Merge pull request #62 from spacelift-io/main

Production deployment 🎁
spacelift-io · Aug 17, 2023 · 8786c89 · 8786c89
2 parents c6811f6 + 6637d3d
commit 8786c89
Show file tree

Hide file tree

Showing 8 changed files with 289 additions and 38 deletions.
diff --git a/.github/workflows/preprod-deployment.yml b/.github/workflows/preprod-deployment.yml
@@ -1,16 +1,17 @@
 name: Preprod deployment
 
 on:
-  push:
+  push: 
     branches:
       - main
 
 jobs:
   preprod-agent-deployment:
     name: Build and upload agent
     runs-on: ubuntu-latest
+    outputs:
+      deployment_id: ${{ steps.deployment.outputs.deployment_id }}
     container: golang:1.20
-
     env:
       BASE_NAME: spacelift-vcs-agent
       BIN_DIR: build
@@ -23,18 +24,12 @@ jobs:
       - name: Check out repository code
         uses: actions/checkout@master
 
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v2
-        with:
-          aws-region: eu-west-1
-          role-to-assume: ${{ secrets.PREPROD_AWS_ROLE_TO_ASSUME }}
-          role-duration-seconds: 900
-
       - name: Mark source directory as safe. # This is some duct tape over the git version in the Go image complaining about this since one of the 1.19.x versions. Feel free to remove once it doesn't break the build anymore. See https://github.com/actions/runner/issues/2033 and https://github.com/actions/checkout/issues/760#issuecomment-1097797031
         run: git config --global --add safe.directory $GITHUB_WORKSPACE
 
       - uses: chrnorm/deployment-action@releases/v1
         name: Create GitHub deployment
+        if: ${{ github.ref == 'refs/heads/main' }}
         id: deployment
         with:
           token: "${{ github.token }}"
@@ -82,32 +77,101 @@ jobs:
         env:
           SHORT_SHA: ${{ steps.vars.outputs.sha }}
 
+      - name: Upload the VCS Agent binary
+        uses: actions/upload-artifact@v3
+        with:
+          name: vcs-agent-binary
+          path: build/
+          retention-days: 1
+
+      - name: Update deployment status (failure)
+        uses: chrnorm/deployment-status@releases/v1
+        if: failure() && ${{ github.ref == 'refs/heads/main' }}
+        with:
+          token: "${{ github.token }}"
+          target_url: https://downloads.spacelift.dev/spacelift-vcs-agent
+          state: "failure"
+          deployment_id: ${{ steps.deployment.outputs.deployment_id }}
+
+  publish-preprod-agent-deployment:
+    name: Upload VCS agent binary and container image
+    needs: ["preprod-agent-deployment"]
+    runs-on: ubuntu-latest
+
+    env:
+      BIN_DIR: build
+    permissions:
+      id-token: write
+      contents: read
+      deployments: write
+
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@master
+
+      - name: Download the VCS Agent binary
+        uses: actions/download-artifact@v3
+        with:
+          name: vcs-agent-binary
+          path: ./build
+          retention-days: 1
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        if: ${{ github.ref == 'refs/heads/main' }}
+        with:
+          aws-region: eu-west-1
+          role-to-assume: ${{ secrets.PREPROD_AWS_ROLE_TO_ASSUME }}
+          role-duration-seconds: 900
+
       - name: Upload the VCS Agent binary to downloads.spacelift.dev
+        if: ${{ github.ref == 'refs/heads/main' }}
         run: >-
           aws s3 sync
           ${BIN_DIR} s3://${{ secrets.PREPROD_AWS_S3_BUCKET }}/
           --no-progress
 
       - name: Invalidate downloads.spacelift.dev cache
+        if: ${{ github.ref == 'refs/heads/main' }}
         run: >-
           aws cloudfront create-invalidation
           --distribution-id ${{ secrets.PREPROD_DISTRIBUTION }}
           --paths "/*"
 
+      - name: Log in to Amazon public ECR
+        if: ${{ github.ref == 'refs/heads/main' }}
+        run: aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
+
+    # This will be needed in the future for adding multi architecture build support
+    #  - name: Set up QEMU
+    #    uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Build and push the image
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          platforms: linux/amd64
+          push: ${{ github.ref == 'refs/heads/main' }}
+          tags: |
+            ${{ secrets.PREPROD_PUBLIC_VCS_AGENT_ECR_REPOSITORY_URL }}:latest
+
       - name: Update deployment status (success)
-        uses: chrnorm/deployment-status@releases/v1
-        if: success()
+        uses: chrnorm/deployment-status@releases/v1        
+        if: success() && ${{ github.ref == 'refs/heads/main' }}
         with:
           token: "${{ github.token }}"
           target_url: https://downloads.spacelift.dev/spacelift-vcs-agent
           state: "success"
-          deployment_id: ${{ steps.deployment.outputs.deployment_id }}
+          deployment_id: ${{ needs.preprod-agent-deployment.outputs.deployment_id }}
 
       - name: Update deployment status (failure)
         uses: chrnorm/deployment-status@releases/v1
-        if: failure()
+        if: failure() && ${{ github.ref == 'refs/heads/main' }}
         with:
           token: "${{ github.token }}"
           target_url: https://downloads.spacelift.dev/spacelift-vcs-agent
           state: "failure"
-          deployment_id: ${{ steps.deployment.outputs.deployment_id }}
+          deployment_id: ${{ needs.preprod-agent-deployment.outputs.deployment_id }}
diff --git a/.github/workflows/prod-deployment.yml b/.github/workflows/prod-deployment.yml
@@ -9,6 +9,8 @@ jobs:
   prod-agent-deployment:
     name: Build and upload agent
     runs-on: ubuntu-latest
+    outputs:
+      deployment_id: ${{ steps.deployment.outputs.deployment_id }}
     container: golang:1.20
     env:
       BASE_NAME: spacelift-vcs-agent
@@ -22,18 +24,12 @@ jobs:
       - name: Check out repository code
         uses: actions/checkout@master
 
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v2
-        with:
-          aws-region: eu-west-1
-          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
-          role-duration-seconds: 900
-
       - name: Mark source directory as safe. # This is some duct tape over the git version in the Go image complaining about this since one of the 1.19.x versions. Feel free to remove once it doesn't break the build anymore. See https://github.com/actions/runner/issues/2033 and https://github.com/actions/checkout/issues/760#issuecomment-1097797031
         run: git config --global --add safe.directory $GITHUB_WORKSPACE
 
       - uses: chrnorm/deployment-action@releases/v1
         name: Create GitHub deployment
+        if: ${{ github.ref == 'refs/heads/production' }}
         id: deployment
         with:
           token: "${{ github.token }}"
@@ -81,32 +77,101 @@ jobs:
         env:
           SHORT_SHA: ${{ steps.vars.outputs.sha }}
 
+      - name: Upload the VCS Agent binary
+        uses: actions/upload-artifact@v3
+        with:
+          name: vcs-agent-binary
+          path: build/
+          retention-days: 1
+
+      - name: Update deployment status (failure)
+        uses: chrnorm/deployment-status@releases/v1
+        if: failure() && ${{ github.ref == 'refs/heads/production' }}
+        with:
+          token: "${{ github.token }}"
+          target_url: https://downloads.spacelift.io/spacelift-vcs-agent
+          state: "failure"
+          deployment_id: ${{ steps.deployment.outputs.deployment_id }}
+
+  publish-prod-agent-deployment:
+    name: Upload VCS agent binary and container image
+    needs: ["prod-agent-deployment"]
+    runs-on: ubuntu-latest
+
+    env:
+      BIN_DIR: build
+    permissions:
+      id-token: write
+      contents: read
+      deployments: write
+
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@master
+
+      - name: Download the VCS Agent binary
+        uses: actions/download-artifact@v3
+        with:
+          name: vcs-agent-binary
+          path: ./build
+          retention-days: 1
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        if: ${{ github.ref == 'refs/heads/production' }}
+        with:
+          aws-region: eu-west-1
+          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+          role-duration-seconds: 900
+
       - name: Upload the VCS Agent binary to downloads.spacelift.io
+        if: ${{ github.ref == 'refs/heads/production' }}
         run: >-
           aws s3 sync
           ${BIN_DIR} s3://${{ secrets.AWS_S3_BUCKET }}/
           --no-progress
 
       - name: Invalidate downloads.spacelift.io cache
+        if: ${{ github.ref == 'refs/heads/production' }}
         run: >-
           aws cloudfront create-invalidation
           --distribution-id ${{ secrets.DISTRIBUTION }}
           --paths "/*"
 
+      - name: Log in to Amazon public ECR
+        if: ${{ github.ref == 'refs/heads/production' }}
+        run: aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
+
+    # This will be needed in the future for adding multi architecture build support
+    #  - name: Set up QEMU
+    #    uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Build and push the image
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          platforms: linux/amd64
+          push: ${{ github.ref == 'refs/heads/production' }}
+          tags: |
+            ${{ secrets.PUBLIC_VCS_AGENT_ECR_REPOSITORY_URL }}:latest
+
       - name: Update deployment status (success)
         uses: chrnorm/deployment-status@releases/v1
-        if: success()
+        if: success() && ${{ github.ref == 'refs/heads/production' }}
         with:
           token: "${{ github.token }}"
           target_url: https://downloads.spacelift.io/spacelift-vcs-agent
           state: "success"
-          deployment_id: ${{ steps.deployment.outputs.deployment_id }}
+          deployment_id: ${{ needs.prod-agent-deployment.outputs.deployment_id }}
 
       - name: Update deployment status (failure)
         uses: chrnorm/deployment-status@releases/v1
-        if: failure()
+        if: failure() && ${{ github.ref == 'refs/heads/production' }}
         with:
           token: "${{ github.token }}"
           target_url: https://downloads.spacelift.io/spacelift-vcs-agent
           state: "failure"
-          deployment_id: ${{ steps.deployment.outputs.deployment_id }}
+          deployment_id: ${{ needs.prod-agent-deployment.outputs.deployment_id }}
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -0,0 +1,87 @@
+name: Trivy
+
+on:
+  push: 
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+  schedule:
+    - cron: "19 7 * * 0"
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+
+    env:
+      BASE_NAME: spacelift-vcs-agent
+      BIN_DIR: build
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with: { fetch-depth: 0 }
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with: { go-version: 1.18 }
+
+      - name: parse short SHA
+        id: vars
+        run: |
+          echo ::set-output name=sha::$(git rev-parse --short=8 ${{ github.sha }})
+
+      - name: Build Spacelift VCS Agent
+        run: go build -a -tags netgo -ldflags "-s -w -extldflags '-static' -X main.VERSION=$SHORT_SHA -X main.BugsnagAPIKey=$BUGSNAG_API_KEY" -trimpath -o $BIN_DIR/$BASE_NAME ./cmd/spacelift-vcs-agent
+        env:
+          BUGSNAG_API_KEY: ${{ secrets.BUGSNAG_API_KEY }}
+          CGO_ENABLED: 0
+          SHORT_SHA: ${{ steps.vars.outputs.sha }}
+
+      - name: Archive artifacts for use in Docker build
+        uses: actions/upload-artifact@v3
+        with:
+          name: build
+          path: |
+            build
+
+  analyze:
+    name: Analyze with Trivy
+    needs: build
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Download build artifacts
+        uses: actions/download-artifact@v3
+        with:
+          name: build
+          path: build
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Build and push the image
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          push: false
+          load: true
+          tags: "spacelift-vcs-agent:${{ github.sha }}"
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: "spacelift-vcs-agent:${{ github.sha }}"
+          format: "template"
+          template: "@/contrib/sarif.tpl"
+          output: "trivy-results.sarif"
+          severity: "CRITICAL,HIGH"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: "trivy-results.sarif"
+          category: "Trivy"
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,14 @@
+FROM alpine:3.18
+
+
+RUN apk add --no-cache ca-certificates
+RUN apk upgrade --update-cache --available
+RUN adduser --disabled-password --no-create-home --uid=1983 spacelift
+
+COPY build/spacelift-vcs-agent /usr/bin/spacelift-vcs-agent
+
+RUN chmod +x /usr/bin/spacelift-vcs-agent
+
+CMD ["/usr/bin/spacelift-vcs-agent", "serve"]
+
+USER spacelift