From 771cc3533ed84dbddf027d42185bd65b54d446e9 Mon Sep 17 00:00:00 2001 From: Prithak Sharma Date: Mon, 18 Dec 2023 10:12:25 +0000 Subject: [PATCH] refactor: add github actions for docker image push - refactor existing github actions for image and binary push - add exceptions for trivy scanner --- .github/workflows/build.yaml | 18 ++++---- .github/workflows/release.yaml | 84 +++++++++++++++++++++++++++++++++- .trivy-config/.trivyignore | 24 ++++++++++ CHANGELOG.md | 6 +++ Dockerfile | 4 +- dev.Dockerfile | 2 +- 6 files changed, 124 insertions(+), 14 deletions(-) create mode 100644 .trivy-config/.trivyignore diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 3d6c15c6..fbc35316 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -5,8 +5,7 @@ on: tags-ignore: - '*' branches: - #- '*' - - 'KS-*' + - '*' pull_request: branches: ['main', 'master'] @@ -43,7 +42,7 @@ jobs: - name: Build run: go build -v ./... - build-scan-push-image: + build-scan-docker-images: runs-on: ubuntu-latest needs: lint-and-build steps: @@ -58,7 +57,7 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - - name: Login to Docker Hub # for testing the credentials + - name: Login to Docker Hub uses: docker/login-action@v2 with: username: ${{ secrets.DOCKERHUB_USERNAME }} @@ -69,16 +68,17 @@ jobs: with: context: . file: ./dev.Dockerfile - tags: 'controlplane/simulator:dev' + tags: | + controlplane/simulator:dev load: true - push: false # for testing + push: false - name: Run Trivy vulnerability scanner on the dev image uses: aquasecurity/trivy-action@master with: image-ref: 'controlplane/simulator:dev' format: 'table' - exit-code: '0' + exit-code: '1' vuln-type: 'os,library' severity: 'CRITICAL,HIGH' 
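Review bot: The `Login to Docker Hub` step kept in build.yaml (the hunk only drops its `# for testing the credentials` comment) is no longer needed, because both image builds in this workflow are `push: false`, yet it now places registry credentials into a job triggered by every branch push (`branches: - '*'`) and by pull requests. On `pull_request` events from forks the secrets expand to empty strings and the login step will most likely fail the job before the Trivy scan ever runs. Unless the login is deliberately kept to avoid anonymous pull rate limits, remove the step; otherwise gate it with `if: github.event_name != 'pull_request'` and record the rate-limit reason in a comment above it.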
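Review bot: Switching the dev-image scan to `exit-code: '1'` makes the Trivy step a hard gate for the build, but the tool making that decision is pulled from `uses: aquasecurity/trivy-action@master`, a mutable branch, so its behaviour (or its integrity) can change between runs with no change in this repository. The same commit pins every base image in dev.Dockerfile by sha256 digest; the third-party actions in this job (`trivy-action@master`, `login-action@v2`, `build-push-action@v5`) deserve the same treatment. Pin each to a release tag and preferably that tag's full commit SHA, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha> # vX.Y.Z`. The `@master` reference itself is an unchanged context line here; it is the new exit code that makes it matter.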
@@ -96,7 +96,7 @@ jobs: with: image-ref: controlplane/simulator:${{ github.sha }} format: 'table' - exit-code: '0' # TODO: change to 1 when we have no more vulnerabilities + exit-code: '1' vuln-type: 'os,library' severity: 'CRITICAL,HIGH' - + trivyignores: './.trivy-config/.trivyignore' diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 0ee2ab7a..8ad930fd 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -1,4 +1,4 @@ -name: release-binary +name: release-binary-docker-images on: push: 
@@ -10,13 +10,93 @@ permissions: contents: write jobs: + build-push-docker-images: + runs-on: ubuntu-latest + steps: + - name: Checkout source code + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Login to Docker Hub + uses: docker/login-action@v2 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Build and tag dev image + uses: docker/build-push-action@v5 + with: + context: . + file: ./dev.Dockerfile + tags: | + controlplane/simulator:dev + load: true + push: false + + - name: Run Trivy vulnerability scanner on the dev image + uses: aquasecurity/trivy-action@master + with: + image-ref: 'controlplane/simulator:dev' + format: 'table' + exit-code: '1' + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' + + - name: Build and tag simulator image + uses: docker/build-push-action@v5 + with: + context: . + file: ./Dockerfile + tags: controlplane/simulator:${{ github.ref_name }} + load: true + push: false + + - name: Run Trivy vulnerability scanner on simulator image + uses: aquasecurity/trivy-action@master + with: + image-ref: controlplane/simulator:${{ github.ref_name }} + format: 'table' + exit-code: '1' + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' + trivyignores: './.trivy-config/.trivyignore' + + - name: Build and push dev image ## should use cache image from the previous step + uses: docker/build-push-action@v5 + with: + context: . + file: ./dev.Dockerfile + tags: 'controlplane/simulator:dev' + load: false ## push and load cannot be set at the same time + push: true + + - name: pull dev image + run: | + docker images ls + docker pull controlplane/simulator:dev + docker images ls + + - name: Build and push simulator image ## should use cache image from the previous step + uses: docker/build-push-action@v5 + with: + context: . 
+ file: ./Dockerfile + tags: | + controlplane/simulator:${{ github.ref_name }} + controlplane/simulator:latest + load: false + push: true + goreleaser: runs-on: ubuntu-latest + name: goreleaser + needs: build-push-docker-images steps: - name: Checkout uses: actions/checkout@v4 with: - fetch-depth: 0 # Shallow clones should be disabled for a releaser + fetch-depth: 0 - name: Setup Go uses: actions/setup-go@v4 diff --git a/.trivy-config/.trivyignore b/.trivy-config/.trivyignore new file mode 100644 index 00000000..89dd8835 --- /dev/null +++ b/.trivy-config/.trivyignore @@ -0,0 +1,24 @@ +## these following are not fixed in the upstream yet, so we are ignoring them for now +# packer-plugin-amazon_v1.2.8_x5.0_linux_amd64 +# registry.terraform.io/hashicorp/template/2.2.0/linux_amd64/terraform-provider-template_v2.2.0_x4 +CVE-2023-39325 +GHSA-m425-mq94-257g +CVE-2022-26945 +CVE-2022-30321 +CVE-2022-30322 +CVE-2022-30323 +CVE-2019-19316 +CVE-2020-16845 +CVE-2021-29482 +CVE-2020-29652 +CVE-2020-7919 +CVE-2020-9283 +CVE-2021-43565 +CVE-2022-27191 +CVE-2019-9512 +CVE-2019-9514 +CVE-2021-33194 +CVE-2022-27664 +CVE-2022-41723 +CVE-2021-38561 +CVE-2022-32149 diff --git a/CHANGELOG.md b/CHANGELOG.md index 348055a7..6cca8f19 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file. ## Table of Contents +- [2.0.0](#200) + +## `2.0.0` + +- New scenarios format and API + - [2.0.0-alpha1](#200-alpha1) ## `2.0.0-alpha1` diff --git a/Dockerfile b/Dockerfile index 31243ba1..beb388be 100644 --- a/Dockerfile +++ b/Dockerfile 
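Review bot: In the new `build-push-docker-images` job the image Trivy scans is not the image that is pushed: the two `Build and push ...` steps at the end run `docker/build-push-action` again with `push: true`, and because `Dockerfile` now runs `packer init -upgrade` and `terraform init -upgrade`, a rebuild can resolve newer plugin/provider versions than the scanned build did (a layer-cache hit is likely but not guaranteed, and the `## should use cache image` comments only hope for it). The first builds already `load: true` into the local daemon, so push those exact images with the Docker CLI and apply `latest` via `docker tag`, which also removes the need for the `pull dev image` step. In that step `docker images ls` filters for a repository literally named `ls` and prints nothing useful; `docker image ls` was intended. Separately, `aquasecurity/trivy-action@master` and `docker/login-action@v2` are floating references in a job that holds Docker Hub push credentials and `contents: write`; pin them to a release tag plus full commit SHA, as the Dockerfiles already pin base images by digest.

```yaml
      # … unchanged: checkout, login, build (load: true) and Trivy scan of dev and simulator images …

      - name: Push scanned dev image
        run: docker push controlplane/simulator:dev

      - name: Push scanned simulator image
        run: |
          docker tag controlplane/simulator:${{ github.ref_name }} controlplane/simulator:latest
          docker push controlplane/simulator:${{ github.ref_name }}
          docker push controlplane/simulator:latest
```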
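Review bot: Each ID in the new `.trivyignore` suppresses that vulnerability everywhere in the scanned image, not only in the two binaries the header comment names, so entries such as CVE-2023-39325, CVE-2022-27664 and CVE-2022-41723 (Go networking-stack findings) would also be hidden if they surface in the simulator binary or any other Go tool in the image. Give each entry a one-line justification naming the affected package and an expiry so the list is forced back under review; recent Trivy versions accept `CVE-2023-39325 exp:YYYY-MM-DD # packer-plugin-amazon, unfixed upstream` (confirm against the Trivy version the action actually runs, which is unknown with `@master`). Because the Dockerfile now uses `packer init -upgrade` / `terraform init -upgrade`, the versions cited in the comment (`v1.2.8`, `v2.2.0`) will drift, and the "not fixed in the upstream yet" claim should be re-verified at each release rather than left open-ended.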
@@ -4,5 +4,5 @@ COPY --chown=ubuntu:ubuntu packer packer COPY --chown=ubuntu:ubuntu terraform terraform COPY --chown=ubuntu:ubuntu ansible ansible -RUN cd packer && packer init bastion.pkr.hcl && packer init k8s.pkr.hcl -RUN cd terraform/workspaces/simulator && terraform init -backend=false +RUN cd packer && packer init -upgrade bastion.pkr.hcl && packer init -upgrade k8s.pkr.hcl +RUN cd terraform/workspaces/simulator && terraform init -upgrade -backend=false diff --git a/dev.Dockerfile b/dev.Dockerfile index 85e5908b..b00ce920 100644 --- a/dev.Dockerfile +++ b/dev.Dockerfile @@ -1,6 +1,6 @@ ARG GOLANG_IMAGE=golang:1.21.5-alpine3.19@sha256:55f716237933c85cee01748700755b4ac8736fb1ca974c9aed051691b68d6dc2 ARG GOLANGCI_LINT_IMAGE=golangci/golangci-lint:latest@sha256:fb70c9b2e6d0763141f057abcafde7f88d5e4bb3b5882d6b14bc79382f04481c -ARG PACKER_IMAGE=hashicorp/packer:1.10@sha256:00dcbbc0e5a3346a9d8b7ea97d86d2e1deb5be4191e027499646242fdb1768b6 +ARG PACKER_IMAGE=hashicorp/packer:1.10@sha256:a10638519af09f5ecad52b6eb4eab489377e4e89f30ea46832f1f401a234d783 ARG TERRAFORM_IMAGE=hashicorp/terraform:1.6@sha256:d593c353357a3db5a795c2ba0b998580cf12bad9125807bd877092c2e813279b ARG UBUNTU_IMAGE=ubuntu:mantic@sha256:8d093e0651575a6437cc4a3d561f892a345d263aeac6156ef378fe6a4ccabd4c
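Review bot: Adding `-upgrade` to both `packer init` and `terraform init` makes the image contents depend on build time rather than on the repository: `terraform init -upgrade` selects the newest provider versions the constraints allow and rewrites the lock file instead of honouring the committed one, and `packer init -upgrade` does the same for plugins, so two builds of the same commit can ship different third-party binaries and a Trivy pass on one build says nothing about the next. If newer plugins are wanted, pin them explicitly in the `required_plugins` / `required_providers` blocks, commit the refreshed lock file, and build with plain `packer init` / `terraform init` (I cannot see the HCL or lock files in this patch, so confirm they are committed). At minimum document the trade-off above the RUN lines, e.g. `# NOTE: -upgrade resolves plugin/provider versions at build time, not from the committed lock files`.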