Merge pull request #357 from jiaqiluo/gha-1-27

.github/workflows/fossa.yaml

@@ -0,0 +1,31 @@
+name: Run Fossa Scan
+
+on:
+  push:
+    tags:
+      - '*'
+
+jobs:
+  fossa:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write # needed for the Vault authentication
+    continue-on-error: true # we know that fossa test will report errors
+    steps:
+      - name: Load Secrets from Vault
+        uses: rancher-eio/read-vault-secrets@main
+        with:
+          secrets: |
+            secret/data/github/repo/${{ github.repository }}/fossa/credentials token | FOSSA
+      - name: Checkout Repo
+        uses: actions/checkout@v4
+      - name: Run Fossa analyze
+        uses: fossas/[email protected]
+        with:
+          api-key: ${{ env.FOSSA }}
+      - name: Run Fossa test
+        uses: fossas/[email protected]
+        with:
+          api-key: ${{ env.FOSSA }}
+          run-tests: true

.github/workflows/release.yaml

@@ -0,0 +1,117 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - '*'
+
+env:
+  IMAGE: rancher/hyperkube
+
+jobs:
+  build-push-images:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write # needed for the Vault authentication
+    strategy:
+      fail-fast: true
+      matrix:
+        os: [linux]
+        arch: [amd64, arm64]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Setup Environment Variables
+        run: |
+          echo "ARCH=${{ matrix.arch }}" >> "$GITHUB_ENV"
+          echo "K8S_VERSION=$( echo ${{ github.ref_name }} | tr -s " " | cut -d "-" -f1 )" >> "$GITHUB_ENV"
+      - name: Prepare binaries
+        run: make k8s-binaries
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.IMAGE }}
+          flavor: |
+            latest=false
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Load Secrets from Vault
+        uses: rancher-eio/read-vault-secrets@main
+        with:
+          secrets: |
+            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
+            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ env.DOCKER_USERNAME }}
+          password: ${{ env.DOCKER_PASSWORD }}
+      - name: Build and push Docker image
+        id: build
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: "${{ steps.meta.outputs.tags }}"
+          platforms: "${{ matrix.os }}/${{ matrix.arch }}"
+          labels: "${{ steps.meta.outputs.labels }}"
+      - name: Export digest
+        run: |
+          mkdir -p /tmp/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "/tmp/digests/${digest#sha256:}"
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: "digests-${{ matrix.os }}-${{ matrix.arch }}"
+          path: /tmp/digests/*
+          if-no-files-found: error
+          retention-days: 7
+          overwrite: true
+
+  merge:
+    runs-on: ubuntu-latest
+    needs:
+      - build-push-images
+    permissions:
+      contents: read
+      id-token: write # needed for the Vault authentication
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: /tmp/digests
+          pattern: digests-*
+          merge-multiple: true
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.IMAGE }}
+          flavor: |
+            latest=false
+            - name: Load Secrets from Vault
+              uses: rancher-eio/read-vault-secrets@main
+              with:
+                secrets: |
+                  secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
+                  secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ env.DOCKER_USERNAME }}
+          password: ${{ env.DOCKER_PASSWORD }}
+      - name: Create manifest list and push
+        working-directory: /tmp/digests
+        run: |
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf '${{ env.IMAGE }}@sha256:%s ' *)
+      - name: Inspect image
+        run: |
+          docker buildx imagetools inspect ${{ env.IMAGE }}:${{ steps.meta.outputs.version }}

.github/workflows/test-prepare-binaries.yaml

@@ -0,0 +1,24 @@
+name: Test Prepare Binaries
+
+on:
+  push:
+    branches:
+      - "*"
+  pull_request:
+
+jobs:
+  tests:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        arch: [ amd64, arm64 ]
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Setup Environment Variables
+        run: |
+          echo "ARCH=${{ matrix.arch }}" >> "$GITHUB_ENV"
+      - name: Prepare binaries
+        run: make k8s-binaries

.github/workflows/trivy.yaml

@@ -0,0 +1,28 @@
+name:  Run Trivy scan
+
+on:
+  push:
+    tags:
+      - '*'
+  pull_request:
+
+
+jobs:
+  trivy:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v4
+      - name: Get base image
+        run: |
+          image=$(grep hyperkube-base Dockerfile | awk '{ print $2 }')
+          echo "HYPERKUBE=${image}"
+          echo "HYPERKUBE=${image}" >> "$GITHUB_ENV"
+      - name: Run Trivy scanner
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref:  ${{ env.HYPERKUBE }}
+          exit-code: '1'
+          severity: 'CRITICAL,HIGH'

.gitignore

@@ -1,2 +1,3 @@
 k8s-tars/
-k8s-binaries/
+k8s-binaries/
+.idea/