diff --git a/.github/workflows/build-trigger.yml b/.github/workflows/build-trigger.yml new file mode 100644 index 0000000..bd624ae --- /dev/null +++ b/.github/workflows/build-trigger.yml @@ -0,0 +1,63 @@ +name: 🍜 Build/publish go runners + +on: + pull_request: + branches: ["main"] + push: + branches: ["main"] + workflow_dispatch: # build on demand + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +jobs: + get-changed-files: + runs-on: ubuntu-latest + outputs: + version_files: ${{ steps.filter.outputs.version_files}} + version: ${{ steps.filter.outputs.version }} + dockerfile_files: ${{ steps.filter.outputs.dockerfile_files}} + dockerfile: ${{ steps.filter.outputs.dockerfile }} + go_files: ${{ steps.filter.outputs.go_files}} + go: ${{ steps.filter.outputs.go }} + steps: + - name: Check out code + uses: actions/checkout@v3 + + - name: Get Changed Files + id: filter + uses: dorny/paths-filter@v3 + with: + list-files: 'json' + base: 'main' + filters: | + version: + - 'VERSION' + dockerfile: + - 'Dockerfile' + go: + - '*.go' + - 'Makefile' + - '*.mod' + + - name: Show Changed Files + run: | + echo "Files in dockerfile: ${{ steps.filter.outputs.dockerfile_files }}" + echo "Files for version: ${{ steps.filter.outputs.version_files }}" + echo "Files in go: ${{ steps.filter.outputs.go_files }}" + echo "dockerfile: ${{ steps.filter.outputs.dockerfile}}" + echo "go: ${{ steps.filter.outputs.go}}" + echo "version: ${{ steps.filter.outputs.version}}" + + build-pun: + needs: [get-changed-files] + name: Pun + if: ${{ needs.get-changed-files.outputs.go == 'true' || needs.get-changed-files.outputs.dockerfile == 'true' || needs.get-changed-files.outputs.version == 'true' }} + uses: ./.github/workflows/build.yml + secrets: inherit + with: + runner: '["gcc", "dind", "2204"]' + runner-archs: '["amd64"]' + dockerfiles: ${{ toJSON(fromJSON(needs.get-changed-files.outputs.dockerfile_files || '[]')) }} + version-tag: ${{ needs.get-changed-files.outputs.version == 'true' }} diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 0000000..946d9d6 --- /dev/null +++ b/.github/workflows/build.yml @@ -0,0 +1,194 @@ +name: 🍜 Build/publish runners + +on: + workflow_call: + inputs: + runner: + type: string + default: '["go", "2204"]' + runner-archs: + type: string + default: '["amd64", "aarch64"]' + dockerfiles: + type: string + default: '["Dockerfile"]' + runner-arch-map: + type: string + default: '[{"amd64":"x86_64", "aarch64":"aarch64", "armv7l":"armv7l"}]' + registry: + type: string + default: 'harbor.nbfc.io' + version-tag: + type: boolean + default: false + secrets: + GIT_CLONE_PAT: + required: false + AWS_ACCESS_KEY: + required: false + AWS_SECRET_ACCESS_KEY: + required: false + harbor_user: + required: false + harbor_secret: + required: false + +jobs: + build-all: + runs-on: ${{ format('{0}-{1}', join(fromJSON(inputs.runner), '-'), matrix.arch) }} + #timeout-minutes: 600 + permissions: + contents: write # for uploading the SBOM to the release + packages: write # for uploading the finished container + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + id-token: write # to complete the identity challenge with sigstore/fulcio when running outside of PRs + strategy: + matrix: + dockerfile: ["${{ fromJSON(inputs.dockerfiles) }}"] + arch: ["${{ fromJSON(inputs.runner-archs) }}"] + continue-on-error: true + + env: + REGISTRY: ${{ inputs.registry }} + IMAGE_NAME: ${{ inputs.registry }}/${{ github.repository }} + ARCH: ${{ matrix.arch }} + + steps: + - name: Checkout the repo + uses: actions/checkout@v4 + + - name: Set short SHA + run: echo "SHA_SHORT=${GITHUB_SHA::7}" >> $GITHUB_ENV + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log into registry ${{ env.REGISTRY }} + uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + with: + registry: ${{ env.REGISTRY }} + username: ${{ secrets.harbor_user }} + password: ${{ secrets.harbor_secret }} + + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 + with: + images: ${{ env.IMAGE_NAME }} + tags: | + type=sha,prefix=${{ env.ARCH }}- + + - name: Build and push ${{ matrix.dockerfile }}-${{ matrix.arch}} + id: build-and-push + uses: docker/build-push-action@master + with: + context: . + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + push: true + file: ${{ matrix.dockerfile }} + #build-contexts: | + # ${{ steps.base-image-calculator.outputs.base_image }} + provenance: false + + - name: Get image digest + run: | + echo "IMAGE_DIGEST=$(docker inspect \ + ${{ env.REGISTRY }}/${{ github.repository }}:${{ env.ARCH }}-${{ env.SHA_SHORT }} | \ + jq -r '.[0].Id')" >> $GITHUB_ENV + + - name: Install cosign + uses: sigstore/cosign-installer@main + + - name: Sign the published Docker image + env: + COSIGN_EXPERIMENTAL: "true" + DIGEST: ${{steps.build-and-push.outputs.digest}} + run: | + cosign sign --yes ${{ env.REGISTRY }}/${{ github.repository }}@$DIGEST \ + -a "repo=${{github.repository}}" \ + -a "workflow=${{github.workflow}}" \ + -a "ref=${{github.sha}}" \ + -a "author=Nubificus LTD" + + manifest: + needs: [build-all] + runs-on: gcc-dind-2204-amd64 # use the GitHub-hosted runner to build the image + permissions: + contents: write # for uploading the SBOM to the release + packages: write # for uploading the finished container + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + id-token: write # to complete the identity challenge with sigstore/fulcio when running outside of PRs + strategy: + matrix: + dockerfile: ["${{ fromJSON(inputs.dockerfiles) }}"] + env: + REGISTRY: ${{ inputs.registry }} + #TAG: generic + + steps: + - name: Checkout the repo + uses: actions/checkout@v4 + + - name: Set short SHA + run: echo "SHA_SHORT=${GITHUB_SHA::7}" >> $GITHUB_ENV + + - name: Log into registry ${{ inputs.REGISTRY }} + uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + with: + registry: ${{ env.REGISTRY }} + username: ${{ secrets.harbor_user }} + password: ${{ secrets.harbor_secret }} + + - name: Set Docker tag based on branch or PR + id: tag + run: | + if [[ ${{ inputs.version-tag }} == true ]]; then + echo "Version change detected. Using version: $( cat VERSION )." + echo "TAG=$( cat VERSION ) " >> $GITHUB_ENV + elif [[ "${GITHUB_REF##*/}" == "main" ]]; then + echo "Change in main branch detected. Using latest tag." + echo "TAG=latest" >> $GITHUB_ENV + else + SHORT_SHA=$(echo "${GITHUB_SHA}" | cut -c1-7) + echo "Using tag: ${SHORT_SHA}." + echo "TAG=${SHORT_SHA}" >> $GITHUB_ENV + fi + + - name: Process runner architectures and create docker manifest + id: create-manifest + run: | + runner_archs='${{ inputs.runner-archs }}' # Using the input string array + amend_command="" + + # Loop over the architectures and build the amend command + for arch in $(echo $runner_archs | jq -r '.[]'); do + amend_command+=" --amend ${{ env.REGISTRY }}/${{ github.repository }}:$arch-${{ env.SHA_SHORT }}" + done + + echo "-------------------- Amend command constructed -------------------" + echo "$amend_command" + + # Create the docker manifest with the amend command + docker manifest create ${{ env.REGISTRY }}/${{ github.repository }}:${{ env.TAG }} $amend_command + + # Optionally push the manifest (comment out if not needed) + # docker manifest push ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.dockerfile }}:${{ env.TAG }} + VAR=`docker manifest push ${{ env.REGISTRY }}/${{ github.repository }}:${{ env.TAG }} | tail -1` + echo "manifest_sha=$VAR" >> "$GITHUB_OUTPUT" + + - name: Install cosign + uses: sigstore/cosign-installer@main + + - name: Sign the published Docker image + env: + COSIGN_EXPERIMENTAL: "true" + DIGEST: ${{steps.create-manifest.outputs.manifest_sha }} + # run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }} + run: | + #cosign sign --yes harbor.nbfc.io/nubificus/${{ github.repository }}/${{ matrix.dockerfile }}:${{ env.ARCH }}-${{ env.SHA_SHORT }}@$DIGEST \ + cosign sign --yes ${{ env.REGISTRY }}/${{ github.repository }}@$DIGEST \ + -a "repo=${{github.repository}}" \ + -a "workflow=${{github.workflow}}" \ + -a "ref=${{github.sha}}" \ + -a "author=Nubificus LTD" diff --git a/Dockerfile b/Dockerfile index d6afaf1..6dbd675 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,12 +1,10 @@ FROM golang:1.22 AS builder -COPY go.mod /pun/ -COPY go.sum /pun/ -COPY Makefile /pun/ -COPY main.go /pun/ +COPY . /pun + WORKDIR /pun RUN make FROM scratch -COPY --from=builder /pun/pun /bin/pun +COPY --from=builder /pun/dist/pun /bin/pun ENTRYPOINT ["/bin/pun"]