader"
 container-image: "stakater-reloader"
 - dir: "./spegel"
 container-image: "spegel"
 - dir: "./squid"
 container-image: "squid"
- scan: "true"
 - dir: "./squid-exporter"
 container-image: "squid-exporter"
- scan: "true"
 make_test: true
+ - dir: "./teleport-node"
+ container-image: "teleport-node"
 - dir: "./tempo"
 container-image: "tempo"
- scan: "true"
 - dir: "./testhttpd"
 container-image: "testhttpd"
 - dir: "./trust-manager"
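Review bot: teleport-node joins the matrix without a `scan` key, so it now depends on auto-detection, whereas the CircleCI job it replaces had `scan: true` set explicitly. Its runtime stage is `FROM ghcr.io/cybozu/ubuntu-debug:22.04` (see the Dockerfile hunk below), so auto should resolve to true, but for an image migrated from a configuration that scanned unconditionally I would keep the intent explicit with `scan: "true"` so a detection quirk cannot silently drop a scan that used to run.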
@@ -173,47 +147,36 @@ jobs:
 container-image: "trust-packages"
 - dir: "./unbound"
 container-image: "unbound"
- scan: "true"
 - dir: "./unbound_exporter"
 container-image: "unbound_exporter"
 - dir: "./vault"
 container-image: "vault"
- scan: "true"
 - dir: "./victoriametrics"
 container-image: "victoriametrics-vmagent"
- scan: "true"
 target: "vmagent"
 - dir: "./victoriametrics"
 container-image: "victoriametrics-vmalert"
- scan: "true"
 target: "vmalert"
 - dir: "./victoriametrics"
 container-image: "victoriametrics-vmbackup"
- scan: "true"
 target: "vmbackup"
 - dir: "./victoriametrics"
 container-image: "victoriametrics-vmctl"
- scan: "true"
 target: "vmctl"
 - dir: "./victoriametrics"
 container-image: "victoriametrics-vminsert"
- scan: "true"
 target: "vminsert"
 - dir: "./victoriametrics"
 container-image: "victoriametrics-vmrestore"
- scan: "true"
 target: "vmrestore"
 - dir: "./victoriametrics"
 container-image: "victoriametrics-vmselect"
- scan: "true"
 target: "vmselect"
 - dir: "./victoriametrics"
 container-image: "victoriametrics-vmsingle"
- scan: "true"
 target: "vmsingle"
 - dir: "./victoriametrics"
 container-image: "victoriametrics-vmstorage"
- scan: "true"
 target: "vmstorage"
 - dir: "./victoriametrics-operator"
 container-image: "victoriametrics-operator"
diff --git a/teleport-node/Dockerfile b/teleport-node/Dockerfile
index 86509122d..efe4be060 100644
--- a/teleport-node/Dockerfile
+++ b/teleport-node/Dockerfile
@@ -1,5 +1,5 @@
 # Stage1: build from source
-FROM quay.io/cybozu/golang:1.21-jammy AS build
+FROM ghcr.io/cybozu/golang:1.21-jammy AS build
 ARG TELEPORT_VERSION=14.3.0
 # Install Nodejs
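Review bot: The build stage moves registries but stays on the mutable tag `ghcr.io/cybozu/golang:1.21-jammy` with no digest, so the toolchain this stage compiles Teleport with can change without any edit to this file. A registry migration is the natural moment to pin: `FROM ghcr.io/cybozu/golang:1.21-jammy@sha256:<digest> AS build` (digest taken from the current manifest), and the runtime `FROM ghcr.io/cybozu/ubuntu-debug:22.04` in the next hunk deserves the same treatment. If the tags are intentionally left floating so rebuilds pick up base-image fixes, a comment saying so would save the next reviewer the question.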
@@ -17,7 +17,8 @@ RUN git clone --depth 1 --branch v${TELEPORT_VERSION} https://github.com/gravita
 make build/teleport OS=linux
 # Stage2: setup runtime container
-FROM quay.io/cybozu/ubuntu-debug:22.04
+FROM ghcr.io/cybozu/ubuntu-debug:22.04
+LABEL org.opencontainers.image.source="https://github.com/cybozu/neco-containers"
 COPY --from=build /work/teleport/build/teleport /usr/local/teleport/bin/
 COPY --from=build /work/teleport/LICENSE /usr/local/teleport/
diff --git a/teleport-node/README.md b/teleport-node/README.md
index b74a5acf1..7189f5f3a 100644
--- a/teleport-node/README.md
+++ b/teleport-node/README.md
@@ -8,4 +8,4 @@ This container image is for running a [Teleport](https://goteleport.com/) node a
 Docker images
 -------------
-Docker images are available on [Quay.io](https://quay.io/repository/cybozu/teleport-node)
+Docker images are available on [ghcr.io](https://github.com/cybozu/neco-containers/pkgs/container/teleport-node)
diff --git a/teleport-node/TAG b/teleport-node/TAG
index 1372c06d6..84850db10 100644
--- a/teleport-node/TAG
+++ b/teleport-node/TAG
@@ -1 +1 @@
-14.3.0.1
+14.3.0.2