From 51fe6852e8bb3b1e1f5ae84d4695c7146b6b0585 Mon Sep 17 00:00:00 2001 From: Anastassios Nanos Date: Tue, 22 Oct 2024 14:32:54 +0100 Subject: [PATCH 01/10] ci: Introduce github actions workflow Signed-off-by: Anastassios Nanos --- .github/workflows/build-trigger.yml | 74 +++++++++++ .github/workflows/build.yml | 189 ++++++++++++++++++++++++++++ 2 files changed, 263 insertions(+) create mode 100644 .github/workflows/build-trigger.yml create mode 100644 .github/workflows/build.yml diff --git a/.github/workflows/build-trigger.yml b/.github/workflows/build-trigger.yml new file mode 100644 index 0000000..8f91705 --- /dev/null +++ b/.github/workflows/build-trigger.yml 
@@ -0,0 +1,74 @@ +name: 🍜 Build/publish go runners + +on: + pull_request: + branches: ["main"] + push: + branches: ["main", "staging"] + workflow_dispatch: # build on demand + #schedule: + # - cron: "43 6 * * 0" # build every Sunday at 6:43 AM UTC + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +jobs: + get-changed-files: + runs-on: ubuntu-latest + outputs: + version_files: ${{ steps.filter.outputs.version_files}} + version: ${{ steps.filter.outputs.version }} + dockerfile_files: ${{ steps.filter.outputs.dockerfile_files}} + dockerfile: ${{ steps.filter.outputs.dockerfile }} + go_files: ${{ steps.filter.outputs.go_files}} + go: ${{ steps.filter.outputs.go }} + steps: + - name: Check out code + uses: actions/checkout@v3 + + - name: Get Changed Files + id: filter + uses: dorny/paths-filter@v3 + with: + list-files: 'json' + base: 'main' + filters: | + version: + - '*VERSION' + dockerfile: + - '*Dockerfile' + go: + - '*.go' + - 'Makefile' + - '*.mod' + + - name: Show Changed Files + run: | + echo "Files in dockerfile: ${{ steps.filter.outputs.dockerfile_files }}" + echo "Files in go: ${{ steps.filter.outputs.go_files }}" + echo "dockerfile: ${{ steps.filter.outputs.dockerfile}}" + echo "version: ${{ steps.filter.outputs.version}}" + echo "go: ${{ steps.filter.outputs.go}}" + + build-pun: + needs: [get-changed-files] + name: Pun + if: ${{ needs.get-changed-files.outputs.go == 'true' || needs.get-changed-files.outputs.dockerfile == 'true' }} + uses: ./.github/workflows/build.yml + secrets: inherit + with: + runner: '["gcc", "dind", "2204"]' + runner-archs: '["amd64", "arm64"]' + dockerfiles: ${{ toJSON(fromJSON(needs.get-changed-files.outputs.dockerfile_files || '[]')) }} + + release-pun: + needs: [get-changed-files] + name: Pun + if: ${{ needs.get-changed-files.outputs.version == 'true' }} + uses: ./.github/workflows/build.yml + secrets: inherit + with: + runner: '["gcc", "dind", "2204"]' 
+ runner-archs: '["amd64", "arm64"]' + dockerfiles: ${{ toJSON(fromJSON(needs.get-changed-files.outputs.dockerfile_files || '[]')) }} diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 0000000..a39b8b0 --- /dev/null +++ b/.github/workflows/build.yml 
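Review bot: The `pull_request` trigger feeds unreviewed PR code into `build.yml` with `secrets: inherit`, and that workflow pushes to the registry and cosign-signs the result, so any same-repository PR (which does receive secrets) publishes a signed image under the repository's image name, while fork PRs get no secrets and fail at `docker/login-action`. Gate publication on the event, e.g. `if: github.event_name != 'pull_request' && (needs.get-changed-files.outputs.go == 'true' || needs.get-changed-files.outputs.dockerfile == 'true')`, or add a `push` input to the reusable workflow so PR runs only build. Note also that `dockerfiles` is derived from whatever changed paths match `*Dockerfile`, so a PR that adds a new Dockerfile anywhere in the tree gets it built and pushed. `actions/checkout@v3` and `dorny/paths-filter@v3` are mutable tags; `build.yml` already pins some actions to a full commit SHA, and the same should be done here.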
@@ -0,0 +1,189 @@ +name: 🍜 Build/publish runners + +on: + workflow_call: + inputs: + runner: + type: string + default: '["go", "2204"]' + runner-archs: + type: string + default: '["amd64", "aarch64"]' + dockerfiles: + type: string + default: '["Dockerfile"]' + runner-arch-map: + type: string + default: '[{"amd64":"x86_64", "aarch64":"aarch64", "armv7l":"armv7l"}]' + registry: + type: string + default: 'harbor.nbfc.io' + secrets: + GIT_CLONE_PAT: + required: false + AWS_ACCESS_KEY: + required: false + AWS_SECRET_ACCESS_KEY: + required: false + harbor_user: + required: false + harbor_secret: + required: false + +jobs: + build-all: + runs-on: ${{ format('{0}-{1}', join(fromJSON(inputs.runner), '-'), matrix.arch) }} + #timeout-minutes: 600 + permissions: + contents: write # for uploading the SBOM to the release + packages: write # for uploading the finished container + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + id-token: write # to complete the identity challenge with sigstore/fulcio when running outside of PRs + strategy: + matrix: + dockerfile: ["${{ fromJSON(inputs.dockerfiles) }}"] + arch: ["${{ fromJSON(inputs.runner-archs) }}"] + continue-on-error: true + + env: + REGISTRY: ${{ inputs.registry }} + IMAGE_NAME: ${{ inputs.registry }}/${{ github.repository }} + ARCH: ${{ matrix.arch }} + + steps: + - name: Checkout the repo + uses: actions/checkout@v4 + + - name: Set short SHA + run: echo "SHA_SHORT=${GITHUB_SHA::7}" >> $GITHUB_ENV + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log into registry ${{ env.REGISTRY }} + uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + with: + registry: ${{ env.REGISTRY }} + username: ${{ secrets.harbor_user }} + password: ${{ secrets.harbor_secret }} + + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 + with: + images: ${{ env.IMAGE_NAME }} + tags: | + 
type=sha,prefix=${{ env.ARCH }}- + + - name: Build and push ${{ matrix.dockerfile }}-${{ matrix.arch}} + id: build-and-push + uses: docker/build-push-action@master + with: + context: . + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + push: true + file: ${{ matrix.dockerfile }} + #build-contexts: | + # ${{ steps.base-image-calculator.outputs.base_image }} + provenance: false + + - name: Get image digest + run: | + echo "IMAGE_DIGEST=$(docker inspect \ + ${{ env.REGISTRY }}/${{ github.repository }}:${{ env.ARCH }}-${{ env.SHA_SHORT }} | \ + jq -r '.[0].Id')" >> $GITHUB_ENV + + - name: Install cosign + uses: sigstore/cosign-installer@main + + - name: Sign the published Docker image + env: + COSIGN_EXPERIMENTAL: "true" + DIGEST: ${{steps.build-and-push.outputs.digest}} + run: | + cosign sign --yes ${{ env.REGISTRY }}/${{ github.repository }}@$DIGEST \ + -a "repo=${{github.repository}}" \ + -a "workflow=${{github.workflow}}" \ + -a "ref=${{github.sha}}" \ + -a "author=Nubificus LTD" + + manifest: + needs: [build-all] + runs-on: gcc-dind-2204-amd64 # use the GitHub-hosted runner to build the image + permissions: + contents: write # for uploading the SBOM to the release + packages: write # for uploading the finished container + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + id-token: write # to complete the identity challenge with sigstore/fulcio when running outside of PRs + strategy: + matrix: + dockerfile: ["${{ fromJSON(inputs.dockerfiles) }}"] + env: + REGISTRY: ${{ inputs.registry }} + #TAG: generic + + steps: + - name: Checkout the repo + uses: actions/checkout@v4 + + - name: Set short SHA + run: echo "SHA_SHORT=${GITHUB_SHA::7}" >> $GITHUB_ENV + + - name: Log into registry ${{ inputs.REGISTRY }} + uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + with: + registry: ${{ env.REGISTRY }} + username: ${{ secrets.harbor_user }} + password: ${{ secrets.harbor_secret }} + + - 
name: Set Docker tag based on branch, PR or version + id: tag + run: | + if [[ "${{ github.event_name }}" == "pull_request" ]]; then + echo "PR detected. Using version: ${{ cat VERSION }}." + echo "TAG=${{ cat VERSION }}" >> $GITHUB_ENV + elif [[ "${GITHUB_REF##*/}" == "main" ]]; then + echo "TAG=staging" >> $GITHUB_ENV + else + SHORT_SHA=$(echo "${GITHUB_SHA}" | cut -c1-7) + echo "TAG=${SHORT_SHA}" >> $GITHUB_ENV + fi + + - name: Process runner architectures and create docker manifest + id: create-manifest + run: | + runner_archs='${{ inputs.runner-archs }}' # Using the input string array + amend_command="" + + # Loop over the architectures and build the amend command + for arch in $(echo $runner_archs | jq -r '.[]'); do + amend_command+=" --amend ${{ env.REGISTRY }}/${{ github.repository }}:$arch-${{ env.SHA_SHORT }}" + done + + echo "-------------------- Amend command constructed -------------------" + echo "$amend_command" + + # Create the docker manifest with the amend command + docker manifest create ${{ env.REGISTRY }}/${{ github.repository }}:${{ env.TAG }} $amend_command + + # Optionally push the manifest (comment out if not needed) + # docker manifest push ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.dockerfile }}:${{ env.TAG }} + VAR=`docker manifest push ${{ env.REGISTRY }}/${{ github.repository }}:${{ env.TAG }} | tail -1` + echo "manifest_sha=$VAR" >> "$GITHUB_OUTPUT" + + - name: Install cosign + uses: sigstore/cosign-installer@main + + - name: Sign the published Docker image + env: + COSIGN_EXPERIMENTAL: "true" + DIGEST: ${{steps.create-manifest.outputs.manifest_sha }} + # run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }} + run: | + #cosign sign --yes harbor.nbfc.io/nubificus/${{ github.repository }}/${{ matrix.dockerfile }}:${{ env.ARCH }}-${{ env.SHA_SHORT }}@$DIGEST \ + cosign sign --yes ${{ env.REGISTRY }}/${{ github.repository }}@$DIGEST \ + -a 
"repo=${{github.repository}}" \ + -a "workflow=${{github.workflow}}" \ + -a "ref=${{github.sha}}" \ + -a "author=Nubificus LTD" From 9a9c7042d9ce3dd1d869f4a278a524cc825f2627 Mon Sep 17 00:00:00 2001 From: Anastassios Nanos Date: Tue, 22 Oct 2024 14:38:11 +0100 Subject: [PATCH 02/10] feat: Add more options to Makefile Signed-off-by: Anastassios Nanos --- Makefile | 34 ++++++++++++++++++++++++++++------ VERSION | 1 + 2 files changed, 29 insertions(+), 6 deletions(-) create mode 100644 VERSION diff --git a/Makefile b/Makefile index d4a8cde..8641ab6 100644 --- a/Makefile +++ b/Makefile @@ -1,12 +1,34 @@ +COMMIT := $(shell git describe --dirty --long --always) +VERSION := $(shell cat ./VERSION) +VERSION := $(VERSION)-$(COMMIT) +ARCH := $(shell dpkg --print-architecture) -default: pun +default: build ; prepare: - go mod tidy - go mod vendor + @go mod tidy + @mkdir -p dist -pun: prepare - CGO_ENABLED=0 go build -o $@ --ldflags "-s -w" +build: prepare + @GOOS=linux CGO_ENABLED=0 go build -ldflags "-s -w" -ldflags "-w" -ldflags "-linkmode 'external' -extldflags '-static'" \ + -ldflags "-X main.version=${VERSION}" -o ./dist/pun_${ARCH} ./ + +install: + @mv ./dist/pun_${ARCH} /usr/local/bin/pun + +uninstall: + @rm -f /usr/local/bin/pun clean: - rm -rf pun + @rm -fr ./dist/ + @rm -f ./Tempfile + +build_aarch64: prepare + @GOOS=linux GOARCH=arm64 CGO_ENABLED=0 go build -ldflags "-s -w" -ldflags "-w" -ldflags "-linkmode 'external' -extldflags '-static'" \ + -ldflags "-X main.version=${VERSION}" -o ./dist/pun_aarch64 ./ + +build_amd64: prepare + @GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags "-s -w" -ldflags "-w" -ldflags "-linkmode 'external' -extldflags '-static'" \ + -ldflags "-X main.version=${VERSION}" -o ./dist/pun_amd64 ./ + +all: build_aarch64 build_amd64 diff --git a/VERSION b/VERSION new file mode 100644 index 0000000..6e8bf73 --- /dev/null +++ b/VERSION @@ -0,0 +1 @@ +0.1.0 From 833ad84c8359df5001b54b75f538de1a8ff40851 Mon Sep 17 00:00:00 2001 
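Review bot: `docker/build-push-action@master` and `sigstore/cosign-installer@main` are mutable branch references executed in a job that holds the Harbor credentials and `id-token: write`; a compromise of either default branch would run here with everything needed to push and sign images, so pin both to a full commit SHA as `docker/login-action@28218f9b…` and `docker/metadata-action@98669ae8…` already are. The job-level `permissions` grant `contents: write`, `packages: write` and `security-events: write`, none of which any step in this file uses (the registry is Harbor rather than GHCR, and there is no SBOM or SARIF upload), so reduce them to `permissions: { contents: read, id-token: write }`. The `manifest` job assembles the multi-arch index from mutable `$arch-$SHA_SHORT` tags even though `build-all` already has the exact per-arch digest in `steps.build-and-push.outputs.digest`; passing those digests along (e.g. as artifacts) and amending by `@sha256:…` would make the signed manifest refer to exactly what was built rather than whatever the tag points at by then. `provenance: false` also drops BuildKit's provenance attestation; if that is deliberate (for instance to keep per-arch images as plain manifests for `docker manifest create`), a one-line comment saying so would help the next reader.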
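Review bot: The `build`, `build_aarch64` and `build_amd64` targets pass `-ldflags` four times, and as far as I can tell the go tool keeps only the last matching `-ldflags` value, so `-s -w` and the static/external-link flags are silently discarded and only `-X main.version=${VERSION}` takes effect. Merge them into one flag: `-ldflags "-s -w -X main.version=${VERSION}"`. `-linkmode 'external' -extldflags '-static'` also contradicts `CGO_ENABLED=0`: with cgo disabled the internal linker already produces a static binary suitable for the `FROM scratch` image, so those flags can be dropped rather than fixed. Separately, `prepare` runs `go mod tidy`, which fetches and adds any missing `go.sum` entries instead of failing; for a release build `go mod verify` (or building with `-mod=readonly`) preserves the integrity check `go.sum` is meant to provide.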
From: Anastassios Nanos Date: Tue, 22 Oct 2024 14:53:15 +0100 Subject: [PATCH 03/10] feat: Update Dockerfile Signed-off-by: Anastassios Nanos --- .github/workflows/build-trigger.yml | 2 +- Dockerfile | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build-trigger.yml b/.github/workflows/build-trigger.yml index 8f91705..f6f75d6 100644 --- a/.github/workflows/build-trigger.yml +++ b/.github/workflows/build-trigger.yml @@ -37,7 +37,7 @@ jobs: version: - '*VERSION' dockerfile: - - '*Dockerfile' + - 'Dockerfile' go: - '*.go' - 'Makefile' diff --git a/Dockerfile b/Dockerfile index d6afaf1..c0bd9fb 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,12 +1,12 @@ FROM golang:1.22 AS builder -COPY go.mod /pun/ -COPY go.sum /pun/ -COPY Makefile /pun/ -COPY main.go /pun/ +COPY . /pun + WORKDIR /pun RUN make FROM scratch -COPY --from=builder /pun/pun /bin/pun +ARG TARGETARCH +COPY --from=builder /pun/dist/pun_${TARGETARCH} /bin/pun ENTRYPOINT ["/bin/pun"] + From f2dc81b7cdf5db507f66a1e78d77e0628ab9c26d Mon Sep 17 00:00:00 2001 From: Charalampos Mainas Date: Wed, 23 Oct 2024 15:29:56 +0300 Subject: [PATCH 04/10] Invoke runners Signed-off-by: Charalampos Mainas --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 6e8bf73..17e51c3 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.1.0 +0.1.1 From cabe7aa10a43bc162384d1167d1f6563548592ee Mon Sep 17 00:00:00 2001 From: Charalampos Mainas Date: Wed, 23 Oct 2024 15:35:28 +0300 Subject: [PATCH 05/10] Change cat command Signed-off-by: Charalampos Mainas --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a39b8b0..8a4586d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
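Review bot: `COPY . /pun` pulls the entire build context into the builder stage — `.git` (which `make` does need for `git describe`), any local `dist/` output, editor files and whatever else sits in the checkout — and no `.dockerignore` appears anywhere in this series. Only the `FROM scratch` stage is published, so the exposure is limited to the builder layer and build cache on the runner, but a `.dockerignore` excluding at least `dist/`, `.github/` and any local credential files keeps the context minimal and the cache key stable. `FROM golang:1.22` is a floating tag; pinning it by digest (`golang:1.22@sha256:…`) is consistent with the effort the CI makes to sign the output.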
@@ -141,8 +141,8 @@ jobs: id: tag run: | if [[ "${{ github.event_name }}" == "pull_request" ]]; then - echo "PR detected. Using version: ${{ cat VERSION }}." - echo "TAG=${{ cat VERSION }}" >> $GITHUB_ENV + echo "PR detected. Using version: $( cat VERSION )." + echo "TAG=$( cat VERSION ) " >> $GITHUB_ENV elif [[ "${GITHUB_REF##*/}" == "main" ]]; then echo "TAG=staging" >> $GITHUB_ENV else From 58f996cddc4eda860349814c7b5287c43b43a3b6 Mon Sep 17 00:00:00 2001 From: Charalampos Mainas Date: Wed, 23 Oct 2024 16:59:18 +0300 Subject: [PATCH 06/10] Invoke on branch push and check version change Signed-off-by: Charalampos Mainas --- .github/workflows/build-trigger.yml | 21 ++++----------------- .github/workflows/build.yml | 7 +++++-- 2 files changed, 9 insertions(+), 19 deletions(-) diff --git a/.github/workflows/build-trigger.yml b/.github/workflows/build-trigger.yml index f6f75d6..b81a43f 100644 --- a/.github/workflows/build-trigger.yml +++ b/.github/workflows/build-trigger.yml @@ -1,13 +1,9 @@ name: 🍜 Build/publish go runners on: - pull_request: - branches: ["main"] push: - branches: ["main", "staging"] + branches: ["cm_add_runner"] workflow_dispatch: # build on demand - #schedule: - # - cron: "43 6 * * 0" # build every Sunday at 6:43 AM UTC concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} @@ -46,6 +42,7 @@ jobs: - name: Show Changed Files run: | echo "Files in dockerfile: ${{ steps.filter.outputs.dockerfile_files }}" + echo "Files for version: ${{ steps.filter.outputs.version_files }}" echo "Files in go: ${{ steps.filter.outputs.go_files }}" echo "dockerfile: ${{ steps.filter.outputs.dockerfile}}" echo "version: ${{ steps.filter.outputs.version}}" 
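Review bot: `echo "TAG=$( cat VERSION ) " >> $GITHUB_ENV` writes the file's content into the environment file unvalidated: `$GITHUB_ENV` is parsed one `NAME=value` per line, so a `VERSION` containing a newline followed by `NAME=value` defines extra variables for every later step, and at this point in the series this branch runs on `pull_request`, where `VERSION` comes from the PR head. The trailing space added inside the quotes also becomes part of the tag value. Normalise and check the string before using it as a tag: `v=$(tr -d '[:space:]' < VERSION)`, `[[ "$v" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "bad VERSION: $v" >&2; exit 1; }`, `echo "TAG=$v" >> "$GITHUB_ENV"`. The `tag` step's `run:` block continues past the end of this hunk.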
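Review bot: Narrowing `push` to `branches: ["cm_add_runner"]` while dropping `pull_request` and `main` looks like a temporary test setting rather than the intended trigger: with `main` gone, the `elif [[ "${GITHUB_REF##*/}" == "main" ]]` → `TAG=staging` path in `build.yml` is unreachable, and every push to this personal branch publishes and signs SHA-tagged images with the inherited registry credentials. If it is temporary, a `# TODO: restore main before merge` comment beside it would make that explicit; otherwise `main` should be listed again. The `concurrency.group` still references `github.event.pull_request.number`, which is always empty now that no PR event reaches this workflow.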
@@ -54,21 +51,11 @@ jobs: build-pun: needs: [get-changed-files] name: Pun - if: ${{ needs.get-changed-files.outputs.go == 'true' || needs.get-changed-files.outputs.dockerfile == 'true' }} - uses: ./.github/workflows/build.yml - secrets: inherit - with: - runner: '["gcc", "dind", "2204"]' - runner-archs: '["amd64", "arm64"]' - dockerfiles: ${{ toJSON(fromJSON(needs.get-changed-files.outputs.dockerfile_files || '[]')) }} - - release-pun: - needs: [get-changed-files] - name: Pun - if: ${{ needs.get-changed-files.outputs.version == 'true' }} + if: ${{ needs.get-changed-files.outputs.go == 'true' || needs.get-changed-files.outputs.dockerfile == 'true' }} || ${{ needs.get-changed-files.outputs.version == 'true' }} uses: ./.github/workflows/build.yml secrets: inherit with: runner: '["gcc", "dind", "2204"]' runner-archs: '["amd64", "arm64"]' dockerfiles: ${{ toJSON(fromJSON(needs.get-changed-files.outputs.dockerfile_files || '[]')) }} + version-tag: needs.get-changed-files.outputs.version diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8a4586d..ec3e03d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -18,6 +18,9 @@ on: registry: type: string default: 'harbor.nbfc.io' + version-tag: + type: boolean + default: false secrets: GIT_CLONE_PAT: required: false @@ -140,8 +143,8 @@ jobs: - name: Set Docker tag based on branch, PR or version id: tag run: | - if [[ "${{ github.event_name }}" == "pull_request" ]]; then - echo "PR detected. Using version: $( cat VERSION )." + if [[ ${{ inputs.registry }} == true ]]; then + echo "Version change detected. Using version: $( cat VERSION )." echo "TAG=$( cat VERSION ) " >> $GITHUB_ENV elif [[ "${GITHUB_REF##*/}" == "main" ]]; then echo "TAG=staging" >> $GITHUB_ENV From 9781af0d885142a2fe5d3f4bededffe476bff551 Mon Sep 17 00:00:00 2001 From: Charalampos Mainas Date: Wed, 23 Oct 2024 17:00:28 +0300 Subject: [PATCH 07/10] Set correct format in parameter 
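Review bot: The merged `if:` on `build-pun` places a literal `||` between two separate `${{ }}` blocks, so GitHub substitutes each block into a string rather than evaluating one boolean, and a non-empty string is truthy — the job now runs on every push regardless of what `paths-filter` reported (actionlint reports this pattern as "always evaluated to true"). Put the whole condition in a single expression: `if: ${{ needs.get-changed-files.outputs.go == 'true' || needs.get-changed-files.outputs.dockerfile == 'true' || needs.get-changed-files.outputs.version == 'true' }}`.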
Signed-off-by: Charalampos Mainas --- .github/workflows/build-trigger.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-trigger.yml b/.github/workflows/build-trigger.yml index b81a43f..ec50d71 100644 --- a/.github/workflows/build-trigger.yml +++ b/.github/workflows/build-trigger.yml @@ -58,4 +58,4 @@ jobs: runner: '["gcc", "dind", "2204"]' runner-archs: '["amd64", "arm64"]' dockerfiles: ${{ toJSON(fromJSON(needs.get-changed-files.outputs.dockerfile_files || '[]')) }} - version-tag: needs.get-changed-files.outputs.version + version-tag: ${{ needs.get-changed-files.outputs.version }} From f62b4efd6f200f40bc3137a5170d1c10bdc5f8a1 Mon Sep 17 00:00:00 2001 From: Charalampos Mainas Date: Wed, 23 Oct 2024 17:26:32 +0300 Subject: [PATCH 08/10] Pass the result of string comparison Signed-off-by: Charalampos Mainas --- .github/workflows/build-trigger.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-trigger.yml b/.github/workflows/build-trigger.yml index ec50d71..230e5fa 100644 --- a/.github/workflows/build-trigger.yml +++ b/.github/workflows/build-trigger.yml @@ -58,4 +58,4 @@ jobs: runner: '["gcc", "dind", "2204"]' runner-archs: '["amd64", "arm64"]' dockerfiles: ${{ toJSON(fromJSON(needs.get-changed-files.outputs.dockerfile_files || '[]')) }} - version-tag: ${{ needs.get-changed-files.outputs.version }} + version-tag: ${{ needs.get-changed-files.outputs.version }} == 'true' }} From f4428ac148be350aa6c4484937c4439b03e2cda6 Mon Sep 17 00:00:00 2001 From: Charalampos Mainas Date: Wed, 23 Oct 2024 17:30:02 +0300 Subject: [PATCH 09/10] Forgot brackets Signed-off-by: Charalampos Mainas --- .github/workflows/build-trigger.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-trigger.yml b/.github/workflows/build-trigger.yml index 230e5fa..2357b89 100644 --- a/.github/workflows/build-trigger.yml +++ b/.github/workflows/build-trigger.yml 
@@ -58,4 +58,4 @@ jobs: runner: '["gcc", "dind", "2204"]' runner-archs: '["amd64", "arm64"]' dockerfiles: ${{ toJSON(fromJSON(needs.get-changed-files.outputs.dockerfile_files || '[]')) }} - version-tag: ${{ needs.get-changed-files.outputs.version }} == 'true' }} + version-tag: ${{ needs.get-changed-files.outputs.version == 'true' }} From b4de5f5f46ea7df2bf3d5968450e298aefc606d2 Mon Sep 17 00:00:00 2001 From: Charalampos Mainas Date: Wed, 23 Oct 2024 17:38:30 +0300 Subject: [PATCH 10/10] Check correct input parameter Signed-off-by: Charalampos Mainas --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ec3e03d..1987a4c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -143,7 +143,7 @@ jobs: - name: Set Docker tag based on branch, PR or version id: tag run: | - if [[ ${{ inputs.registry }} == true ]]; then + if [[ ${{ inputs.version-tag }} == true ]]; then echo "Version change detected. Using version: $( cat VERSION )." echo "TAG=$( cat VERSION ) " >> $GITHUB_ENV elif [[ "${GITHUB_REF##*/}" == "main" ]]; then