stolostron patches

- Add OWNERS file
- Enable CGO explicitly
- Update to multi-arch Dockerfile
- Workflow to build/push to quay.io
- Workflow for Sonarcloud scanning

Signed-off-by: Dale Haiducek <[email protected]>

.github/workflows/build-push-stolostron.yaml

@@ -0,0 +1,28 @@
+name: build and push to quay
+
+on:
+  push:  
+    tags:
+      - 'v*' # tags matching v*, i.e. v0.0.1, v1.0.0-rc.0
+
+jobs:
+  build:
+    name: Image build and push
+    runs-on: ubuntu-latest  
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - uses: docker/login-action@v2
+      with:
+        registry: quay.io
+        username: ${{ secrets.QUAY_USER }}
+        password: ${{ secrets.QUAY_PASSWORD }}
+
+    - name: build and push
+      run: |
+        REPOSITORY="quay.io/gatekeeper/gatekeeper" \
+        PLATFORM="linux/amd64,linux/arm64,linux/arm/v8" \
+        OUTPUT_TYPE=type=registry GENERATE_ATTESTATIONS=true \
+        make docker-buildx-release
+

.github/workflows/gosec.yaml

@@ -0,0 +1,27 @@
+name: GoSec scan
+
+on:
+  push:
+    branches:
+      - master
+      - release-[0-9]+.[0-9]+
+  pull_request:
+    branches:
+      - master
+      - release-[0-9]+.[0-9]+
+
+jobs:
+  gosec:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Gatekeeper
+        uses: actions/checkout@v4
+      - name: Run Gosec Security Scanner
+        uses: securego/[email protected]
+        with:
+          args: -no-fail -fmt sonarqube -out gosec.json -stdout -exclude-dir=.go -exclude-dir=test ./...
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: artifacts
+          path: gosec.json

.github/workflows/sonarcloud.yaml

@@ -0,0 +1,14 @@
+name: Sonarcloud scan
+
+on:
+  workflow_run:
+    workflows:
+      - GoSec scan
+    types:
+      - completed
+
+jobs:
+  sonarcloud:
+    uses: stolostron/governance-policy-framework/.github/workflows/sonarcloud.yml@main
+    secrets:
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

Dockerfile

@@ -14,15 +14,27 @@ ARG LDFLAGS
 ARG BUILDKIT_SBOM_SCAN_STAGE=true
 
 ENV GO111MODULE=on \
-    CGO_ENABLED=0 \
+    CGO_ENABLED=1 \
     GOOS=${TARGETOS} \
     GOARCH=${TARGETARCH} \
     GOARM=${TARGETVARIANT}
 
+RUN if [ "${TARGETPLATFORM}" = "linux/arm64" ]; then \
+        apt -y update && apt -y install gcc-aarch64-linux-gnu && apt -y clean all; \
+    elif [ "${TARGETPLATFORM}" = "linux/arm/v8" ]; then \
+        apt -y update && apt -y install gcc-arm-linux-gnueabihf && apt -y clean all; \
+    fi
+
 WORKDIR /go/src/github.com/open-policy-agent/gatekeeper
 COPY . .
 
-RUN go build -mod vendor -a -ldflags "${LDFLAGS}" -o manager
+RUN  if [ "${TARGETPLATFORM}" = "linux/arm64" ]; then \
+        export CC=aarch64-linux-gnu-gcc; \
+    elif [ "${TARGETPLATFORM}" = "linux/arm/v8" ]; then \
+        export CC=arm-linux-gnueabihf-gcc; \
+    fi; \
+    go build -mod vendor -a -ldflags "${LDFLAGS}" -o manager
+
 
 FROM $BASEIMAGE
 

OWNERS

@@ -0,0 +1,12 @@
+approvers:
+- dhaiducek
+- gparvin
+- JustinKuli
+- mprahl
+- yiraeChristineKim
+reviewers:
+- dhaiducek
+- gparvin
+- JustinKuli
+- mprahl
+- yiraeChristineKim

Tiltfile

@@ -34,7 +34,7 @@ COPY bin/manager .
 def build_manager():
     cmd = [
         "make tilt-prepare",
-        "GO111MODULE=on CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -mod vendor -a -o .tiltbuild/bin/manager",
+        "GO111MODULE=on CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -mod vendor -a -o .tiltbuild/bin/manager",
     ]
     local_resource(
         "manager",

gator.Dockerfile

@@ -13,7 +13,7 @@ ARG TARGETVARIANT=""
 ARG LDFLAGS
 
 ENV GO111MODULE=on \
-    CGO_ENABLED=0 \
+    CGO_ENABLED=1 \
     GOOS=${TARGETOS} \
     GOARCH=${TARGETARCH} \
     GOARM=${TARGETVARIANT}

sonar-project.properties

@@ -0,0 +1,13 @@
+sonar.projectKey=open-cluster-management_gatekeeper
+sonar.projectName=gatekeeper
+sonar.organization=open-cluster-management
+sonar.sources=.
+sonar.exclusions=**/*_test.go,**/*_generated*.go,**/*_generated/**,**/vendor/**,/test/**,/build/**,/vbh/**,/version/**
+sonar.tests=.
+sonar.test.inclusions=**/*_test.go
+sonar.test.exclusions=**/*_generated*.go,**/*_generated/**,**/vendor/**,**/test/e2e/**
+sonar.go.tests.reportPaths=report.json,report_e2e.json,report_unit.json
+sonar.go.coverage.reportPaths=coverage.out,coverage_e2e.out,coverage_unit.out
+sonar.externalIssuesReportPaths=gosec.json
+sonar.qualitygate.wait=true
+sonar.qualitygate.timeout=450