From 29468406ca21cfae8ab498a9f3779349985e45b3 Mon Sep 17 00:00:00 2001 From: Anastassios Nanos Date: Tue, 22 Oct 2024 14:32:54 +0100 Subject: [PATCH 1/3] ci: Introduce github actions workflow Signed-off-by: Anastassios Nanos --- .github/workflows/build-trigger.yml | 58 +++++++++ .github/workflows/build.yml | 192 ++++++++++++++++++++++++++++ 2 files changed, 250 insertions(+) create mode 100644 .github/workflows/build-trigger.yml create mode 100644 .github/workflows/build.yml diff --git a/.github/workflows/build-trigger.yml b/.github/workflows/build-trigger.yml new file mode 100644 index 0000000..756c30a --- /dev/null +++ b/.github/workflows/build-trigger.yml 
@@ -0,0 +1,58 @@ +name: 🍜 Build/publish go runners + +on: + pull_request: + branches: ["main"] + push: + branches: ["main", "staging"] + workflow_dispatch: # build on demand + #schedule: + # - cron: "43 6 * * 0" # build every Sunday at 6:43 AM UTC + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +jobs: + get-changed-files: + runs-on: ubuntu-latest + outputs: + dockerfile_files: ${{ steps.filter.outputs.dockerfile_files}} + dockerfile: ${{ steps.filter.outputs.dockerfile }} + go_files: ${{ steps.filter.outputs.go_files}} + go: ${{ steps.filter.outputs.go }} + steps: + - name: Check out code + uses: actions/checkout@v3 + + - name: Get Changed Files + id: filter + uses: dorny/paths-filter@v3 + with: + list-files: 'json' + base: 'main' + filters: | + dockerfile: + - '*Dockerfile' + go: + - '*.go' + - 'Makefile' + - '*.mod' + + - name: Show Changed Files + run: | + echo "Files in dockerfile: ${{ steps.filter.outputs.dockerfile_files }}" + echo "Files in go: ${{ steps.filter.outputs.go_files }}" + echo "dockerfile: ${{ steps.filter.outputs.dockerfile}}" + echo "go: ${{ steps.filter.outputs.go}}" + + build-pun: + needs: [get-changed-files] + name: Pun + if: ${{ needs.get-changed-files.outputs.go == 'true' || needs.get-changed-files.outputs.dockerfile == 'true' }} + uses: ./.github/workflows/build.yml + secrets: inherit + with: + runner: '["gcc", "dind", "2204"]' + runner-archs: '["amd64", "arm64"]' + dockerfiles: ${{ toJSON(fromJSON(needs.get-changed-files.outputs.dockerfile_files || '[]')) }} diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 0000000..dc79643 --- /dev/null +++ b/.github/workflows/build.yml 
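Review bot: The `pull_request` trigger feeds the same publishing path as `push`: `build-pun` is gated only on which files changed, calls build.yml with `secrets: inherit`, and that workflow logs into the registry, builds with `push: true` and signs the result, so every PR against `main` publishes an image using the repository's registry credentials. If PR builds are meant as a check only, gate the publish on the event, e.g. `if: ${{ github.event_name != 'pull_request' && (needs.get-changed-files.outputs.go == 'true' || needs.get-changed-files.outputs.dockerfile == 'true') }}`, or add a `push` input to build.yml that is forwarded to `build-push-action`. The runner labels `gcc`/`dind`/`2204` look like self-hosted runner labels; if so, `pull_request` runs also execute the PR's `make` on those machines, which is worth confirming against how the runner group is scoped. `actions/checkout@v3` here is also one major version behind the `@v4` used in build.yml in the same commit.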
@@ -0,0 +1,192 @@ +name: 🍜 Build/publish runners + +on: + workflow_call: + inputs: + runner: + type: string + default: '["go", "2204"]' + runner-archs: + type: string + default: '["amd64", "aarch64"]' + dockerfiles: + type: string + default: '["Dockerfile"]' + runner-arch-map: + type: string + default: '[{"amd64":"x86_64", "aarch64":"aarch64", "armv7l":"armv7l"}]' + registry: + type: string + default: 'harbor.nbfc.io' + secrets: + GIT_CLONE_PAT: + required: false + AWS_ACCESS_KEY: + required: false + AWS_SECRET_ACCESS_KEY: + required: false + harbor_user: + required: false + harbor_secret: + required: false + +jobs: + build-all: + runs-on: ${{ format('{0}-{1}', join(fromJSON(inputs.runner), '-'), matrix.arch) }} + #timeout-minutes: 600 + permissions: + contents: write # for uploading the SBOM to the release + packages: write # for uploading the finished container + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + id-token: write # to complete the identity challenge with sigstore/fulcio when running outside of PRs + strategy: + matrix: + dockerfile: ["${{ fromJSON(inputs.dockerfiles) }}"] + arch: ["${{ fromJSON(inputs.runner-archs) }}"] + continue-on-error: true + + env: + REGISTRY: ${{ inputs.registry }} + IMAGE_NAME: ${{ inputs.registry }}/${{ github.repository }} + ARCH: ${{ matrix.arch }} + + steps: + - name: Checkout the repo + uses: actions/checkout@v4 + + - name: Set short SHA + run: echo "SHA_SHORT=${GITHUB_SHA::7}" >> $GITHUB_ENV + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log into registry ${{ env.REGISTRY }} + uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + with: + registry: ${{ env.REGISTRY }} + username: ${{ secrets.harbor_user }} + password: ${{ secrets.harbor_secret }} + + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 + with: + images: ${{ env.IMAGE_NAME }} + tags: | + 
type=sha,prefix=${{ env.ARCH }}- + + - name: Build and push ${{ matrix.dockerfile }}-${{ matrix.arch}} + id: build-and-push + uses: docker/build-push-action@master + with: + context: . + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + push: true + file: ${{ matrix.dockerfile }} + #build-contexts: | + # ${{ steps.base-image-calculator.outputs.base_image }} + provenance: false + + - name: Get image digest + run: | + echo "IMAGE_DIGEST=$(docker inspect \ + ${{ env.REGISTRY }}/${{ github.repository }}:${{ env.ARCH }}-${{ env.SHA_SHORT }} | \ + jq -r '.[0].Id')" >> $GITHUB_ENV + + - name: Install cosign + uses: sigstore/cosign-installer@main + + - name: Sign the published Docker image + env: + COSIGN_EXPERIMENTAL: "true" + DIGEST: ${{steps.build-and-push.outputs.digest}} + run: | + cosign sign --yes ${{ env.REGISTRY }}/${{ github.repository }}@$DIGEST \ + -a "repo=${{github.repository}}" \ + -a "workflow=${{github.workflow}}" \ + -a "ref=${{github.sha}}" \ + -a "author=Nubificus LTD" + + manifest: + needs: [build-all] + runs-on: gcc-dind-2204-amd64 # use the GitHub-hosted runner to build the image + permissions: + contents: write # for uploading the SBOM to the release + packages: write # for uploading the finished container + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + id-token: write # to complete the identity challenge with sigstore/fulcio when running outside of PRs + strategy: + matrix: + dockerfile: ["${{ fromJSON(inputs.dockerfiles) }}"] + env: + REGISTRY: ${{ inputs.registry }} + #TAG: generic + + steps: + - name: Checkout the repo + uses: actions/checkout@v4 + + - name: Set short SHA + run: echo "SHA_SHORT=${GITHUB_SHA::7}" >> $GITHUB_ENV + + - name: Log into registry ${{ inputs.REGISTRY }} + uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + with: + registry: ${{ env.REGISTRY }} + username: ${{ secrets.harbor_user }} + password: ${{ secrets.harbor_secret }} + + - 
name: Set Docker tag based on branch or PR + id: tag + run: | + if [[ "${{ github.event_name }}" == "pull_request" ]]; then + echo "PR detected. Using branch name: ${{ github.head_ref }}." + #SHORT_SHA=$(echo "${GITHUB_SHA}" | cut -c1-7) + echo "TAG=${{ github.head_ref }}" >> $GITHUB_ENV + elif [[ "${GITHUB_REF##*/}" == "main" ]]; then + echo "TAG=main" >> $GITHUB_ENV + elif [[ "${GITHUB_REF##*/}" == "staging" ]]; then + echo "TAG=staging" >> $GITHUB_ENV + else + SHORT_SHA=$(echo "${GITHUB_SHA}" | cut -c1-7) + echo "TAG=${SHORT_SHA}" >> $GITHUB_ENV + fi + + - name: Process runner architectures and create docker manifest + id: create-manifest + run: | + runner_archs='${{ inputs.runner-archs }}' # Using the input string array + amend_command="" + + # Loop over the architectures and build the amend command + for arch in $(echo $runner_archs | jq -r '.[]'); do + amend_command+=" --amend ${{ env.REGISTRY }}/${{ github.repository }}:$arch-${{ env.SHA_SHORT }}" + done + + echo "-------------------- Amend command constructed -------------------" + echo "$amend_command" + + # Create the docker manifest with the amend command + docker manifest create ${{ env.REGISTRY }}/${{ github.repository }}:${{ env.TAG }} $amend_command + + # Optionally push the manifest (comment out if not needed) + # docker manifest push ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.dockerfile }}:${{ env.TAG }} + VAR=`docker manifest push ${{ env.REGISTRY }}/${{ github.repository }}:${{ env.TAG }} | tail -1` + echo "manifest_sha=$VAR" >> "$GITHUB_OUTPUT" + + - name: Install cosign + uses: sigstore/cosign-installer@main + + - name: Sign the published Docker image + env: + COSIGN_EXPERIMENTAL: "true" + DIGEST: ${{steps.create-manifest.outputs.manifest_sha }} + # run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }} + run: | + #cosign sign --yes harbor.nbfc.io/nubificus/${{ github.repository }}/${{ matrix.dockerfile }}:${{ env.ARCH 
}}-${{ env.SHA_SHORT }}@$DIGEST \ + cosign sign --yes ${{ env.REGISTRY }}/${{ github.repository }}@$DIGEST \ + -a "repo=${{github.repository}}" \ + -a "workflow=${{github.workflow}}" \ + -a "ref=${{github.sha}}" \ + -a "author=Nubificus LTD" From f491e5995ec53d76fd494d8f44673f1ce1b4dbba Mon Sep 17 00:00:00 2001 From: Anastassios Nanos Date: Tue, 22 Oct 2024 14:53:15 +0100 Subject: [PATCH 2/3] feat: Update Dockerfile Signed-off-by: Anastassios Nanos --- .github/workflows/build-trigger.yml | 2 +- Dockerfile | 8 +++----- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build-trigger.yml b/.github/workflows/build-trigger.yml index 756c30a..0b8bc08 100644 --- a/.github/workflows/build-trigger.yml +++ b/.github/workflows/build-trigger.yml @@ -33,7 +33,7 @@ jobs: base: 'main' filters: | dockerfile: - - '*Dockerfile' + - 'Dockerfile' go: - '*.go' - 'Makefile' diff --git a/Dockerfile b/Dockerfile index d6afaf1..6dbd675 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,12 +1,10 @@ FROM golang:1.22 AS builder -COPY go.mod /pun/ -COPY go.sum /pun/ -COPY Makefile /pun/ -COPY main.go /pun/ +COPY . /pun + WORKDIR /pun RUN make FROM scratch -COPY --from=builder /pun/pun /bin/pun +COPY --from=builder /pun/dist/pun /bin/pun ENTRYPOINT ["/bin/pun"] From 12ddc42763da3d06f86acbdffb4ab08205e63882 Mon Sep 17 00:00:00 2001 From: Charalampos Mainas Date: Wed, 11 Dec 2024 12:03:27 +0200 Subject: [PATCH 3/3] Change the way to tag images Tag the images based on the VERSION file if the file was changed, or as latest if the referenced branch is the main branch. Otherwise just use the commit's hash. Signed-off-by: Charalampos Mainas --- .github/workflows/build-trigger.yml | 15 ++++++++++----- .github/workflows/build.yml | 16 +++++++++------- 2 files changed, 19 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build-trigger.yml b/.github/workflows/build-trigger.yml index 0b8bc08..bd624ae 100644 --- a/.github/workflows/build-trigger.yml 
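Review bot: `docker/build-push-action@master` and `sigstore/cosign-installer@main` are floating branch references in the two steps that produce the pushed image and install the signing tool, while `docker/login-action` and `docker/metadata-action` in the same file are pinned to commit SHAs; pin these two the same way (a release tag at minimum) so a change on the upstream branch cannot alter what is built or signed. The `GIT_CLONE_PAT`, `AWS_ACCESS_KEY` and `AWS_SECRET_ACCESS_KEY` secrets are declared under `workflow_call` but no step in the file references them; dropping them keeps the declared surface equal to what the workflow actually uses. The `Get image digest` step writes `IMAGE_DIGEST` from `docker inspect ... | jq -r '.[0].Id'`, which is the local image config ID rather than the manifest digest the registry reports, and nothing later reads it — the sign step correctly uses `steps.build-and-push.outputs.digest`, so the step can be removed. The comment on the manifest job's `runs-on: gcc-dind-2204-amd64` says "use the GitHub-hosted runner", which does not match a custom label; if this is a self-hosted runner I'd change it to `# self-hosted runner label, matches the build-all runs-on pattern`.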
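Review bot: `COPY . /pun` copies the entire build context into the builder stage in place of the four explicit `COPY` lines, so `.git`, `.github` and anything else in the checkout land in a builder layer, and a change to any file invalidates the cache from that point. The final stage is `FROM scratch` and takes only `/pun/dist/pun`, so the shipped image is unaffected, but wherever the builder layers are cached or exported they now carry the full checkout. Either keep an explicit list (adding whatever `make` now needs), or add a `.dockerignore` that excludes at least `.git` and `.github`. The move from `/pun/pun` to `/pun/dist/pun` implies the Makefile now emits into `dist/`; that Makefile change is not in this series, so I'd confirm it is already on the branch.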
+++ b/.github/workflows/build-trigger.yml @@ -4,10 +4,8 @@ on: pull_request: branches: ["main"] push: - branches: ["main", "staging"] + branches: ["main"] workflow_dispatch: # build on demand - #schedule: - # - cron: "43 6 * * 0" # build every Sunday at 6:43 AM UTC concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} @@ -17,6 +15,8 @@ jobs: get-changed-files: runs-on: ubuntu-latest outputs: + version_files: ${{ steps.filter.outputs.version_files}} + version: ${{ steps.filter.outputs.version }} dockerfile_files: ${{ steps.filter.outputs.dockerfile_files}} dockerfile: ${{ steps.filter.outputs.dockerfile }} go_files: ${{ steps.filter.outputs.go_files}} @@ -32,6 +32,8 @@ jobs: list-files: 'json' base: 'main' filters: | + version: + - 'VERSION' dockerfile: - 'Dockerfile' go: @@ -42,17 +44,20 @@ jobs: - name: Show Changed Files run: | echo "Files in dockerfile: ${{ steps.filter.outputs.dockerfile_files }}" + echo "Files for version: ${{ steps.filter.outputs.version_files }}" echo "Files in go: ${{ steps.filter.outputs.go_files }}" echo "dockerfile: ${{ steps.filter.outputs.dockerfile}}" echo "go: ${{ steps.filter.outputs.go}}" + echo "version: ${{ steps.filter.outputs.version}}" build-pun: needs: [get-changed-files] name: Pun - if: ${{ needs.get-changed-files.outputs.go == 'true' || needs.get-changed-files.outputs.dockerfile == 'true' }} + if: ${{ needs.get-changed-files.outputs.go == 'true' || needs.get-changed-files.outputs.dockerfile == 'true' || needs.get-changed-files.outputs.version == 'true' }} uses: ./.github/workflows/build.yml secrets: inherit with: runner: '["gcc", "dind", "2204"]' - runner-archs: '["amd64", "arm64"]' + runner-archs: '["amd64"]' dockerfiles: ${{ toJSON(fromJSON(needs.get-changed-files.outputs.dockerfile_files || '[]')) }} + version-tag: ${{ needs.get-changed-files.outputs.version == 'true' }} diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index dc79643..946d9d6 100644 
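Review bot: `version-tag: ${{ needs.get-changed-files.outputs.version == 'true' }}` is true for any event that touches `VERSION`, including `pull_request`, and the trigger still runs on PRs to `main` while build.yml pushes on every run; a PR that edits `VERSION` would therefore publish an image under that version tag, read from the PR's checkout by `cat VERSION` in build.yml's tag step, before the change is merged. Restrict the version tag to pushes, e.g. `version-tag: ${{ github.event_name == 'push' && needs.get-changed-files.outputs.version == 'true' }}`, or gate the whole `build-pun` job on `github.event_name != 'pull_request'`. `paths-filter` also reports a deleted `VERSION` as changed, so the flag can be true when the file no longer exists; that case surfaces in the `@@ -140,16 +143,15 @@` hunk of build.yml where the file is read.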
--- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -18,6 +18,9 @@ on: registry: type: string default: 'harbor.nbfc.io' + version-tag: + type: boolean + default: false secrets: GIT_CLONE_PAT: required: false @@ -140,16 +143,15 @@ jobs: - name: Set Docker tag based on branch or PR id: tag run: | - if [[ "${{ github.event_name }}" == "pull_request" ]]; then - echo "PR detected. Using branch name: ${{ github.head_ref }}." - #SHORT_SHA=$(echo "${GITHUB_SHA}" | cut -c1-7) - echo "TAG=${{ github.head_ref }}" >> $GITHUB_ENV + if [[ ${{ inputs.version-tag }} == true ]]; then + echo "Version change detected. Using version: $( cat VERSION )." + echo "TAG=$( cat VERSION ) " >> $GITHUB_ENV elif [[ "${GITHUB_REF##*/}" == "main" ]]; then - echo "TAG=main" >> $GITHUB_ENV - elif [[ "${GITHUB_REF##*/}" == "staging" ]]; then - echo "TAG=staging" >> $GITHUB_ENV + echo "Change in main branch detected. Using latest tag." + echo "TAG=latest" >> $GITHUB_ENV else SHORT_SHA=$(echo "${GITHUB_SHA}" | cut -c1-7) + echo "Using tag: ${SHORT_SHA}." echo "TAG=${SHORT_SHA}" >> $GITHUB_ENV fi
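Review bot: The new `version-tag` input carries no `description`, so its effect — switching the image tag from `latest`/short SHA to the contents of the `VERSION` file — is only discoverable by reading the tag step much further down the file. Add `description: 'When true, tag the image with the contents of the VERSION file instead of latest or the short SHA'` under `version-tag:`. The other inputs lack descriptions too, but this one changes what gets published and is the most worth documenting at the interface.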
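Review bot: `echo "TAG=$( cat VERSION ) " >> $GITHUB_ENV` has a space before the closing quote, so `TAG` is stored with a trailing space; it is harmless where the shell word-splits `${{ env.TAG }}` but becomes part of the reference anywhere the value is quoted, so write `echo "TAG=$(cat VERSION)" >> "$GITHUB_ENV"` and quote the condition as `if [[ "${{ inputs.version-tag }}" == "true" ]]; then`. `cat VERSION` runs with no check that the file exists or holds a single token: the upstream filter also fires when `VERSION` is deleted, and a file with extra whitespace or a second line yields an empty or malformed tag that this `run` block does not catch because it has no `set -e`. A guard such as `if [[ "${{ inputs.version-tag }}" == "true" && -s VERSION ]]`, with the contents passed through `tr -d '[:space:]'`, fails the step with a clear message instead of handing a broken reference to `docker manifest create` later in the job.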