From 52da9f075d0e4972858cd52c75522025f47a2b84 Mon Sep 17 00:00:00 2001 From: peterdeme Date: Sat, 25 Nov 2023 09:41:03 +0100 Subject: [PATCH] Use Goreleaser, and publish arm64 Signed-off-by: peterdeme --- .github/workflows/build-binary.yml | 22 ++-- .github/workflows/preprod-deployment.yml | 153 ++++++++--------------- .github/workflows/prod-deployment.yml | 2 +- .github/workflows/trivy.yml | 79 ++++++------ .gitignore | 2 + .goreleaser.yaml | 17 +++ Dockerfile | 3 +- 7 files changed, 123 insertions(+), 155 deletions(-) create mode 100644 .goreleaser.yaml diff --git a/.github/workflows/build-binary.yml b/.github/workflows/build-binary.yml index ecd713c..47e237b 100644 --- a/.github/workflows/build-binary.yml +++ b/.github/workflows/build-binary.yml @@ -2,21 +2,21 @@ name: Build Binary on: { push: { branches-ignore: [main, production] } } +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} + cancel-in-progress: true + jobs: - preprod-agent-deployment: - name: Build and upload agent + build-binary: + name: Build binary runs-on: ubuntu-latest container: golang:1.20 - env: - BASE_NAME: spacelift-vcs-agent - BIN_DIR: build - steps: - name: Check out repository code uses: actions/checkout@v4 - - name: Mark source directory as safe. # This is some duct tape over the git version in the Go image complaining about this since one of the 1.19.x versions. Feel free to remove once it doesn't break the build anymore. See https://github.com/actions/runner/issues/2033 and https://github.com/actions/checkout/issues/760#issuecomment-1097797031 + - name: Mark source directory as safe. run: git config --global --add safe.directory $GITHUB_WORKSPACE - name: parse short SHA @@ -24,9 +24,11 @@ jobs: run: | echo ::set-output name=sha::$(git rev-parse --short=8 ${{ github.sha }}) - - name: Build Spacelift VCS Agent - run: go build -a -tags netgo -ldflags "-s -w -extldflags '-static' -X main.VERSION=$SHORT_SHA -X main.BugsnagAPIKey=$BUGSNAG_API_KEY" -trimpath -o $BIN_DIR/$BASE_NAME ./cmd/spacelift-vcs-agent + - name: Run GoReleaser + uses: goreleaser/goreleaser-action@v5 + with: + version: latest + args: release --snapshot env: BUGSNAG_API_KEY: ${{ secrets.PREPROD_BUGSNAG_API_KEY }} - CGO_ENABLED: 0 SHORT_SHA: ${{ steps.vars.outputs.sha }} diff --git a/.github/workflows/preprod-deployment.yml b/.github/workflows/preprod-deployment.yml index 97c8dd5..e3f31a1 100644 --- a/.github/workflows/preprod-deployment.yml +++ b/.github/workflows/preprod-deployment.yml @@ -1,20 +1,16 @@ name: Preprod deployment -on: - push: - branches: - - main +on: [push] + +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} + cancel-in-progress: true jobs: preprod-agent-deployment: name: Build and upload agent runs-on: ubuntu-latest - outputs: - deployment_id: ${{ steps.deployment.outputs.deployment_id }} container: golang:1.20 - env: - BASE_NAME: spacelift-vcs-agent - BIN_DIR: build permissions: id-token: write contents: read @@ -24,34 +20,30 @@ jobs: - name: Check out repository code uses: actions/checkout@v4 - - name: Mark source directory as safe. # This is some duct tape over the git version in the Go image complaining about this since one of the 1.19.x versions. Feel free to remove once it doesn't break the build anymore. See https://github.com/actions/runner/issues/2033 and https://github.com/actions/checkout/issues/760#issuecomment-1097797031 + - name: Mark source directory as safe. run: git config --global --add safe.directory $GITHUB_WORKSPACE - - uses: chrnorm/deployment-action@releases/v1 - name: Create GitHub deployment - if: ${{ github.ref == 'refs/heads/main' }} - id: deployment - with: - token: "${{ github.token }}" - target_url: https://downloads.spacelift.dev/spacelift-vcs-agent - environment: preprod/vcs-agent - - - name: parse short SHA + - name: Parse short SHA id: vars - run: | - echo ::set-output name=sha::$(git rev-parse --short=8 ${{ github.sha }}) + run: echo "sha=$(git rev-parse --short=8 ${{ github.sha }})" >> $GITHUB_OUTPUT - - name: Build Spacelift VCS Agent - run: go build -a -tags netgo -ldflags "-s -w -extldflags '-static' -X main.VERSION=$SHORT_SHA -X main.BugsnagAPIKey=$BUGSNAG_API_KEY" -trimpath -o $BIN_DIR/$BASE_NAME ./cmd/spacelift-vcs-agent + - name: Fake tag for GoReleaser + if: ${{ github.ref == 'refs/heads/main' }} + run: git tag -a v0.0.0 + + - name: Run GoReleaser + uses: goreleaser/goreleaser-action@v5 + with: + version: latest + args: release --snapshot=${{ github.ref != 'refs/heads/main' }} env: BUGSNAG_API_KEY: ${{ secrets.PREPROD_BUGSNAG_API_KEY }} - CGO_ENABLED: 0 SHORT_SHA: ${{ steps.vars.outputs.sha }} - name: Install dependencies run: | apt-get update -y - apt-get install -y awscli zip + apt-get install -y awscli - name: Import the PGP key run: | @@ -66,69 +58,48 @@ jobs: GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} - name: Sign Spacelift VCS Agent Binary - run: ./scripts/sign.sh $BIN_DIR $BASE_NAME + run: | + chmod 755 ./dist/vcs-agent_linux_amd64_v1/spacelift-vcs-agent + ./scripts/sign.sh ./dist/vcs-agent_linux_amd64_v1 spacelift-vcs-agent + ./scripts/verify.sh ./dist/vcs-agent_linux_amd64_v1 spacelift-vcs-agent + + chmod 755 ./dist/vcs-agent_linux_arm64/spacelift-vcs-agent + ./scripts/sign.sh ./dist/vcs-agent_linux_arm64 spacelift-vcs-agent + ./scripts/verify.sh ./dist/vcs-agent_linux_arm64 spacelift-vcs-agent env: GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }} GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} - SHORT_SHA: ${{ steps.vars.outputs.sha }} - - - name: Verify Checksum Spacelift VCS Agent Binary - run: ./scripts/verify.sh $BIN_DIR $BASE_NAME - env: - SHORT_SHA: ${{ steps.vars.outputs.sha }} - - - name: Upload the VCS Agent binary - uses: actions/upload-artifact@v3 - with: - name: vcs-agent-binary - path: build/ - retention-days: 1 - - - name: Update deployment status (failure) - uses: chrnorm/deployment-status@releases/v1 - if: failure() && ${{ github.ref == 'refs/heads/main' }} - with: - token: "${{ github.token }}" - target_url: https://downloads.spacelift.dev/spacelift-vcs-agent - state: "failure" - deployment_id: ${{ steps.deployment.outputs.deployment_id }} - - publish-preprod-agent-deployment: - name: Upload VCS agent binary and container image - needs: ["preprod-agent-deployment"] - runs-on: ubuntu-latest - - env: - BIN_DIR: build - permissions: - id-token: write - contents: read - deployments: write - - steps: - - name: Check out repository code - uses: actions/checkout@v4 - - - name: Download the VCS Agent binary - uses: actions/download-artifact@v3 - with: - name: vcs-agent-binary - path: ./build - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4 - if: ${{ github.ref == 'refs/heads/main' }} with: aws-region: eu-west-1 role-to-assume: ${{ secrets.PREPROD_AWS_ROLE_TO_ASSUME }} role-duration-seconds: 900 - - name: Upload the VCS Agent binary to downloads.spacelift.dev - if: ${{ github.ref == 'refs/heads/main' }} + - name: Put the binaries to the right place + run: | + mkdir -p build + cp dist/vcs-agent_linux_amd64_v1/spacelift-vcs-agent build/spacelift-vcs-agent + cp dist/vcs-agent_linux_amd64_v1/spacelift-vcs-agent_SHA256SUMS build/spacelift-vcs-agent_SHA256SUMS + cp dist/vcs-agent_linux_amd64_v1/spacelift-vcs-agent_SHA256SUMS.sig build/spacelift-vcs-agent_SHA256SUMS.sig + + cp dist/vcs-agent_linux_amd64_v1/spacelift-vcs-agent build/spacelift-vcs-agent-amd64 + cp dist/vcs-agent_linux_amd64_v1/spacelift-vcs-agent_SHA256SUMS build/spacelift-vcs-agent-amd64_SHA256SUMS + cp dist/vcs-agent_linux_amd64_v1/spacelift-vcs-agent_SHA256SUMS.sig build/spacelift-vcs-agent-amd64_SHA256SUMS.sig + + cp dist/vcs-agent_linux_arm64/spacelift-vcs-agent build/spacelift-vcs-agent-aarch64 + cp dist/vcs-agent_linux_arm64/spacelift-vcs-agent_SHA256SUMS build/spacelift-vcs-agent-aarch64_SHA256SUMS + cp dist/vcs-agent_linux_arm64/spacelift-vcs-agent_SHA256SUMS.sig build/spacelift-vcs-agent-aarch64_SHA256SUMS.sig + + # In case you're interested: + ls -l build + + - name: Upload the VCS Agent binaries to downloads.spacelift.dev run: >- aws s3 sync - ${BIN_DIR} s3://${{ secrets.PREPROD_AWS_S3_BUCKET }}/ - --no-progress + build/ s3://${{ secrets.PREPROD_AWS_S3_BUCKET }} + --no-progress ${{ github.ref != 'refs/heads/main' && '--dryrun' || '' }} - name: Invalidate downloads.spacelift.dev cache if: ${{ github.ref == 'refs/heads/main' }} @@ -141,36 +112,18 @@ jobs: if: ${{ github.ref == 'refs/heads/main' }} run: aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws - # This will be needed in the future for adding multi architecture build support - # - name: Set up QEMU - # uses: docker/setup-qemu-action@v3 - - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + with: + platforms: linux/amd64,linux/arm64 + - name: Build and push the image uses: docker/build-push-action@v5 with: - context: . - platforms: linux/amd64 + platforms: linux/amd64,linux/arm64 push: ${{ github.ref == 'refs/heads/main' }} tags: | ${{ secrets.PREPROD_PUBLIC_VCS_AGENT_ECR_REPOSITORY_URL }}:latest - - - name: Update deployment status (success) - uses: chrnorm/deployment-status@releases/v1 - if: success() && ${{ github.ref == 'refs/heads/main' }} - with: - token: "${{ github.token }}" - target_url: https://downloads.spacelift.dev/spacelift-vcs-agent - state: "success" - deployment_id: ${{ needs.preprod-agent-deployment.outputs.deployment_id }} - - - name: Update deployment status (failure) - uses: chrnorm/deployment-status@releases/v1 - if: failure() && ${{ github.ref == 'refs/heads/main' }} - with: - token: "${{ github.token }}" - target_url: https://downloads.spacelift.dev/spacelift-vcs-agent - state: "failure" - deployment_id: ${{ needs.preprod-agent-deployment.outputs.deployment_id }} diff --git a/.github/workflows/prod-deployment.yml b/.github/workflows/prod-deployment.yml index 9d8b50a..7adf040 100644 --- a/.github/workflows/prod-deployment.yml +++ b/.github/workflows/prod-deployment.yml @@ -24,7 +24,7 @@ jobs: - name: Check out repository code uses: actions/checkout@v4 - - name: Mark source directory as safe. # This is some duct tape over the git version in the Go image complaining about this since one of the 1.19.x versions. Feel free to remove once it doesn't break the build anymore. See https://github.com/actions/runner/issues/2033 and https://github.com/actions/checkout/issues/760#issuecomment-1097797031 + - name: Mark source directory as safe. run: git config --global --add safe.directory $GITHUB_WORKSPACE - uses: chrnorm/deployment-action@releases/v1 diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 86e2439..e75ecbd 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -13,75 +13,68 @@ jobs: name: Build runs-on: ubuntu-latest - env: - BASE_NAME: spacelift-vcs-agent - BIN_DIR: build - steps: - name: Checkout uses: actions/checkout@v4 with: { fetch-depth: 0 } - - name: Set up Go + - name: Mark source directory as safe. + run: git config --global --add safe.directory $GITHUB_WORKSPACE + + - name: Setup Go uses: actions/setup-go@v4 - with: { go-version: 1.18 } + with: { go-version: "1.20" } - name: parse short SHA id: vars run: | echo ::set-output name=sha::$(git rev-parse --short=8 ${{ github.sha }}) - - name: Build Spacelift VCS Agent - run: go build -a -tags netgo -ldflags "-s -w -extldflags '-static' -X main.VERSION=$SHORT_SHA -X main.BugsnagAPIKey=$BUGSNAG_API_KEY" -trimpath -o $BIN_DIR/$BASE_NAME ./cmd/spacelift-vcs-agent + - name: Run GoReleaser + uses: goreleaser/goreleaser-action@v5 + with: + version: latest + args: release --snapshot env: BUGSNAG_API_KEY: ${{ secrets.BUGSNAG_API_KEY }} - CGO_ENABLED: 0 SHORT_SHA: ${{ steps.vars.outputs.sha }} - - name: Archive artifacts for use in Docker build - uses: actions/upload-artifact@v3 - with: - name: build - path: | - build - - analyze: - name: Analyze with Trivy - needs: build - runs-on: ubuntu-latest - - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Download build artifacts - uses: actions/download-artifact@v3 + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 with: - name: build - path: build + platforms: "linux/amd64,linux/arm64" - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + - name: Build Docker image + run: | + docker build --platform linux/amd64 -t spacelift-vcs-agent:${{ github.sha }}-amd64 . + docker build --platform linux/arm64 -t spacelift-vcs-agent:${{ github.sha }}-arm64 . - - name: Build and push the image - uses: docker/build-push-action@v5 + - name: Run Trivy vulnerability scanner (amd64) + uses: aquasecurity/trivy-action@master with: - context: . - push: false - load: true - tags: "spacelift-vcs-agent:${{ github.sha }}" + image-ref: "spacelift-vcs-agent:${{ github.sha }}-amd64" + format: "template" + template: "@/contrib/sarif.tpl" + output: "trivy-results-amd64.sarif" + severity: "CRITICAL,HIGH" - - name: Run Trivy vulnerability scanner + - name: Run Trivy vulnerability scanner (arm64) uses: aquasecurity/trivy-action@master with: - image-ref: "spacelift-vcs-agent:${{ github.sha }}" + image-ref: "spacelift-vcs-agent:${{ github.sha }}-arm64" format: "template" template: "@/contrib/sarif.tpl" - output: "trivy-results.sarif" + output: "trivy-results-arm64.sarif" severity: "CRITICAL,HIGH" - - name: Upload Trivy scan results to GitHub Security tab + - name: Upload Trivy scan results to GitHub Security tab (amd64) + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: "trivy-results-amd64.sarif" + category: "Trivy (amd64)" + + - name: Upload Trivy scan results to GitHub Security tab (arm64) uses: github/codeql-action/upload-sarif@v2 with: - sarif_file: "trivy-results.sarif" - category: "Trivy" + sarif_file: "trivy-results-arm64.sarif" + category: "Trivy (arm64)" diff --git a/.gitignore b/.gitignore index 723794d..f9e1b13 100644 --- a/.gitignore +++ b/.gitignore @@ -20,3 +20,5 @@ # Binary cmd/spacelift-vcs-agent/spacelift-vcs-agent + +dist/ diff --git a/.goreleaser.yaml b/.goreleaser.yaml new file mode 100644 index 0000000..94d7fc5 --- /dev/null +++ b/.goreleaser.yaml @@ -0,0 +1,17 @@ +builds: + - main: ./cmd/spacelift-vcs-agent + binary: spacelift-vcs-agent + env: [CGO_ENABLED=0] + goos: [linux] + goarch: [amd64, arm64] + flags: [-trimpath] + tags: [netgo] + ldflags: + - "-s -w -extldflags '-static' -X main.VERSION={{.Env.SHORT_SHA}} -X main.BugsnagAPIKey={{.Env.BUGSNAG_API_KEY}}" + +changelog: + skip: true + +archives: + # This disables the archive step entirely + - format: binary diff --git a/Dockerfile b/Dockerfile index 51df8c4..d85a169 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,11 +1,12 @@ FROM alpine:3.18 +ARG TARGETARCH RUN apk add --no-cache ca-certificates RUN apk upgrade --update-cache --available RUN adduser --disabled-password --no-create-home --uid=1983 spacelift -COPY build/spacelift-vcs-agent /usr/bin/spacelift-vcs-agent +COPY dist/vcs-agent_linux_${TARGETARCH}*/spacelift-vcs-agent /usr/bin/spacelift-vcs-agent RUN chmod +x /usr/bin/spacelift-vcs-agent