From 56230375a7c23518df93a33d1e986a967fc68d78 Mon Sep 17 00:00:00 2001 From: Lars Osterberg Date: Mon, 16 Sep 2024 12:09:58 +0200 Subject: [PATCH 01/24] Adding platform option to build ARM64 images --- .github/workflows/tools-container-pr.yaml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/tools-container-pr.yaml b/.github/workflows/tools-container-pr.yaml index 17f1351..760d131 100644 --- a/.github/workflows/tools-container-pr.yaml +++ b/.github/workflows/tools-container-pr.yaml @@ -11,15 +11,16 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 + uses: docker/setup-buildx-action@v3 - name: Build container image - uses: docker/build-push-action@v2 + uses: docker/build-push-action@v6 with: cache-from: ghcr.io/xenitab/github-actions/tools:latest file: docker/Dockerfile context: docker + platforms: linux/amd64,linux/arm64 push: false From faced87ace8ade05385e57f40fd37052593a0665 Mon Sep 17 00:00:00 2001 From: Lars Osterberg Date: Mon, 16 Sep 2024 12:15:38 +0200 Subject: [PATCH 02/24] Add manual trigger --- .github/workflows/tools-container-pr.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/tools-container-pr.yaml b/.github/workflows/tools-container-pr.yaml index 760d131..aaeed52 100644 --- a/.github/workflows/tools-container-pr.yaml +++ b/.github/workflows/tools-container-pr.yaml @@ -1,6 +1,7 @@ name: Tools Container - PR Validation on: + workflow_dispatch: pull_request: paths: - 'docker/**' From ee4e537e4faf83626cf715895ac074d3e73df346 Mon Sep 17 00:00:00 2001 From: Lars Osterberg Date: Mon, 16 Sep 2024 12:23:32 +0200 Subject: [PATCH 03/24] Update ansible version as the old one does not exists --- docker/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index f90acfe..a4a39b7 100644 
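Review bot: The bumped `uses:` references in this hunk (`actions/checkout@v4`, `docker/setup-buildx-action@v3`, `docker/build-push-action@v6`) still point at mutable major tags, so the job runs whatever those tags resolve to at run time rather than a reviewed revision; pinning to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v4`, keeps the dependency reproducible and auditable. The same applies to the action bumps in tools-opa-test.yaml, tools-container-latest.yaml and tools-container-tag.yaml later in this series. The added `platforms: linux/amd64,linux/arm64` builds the arm64 variant under emulation, and nothing in the hunk registers it (there is no `docker/setup-qemu-action` step); whether the default Buildx builder on the runner provides it is not visible here, so confirm the PR build actually completes for arm64.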
--- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.21 as tf-prepare-builder +FROM golang:1.21 AS tf-prepare-builder WORKDIR /workspace COPY ./go-tf-prepare/go.mod ./go-tf-prepare/go.sum ./ @@ -12,7 +12,7 @@ FROM debian:12.2-slim #Base RUN apt-get update -y RUN apt-get install -y git curl openssl pip make unzip gpg wget apt-utils -RUN apt-get install -y ansible=7.3.0+dfsg-1 +RUN apt-get install -y ansible=7.7.0+dfsg-3+deb12u1 RUN mkdir -p /tmp/install /usr/src /work WORKDIR /tmp/install From 3daf15555d1c77767da755f9169e401ab19fdad1 Mon Sep 17 00:00:00 2001 From: Lars Osterberg Date: Mon, 16 Sep 2024 12:23:52 +0200 Subject: [PATCH 04/24] update OPA version to get rid of warnings? --- .github/workflows/tools-opa-test.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/tools-opa-test.yaml b/.github/workflows/tools-opa-test.yaml index 7b76d63..3637278 100644 --- a/.github/workflows/tools-opa-test.yaml +++ b/.github/workflows/tools-opa-test.yaml @@ -5,10 +5,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out repository code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Setup OPA - uses: open-policy-agent/setup-opa@v1 + uses: open-policy-agent/setup-opa@v2 with: version: 0.40.0 From ab96d764329c3075058aaa9561c74e2ef5affead Mon Sep 17 00:00:00 2001 From: Lars Osterberg Date: Mon, 16 Sep 2024 12:46:46 +0200 Subject: [PATCH 05/24] more test to make it easier to "work" --- .github/workflows/tools-container-latest.yaml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/.github/workflows/tools-container-latest.yaml b/.github/workflows/tools-container-latest.yaml index 564550b..373e8b1 100644 --- a/.github/workflows/tools-container-latest.yaml +++ b/.github/workflows/tools-container-latest.yaml 
@@ -14,23 +14,24 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 + uses: docker/setup-buildx-action@v3 - name: Login to GitHub Container Registry - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push container image - uses: docker/build-push-action@v2 + uses: docker/build-push-action@v6 with: - cache-from: ghcr.io/xenitab/github-actions/tools:latest + cache-from: ghcr.io/${{GITHUB_REPOSITORY}}/tools:latest file: docker/Dockerfile context: docker - tags: ghcr.io/xenitab/github-actions/tools:latest + tags: ghcr.io/${{GITHUB_REPOSITORY}}/tools:latest + platforms: linux/amd64,linux/arm64 push: true From 2d4b04f065111617657546507bdc547313bbca8d Mon Sep 17 00:00:00 2001 From: Lars Osterberg Date: Mon, 16 Sep 2024 13:00:28 +0200 Subject: [PATCH 06/24] Update cache-from and tags in tools-container-latest.yaml to use variables instead. --- .github/workflows/tools-container-latest.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/tools-container-latest.yaml b/.github/workflows/tools-container-latest.yaml index 373e8b1..9670274 100644 --- a/.github/workflows/tools-container-latest.yaml +++ b/.github/workflows/tools-container-latest.yaml @@ -29,9 +29,9 @@ jobs: - name: Build and push container image uses: docker/build-push-action@v6 with: - cache-from: ghcr.io/${{GITHUB_REPOSITORY}}/tools:latest + cache-from: ghcr.io/${{env.GITHUB_REPOSITORY}}/tools:latest file: docker/Dockerfile context: docker - tags: ghcr.io/${{GITHUB_REPOSITORY}}/tools:latest + tags: ghcr.io/${{env.GITHUB_REPOSITORY}}/tools:latest platforms: linux/amd64,linux/arm64 push: true From 4403f1a5b8b91ea62045b73f9fc2991f3498ab22 Mon Sep 17 00:00:00 2001 
From: Lars Osterberg Date: Mon, 16 Sep 2024 13:07:36 +0200 Subject: [PATCH 07/24] doh --- .github/workflows/tools-container-latest.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/tools-container-latest.yaml b/.github/workflows/tools-container-latest.yaml index 9670274..ccadfe6 100644 --- a/.github/workflows/tools-container-latest.yaml +++ b/.github/workflows/tools-container-latest.yaml @@ -29,9 +29,9 @@ jobs: - name: Build and push container image uses: docker/build-push-action@v6 with: - cache-from: ghcr.io/${{env.GITHUB_REPOSITORY}}/tools:latest + cache-from: ghcr.io/${{github.repository}}/tools:latest file: docker/Dockerfile context: docker - tags: ghcr.io/${{env.GITHUB_REPOSITORY}}/tools:latest + tags: ghcr.io/${{github.repository}}/tools:latest platforms: linux/amd64,linux/arm64 push: true From 003754d4d51ce63ec1e571c8996017b6a9b05d64 Mon Sep 17 00:00:00 2001 
From: Lars Osterberg Date: Tue, 17 Sep 2024 11:34:12 +0200 Subject: [PATCH 08/24] Building lite image Removing, AWS, packer, kubectl and helm --- docker/Dockerfile.lite | 76 +++++++++++++++++++ docker/install-scripts/azure-cli-lite.sh | 33 ++++++++ docker/install-scripts/github-cli-lite.sh | 23 ++++++ docker/install-scripts/jq-lite.sh | 16 ++++ docker/install-scripts/opa-lite.sh | 21 +++++ docker/install-scripts/sops-lite.sh | 20 +++++ docker/install-scripts/tflint-lite.sh | 22 ++++++ docker/install-scripts/tflint-ruleset-lite.sh | 25 ++++++ docker/install-scripts/tfsec-lite.sh | 20 +++++ 9 files changed, 256 insertions(+) create mode 100644 docker/Dockerfile.lite create mode 100755 docker/install-scripts/azure-cli-lite.sh create mode 100755 docker/install-scripts/github-cli-lite.sh create mode 100755 docker/install-scripts/jq-lite.sh create mode 100755 docker/install-scripts/opa-lite.sh create mode 100755 docker/install-scripts/sops-lite.sh create mode 100755 docker/install-scripts/tflint-lite.sh create mode 100755 docker/install-scripts/tflint-ruleset-lite.sh create mode 100755 docker/install-scripts/tfsec-lite.sh diff --git a/docker/Dockerfile.lite b/docker/Dockerfile.lite new file mode 100644 index 0000000..2b45238 --- /dev/null +++ b/docker/Dockerfile.lite 
@@ -0,0 +1,76 @@ +FROM golang:1.21 AS tf-prepare-builder +WORKDIR /workspace +ARG TARGETARCH + +COPY ./go-tf-prepare/go.mod ./go-tf-prepare/go.sum ./ +RUN go mod download +COPY ./go-tf-prepare/main.go main.go +COPY ./go-tf-prepare/pkg/ pkg/ +RUN GOOS=linux GOARCH=$TARGETARCH GO111MODULE=on go build -o tf-prepare main.go + +FROM debian:12.2-slim + +#Base +RUN apt-get update -y +RUN apt-get install -y git curl openssl pip make unzip gpg wget apt-utils lsb-release + +RUN mkdir -p /tmp/install /usr/src /work +WORKDIR /tmp/install + +# Install Azure CLI +COPY install-scripts/azure-cli-lite.sh /usr/src/install-scripts/azure-cli.sh +RUN /usr/src/install-scripts/azure-cli.sh --version="2.64.0" + +# Install tflint +COPY install-scripts/tflint-lite.sh /usr/src/install-scripts/tflint.sh +RUN /usr/src/install-scripts/tflint.sh --version="v0.53.0" +COPY config/.tflint.hcl /work/.tflint.d/.tflint.hcl + +# Install tflint ruleset +COPY install-scripts/tflint-ruleset-lite.sh /usr/src/install-scripts/tflint-ruleset.sh +RUN /usr/src/install-scripts/tflint-ruleset.sh --ruleset="azurerm" --version="v0.27.0" + +# Install terraform (tfenv) +COPY install-scripts/tfenv.sh /usr/src/install-scripts/tfenv.sh +RUN /usr/src/install-scripts/tfenv.sh --latest-terraform-version="1.9.5" --tfenv-version="v3.0.0" + +# Install tfsec +COPY install-scripts/tfsec-lite.sh /usr/src/install-scripts/tfsec.sh +RUN /usr/src/install-scripts/tfsec.sh --version="v1.28.10" + +# Install Open Policy Agent, version 0.43.0 ??? 
+COPY install-scripts/opa-lite.sh /usr/src/install-scripts/opa.sh +RUN /usr/src/install-scripts/opa.sh --version="v0.68.0" + +# Install sops +COPY install-scripts/sops-lite.sh /usr/src/install-scripts/sops.sh +RUN /usr/src/install-scripts/sops.sh --version="v3.9.0" + +# Install GitHub CLI +COPY install-scripts/github-cli-lite.sh /usr/src/install-scripts/github-cli.sh +RUN /usr/src/install-scripts/github-cli.sh --version="2.57.0" + +# Install jq +COPY install-scripts/jq-lite.sh /usr/src/install-scripts/jq.sh +RUN /usr/src/install-scripts/jq.sh --version="1.6-2.1" + +# Install yq +COPY install-scripts/yq.sh /usr/src/install-scripts/yq.sh +RUN /usr/src/install-scripts/yq.sh --version="3.1.0-3" + +# Install tfprepare +COPY --from=tf-prepare-builder /workspace/tf-prepare /usr/local/bin/tf-prepare +RUN chmod +x /usr/local/bin/tf-prepare + +#Cleanup +RUN apt-get autoremove && \ + apt-get clean + +RUN rm -rf /tmp/install + +COPY opa-policies /opt/opa-policies +COPY terraform.sh /opt/terraform.sh + +ENV HOME=/work + +WORKDIR /work diff --git a/docker/install-scripts/azure-cli-lite.sh b/docker/install-scripts/azure-cli-lite.sh new file mode 100755 index 0000000..46f0d50 --- /dev/null +++ b/docker/install-scripts/azure-cli-lite.sh 
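Review bot: `RUN apt-get autoremove && apt-get clean` in the cleanup section runs `autoremove` without `-y`; in a non-interactive build apt typically aborts instead of prompting whenever it has something to remove, so the layer would fail exactly when cleanup has work to do — use `RUN apt-get autoremove -y && apt-get clean && rm -rf /var/lib/apt/lists/*`, which also drops the package lists fetched by the earlier `apt-get update`. The comment `# Install Open Policy Agent, version 0.43.0 ???` contradicts the `--version="v0.68.0"` two lines below it; replace it with `# Install Open Policy Agent` so the version is stated only in the RUN line. `apt-get update -y` and the following `apt-get install -y git curl ...` are separate layers, so a cached update layer can be reused with a later, changed install line and pick up stale package lists; combining them in one `RUN apt-get update && apt-get install -y --no-install-recommends ...` is the usual fix.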
@@ -0,0 +1,33 @@ +#!/bin/bash +set -e + +while [ $# -gt 0 ]; do + case "$1" in + --version=*) + VERSION="${1#*=}" + ;; + *) + echo "Error: Invalid argument." + exit 1 + esac + shift +done + +mkdir -p /etc/apt/keyrings +curl -sLS https://packages.microsoft.com/keys/microsoft.asc | + gpg --dearmor | tee /etc/apt/keyrings/microsoft.gpg > /dev/null +chmod go+r /etc/apt/keyrings/microsoft.gpg + +AZ_DIST=$(lsb_release -cs) +echo "Types: deb +URIs: https://packages.microsoft.com/repos/azure-cli/ +Suites: ${AZ_DIST} +Components: main +Architectures: $(dpkg --print-architecture) +Signed-by: /etc/apt/keyrings/microsoft.gpg" | tee /etc/apt/sources.list.d/azure-cli.sources + +apt-get update +apt-get install -y azure-cli=${VERSION}-1~$AZ_DIST + +az extension add --name azure-devops +az extension add --name managementpartner diff --git a/docker/install-scripts/github-cli-lite.sh b/docker/install-scripts/github-cli-lite.sh new file mode 100755 index 0000000..372835d --- /dev/null +++ b/docker/install-scripts/github-cli-lite.sh @@ -0,0 +1,23 @@ +#!/bin/bash +set -e + +while [ $# -gt 0 ]; do + case "$1" in + --version=*) + VERSION="${1#*=}" + ;; + *) + echo "Error: Invalid argument." + exit 1 + esac + shift +done + +(type -p wget >/dev/null || (apt update && apt-get install wget -y)) \ + && mkdir -p -m 755 /etc/apt/keyrings \ + && wget -qO- https://cli.github.com/packages/githubcli-archive-keyring.gpg | tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null \ + && chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg \ + && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | tee /etc/apt/sources.list.d/github-cli.list > /dev/null + +apt update +apt install -y gh=${VERSION} \ No newline at end of file diff --git a/docker/install-scripts/jq-lite.sh b/docker/install-scripts/jq-lite.sh new file mode 100755 index 0000000..3224c12 --- /dev/null 
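Review bot: The script runs under `set -e` only, so in `curl -sLS ... | gpg --dearmor | tee /etc/apt/keyrings/microsoft.gpg` a failed download does not stop the script (only tee's exit status counts) and an empty keyring is written, with the failure surfacing later as a confusing `apt-get update` error; use `set -euo pipefail` at the top. `VERSION` is never checked, so calling the script without `--version=` produces `azure-cli=-1~<dist>` and an unhelpful apt error — add `: "${VERSION:?--version=<x.y.z> is required}"` after the argument loop. Both points apply equally to the sibling github-cli-lite.sh, jq-lite.sh, opa-lite.sh, sops-lite.sh, tflint-lite.sh, tflint-ruleset-lite.sh and tfsec-lite.sh hunks in this commit, which share the same argument loop.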
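Review bot: `apt update` and `apt install -y gh=${VERSION}` at the end of the script use the `apt` front end, which warns that its CLI is not stable for scripted use, while every other script in this commit uses `apt-get`; switch to `apt-get update` and `apt-get install -y gh="${VERSION}"`, and likewise inside the `type -p wget` fallback. The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.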
+++ b/docker/install-scripts/jq-lite.sh @@ -0,0 +1,16 @@ +#!/bin/bash +set -e + +while [ $# -gt 0 ]; do + case "$1" in + --version=*) + VERSION="${1#*=}" + ;; + *) + echo "Error: Invalid argument." + exit 1 + esac + shift +done + +apt-get install -y jq=${VERSION} diff --git a/docker/install-scripts/opa-lite.sh b/docker/install-scripts/opa-lite.sh new file mode 100755 index 0000000..a5bb591 --- /dev/null +++ b/docker/install-scripts/opa-lite.sh @@ -0,0 +1,21 @@ +#!/bin/bash +set -e + +while [ $# -gt 0 ]; do + case "$1" in + --version=*) + VERSION="${1#*=}" + ;; + *) + echo "Error: Invalid argument." + exit 1 + esac + shift +done + +ARCHITECTURE=$(dpkg --print-architecture) + +wget https://github.com/open-policy-agent/opa/releases/download/${VERSION}/opa_linux_${ARCHITECTURE}_static + +chmod +x opa_linux_${ARCHITECTURE}_static +mv opa_linux_${ARCHITECTURE}_static /usr/local/bin/opa diff --git a/docker/install-scripts/sops-lite.sh b/docker/install-scripts/sops-lite.sh new file mode 100755 index 0000000..7d47985 --- /dev/null +++ b/docker/install-scripts/sops-lite.sh @@ -0,0 +1,20 @@ +#!/bin/bash +set -e + +while [ $# -gt 0 ]; do + case "$1" in + --version=*) + VERSION="${1#*=}" + ;; + *) + echo "Error: Invalid argument." + exit 1 + esac + shift +done + +ARCHITECTURE=$(dpkg --print-architecture) +wget https://github.com/getsops/sops/releases/download/${VERSION}/sops-${VERSION}.linux.${ARCHITECTURE} + +chmod +x sops-${VERSION}.linux.${ARCHITECTURE} +mv sops-${VERSION}.linux.${ARCHITECTURE} /usr/local/bin/sops diff --git a/docker/install-scripts/tflint-lite.sh b/docker/install-scripts/tflint-lite.sh new file mode 100755 index 0000000..98763f0 --- /dev/null +++ b/docker/install-scripts/tflint-lite.sh 
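Review bot: The `wget https://github.com/open-policy-agent/opa/releases/download/${VERSION}/opa_linux_${ARCHITECTURE}_static` download is made executable and moved into `/usr/local/bin/opa` with no integrity check, so the image contents depend entirely on the release host and the transport at build time. Where the project publishes a checksum file alongside the release asset, fetch it too and verify it before installing (`sha256sum -c` against the downloaded file), and pin the expected digest in the repository if builds are meant to be reproducible. The same pattern appears in sops-lite.sh, tflint-lite.sh, tflint-ruleset-lite.sh and tfsec-lite.sh in this commit.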
@@ -0,0 +1,22 @@ +#!/bin/bash +set -e + +while [ $# -gt 0 ]; do + case "$1" in + --version=*) + VERSION="${1#*=}" + ;; + *) + echo "Error: Invalid argument." + exit 1 + esac + shift +done + +ARCHITECTURE=$(dpkg --print-architecture) +wget https://github.com/terraform-linters/tflint/releases/download/${VERSION}/tflint_linux_${ARCHITECTURE}.zip + +unzip tflint_linux_${ARCHITECTURE}.zip +rm tflint_linux_${ARCHITECTURE}.zip +mv tflint /usr/local/bin/tflint +mkdir -p /work/.tflint.d \ No newline at end of file diff --git a/docker/install-scripts/tflint-ruleset-lite.sh b/docker/install-scripts/tflint-ruleset-lite.sh new file mode 100755 index 0000000..5e4e458 --- /dev/null +++ b/docker/install-scripts/tflint-ruleset-lite.sh @@ -0,0 +1,25 @@ +#!/bin/bash +set -e + +while [ $# -gt 0 ]; do + case "$1" in + --ruleset=*) + RULESET="${1#*=}" + ;; + --version=*) + VERSION="${1#*=}" + ;; + *) + echo "Error: Invalid argument." + exit 1 + esac + shift +done + +ARCHITECTURE=$(dpkg --print-architecture) +wget https://github.com/terraform-linters/tflint-ruleset-${RULESET}/releases/download/${VERSION}/tflint-ruleset-${RULESET}_linux_${ARCHITECTURE}.zip + +unzip tflint-ruleset-${RULESET}_linux_${ARCHITECTURE}.zip +rm tflint-ruleset-${RULESET}_linux_${ARCHITECTURE}.zip +mkdir -p /work/.tflint.d/plugins/ +mv tflint-ruleset-${RULESET} /work/.tflint.d/plugins/tflint-ruleset-${RULESET} diff --git a/docker/install-scripts/tfsec-lite.sh b/docker/install-scripts/tfsec-lite.sh new file mode 100755 index 0000000..3d47682 --- /dev/null +++ b/docker/install-scripts/tfsec-lite.sh @@ -0,0 +1,20 @@ +#!/bin/bash +set -e + +while [ $# -gt 0 ]; do + case "$1" in + --version=*) + VERSION="${1#*=}" + ;; + *) + echo "Error: Invalid argument." + exit 1 + esac + shift +done + +ARCHITECTURE=$(dpkg --print-architecture) +wget https://github.com/aquasecurity/tfsec/releases/download/${VERSION}/tfsec-linux-${ARCHITECTURE} + +chmod +x tfsec-linux-${ARCHITECTURE} +mv tfsec-linux-${ARCHITECTURE} /usr/local/bin/tfsec 
From b6d190a004955bf96561de7c9a64ad95fc8018fb Mon Sep 17 00:00:00 2001 From: Lars Osterberg Date: Tue, 17 Sep 2024 11:35:29 +0200 Subject: [PATCH 09/24] Test: adding separate image tag --- .github/workflows/tools-container-latest.yaml | 11 ++++++++++ .github/workflows/tools-container-pr.yaml | 13 ++++++++++- .github/workflows/tools-container-tag.yaml | 22 ++++++++++++++----- 3 files changed, 39 insertions(+), 7 deletions(-) diff --git a/.github/workflows/tools-container-latest.yaml b/.github/workflows/tools-container-latest.yaml index ccadfe6..af54ef6 100644 --- a/.github/workflows/tools-container-latest.yaml +++ b/.github/workflows/tools-container-latest.yaml @@ -26,6 +26,7 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} + # Original - name: Build and push container image uses: docker/build-push-action@v6 with: @@ -33,5 +34,15 @@ jobs: file: docker/Dockerfile context: docker tags: ghcr.io/${{github.repository}}/tools:latest + push: true + + # Light multiArch image + - name: '[LIGHT] Build and push container image' + uses: docker/build-push-action@v6 + with: + cache-from: ghcr.io/${{github.repository}}/tools:lite + file: docker/Dockerfile.lite + context: docker + tags: ghcr.io/${{github.repository}}/tools:lite platforms: linux/amd64,linux/arm64 push: true diff --git a/.github/workflows/tools-container-pr.yaml b/.github/workflows/tools-container-pr.yaml index aaeed52..c93338e 100644 --- a/.github/workflows/tools-container-pr.yaml +++ b/.github/workflows/tools-container-pr.yaml 
@@ -17,11 +17,22 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 + # Build the container image - name: Build container image uses: docker/build-push-action@v6 with: - cache-from: ghcr.io/xenitab/github-actions/tools:latest + cache-from: ghcr.io/${{github.repository}}/tools:latest file: docker/Dockerfile context: docker + push: false + + # Build the LITE multiArch container image + - name: Build container image + uses: docker/build-push-action@v6 + with: + cache-from: ghcr.io/${{github.repository}}/tools:lite + file: docker/Dockerfile.lite + context: docker platforms: linux/amd64,linux/arm64 push: false + tags: ghcr.io/${{github.repository}}/tools:lite diff --git a/.github/workflows/tools-container-tag.yaml b/.github/workflows/tools-container-tag.yaml index 03cefa0..5b0b2ca 100644 --- a/.github/workflows/tools-container-tag.yaml +++ b/.github/workflows/tools-container-tag.yaml @@ -14,13 +14,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 + uses: docker/setup-buildx-action@v3 - name: Login to GitHub Container Registry - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.actor }} 
@@ -32,10 +32,20 @@ jobs: echo "tag=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT - name: Build and push container image - uses: docker/build-push-action@v2 + uses: docker/build-push-action@v6 with: - cache-from: ghcr.io/xenitab/github-actions/tools:latest + cache-from: ghcr.io/${{github.repository}}/tools:latest file: docker/Dockerfile context: docker - tags: ghcr.io/xenitab/github-actions/tools:${{ steps.get_tag.outputs.tag }} + tags: ghcr.io/${{github.repository}}/tools:${{ steps.get_tag.outputs.tag }} + push: true + + - name: Build and push container image + uses: docker/build-push-action@v6 + with: + cache-from: ghcr.io/${{github.repository}}/tools:lite + file: docker/Dockerfile + context: docker + tags: ghcr.io/${{github.repository}}/tools:lite-${{ steps.get_tag.outputs.tag }} + platforms: linux/amd64,linux/arm64 push: true From 14146e3aba8ec4c421b4e08c40f4ddb794feaa61 Mon Sep 17 00:00:00 2001 From: Lars Osterberg Date: Tue, 17 Sep 2024 12:12:26 +0200 Subject: [PATCH 10/24] add manual start of pipelines --- .github/workflows/tools-container-latest.yaml | 1 + .github/workflows/tools-container-tag.yaml | 1 + 2 files changed, 2 insertions(+) diff --git a/.github/workflows/tools-container-latest.yaml b/.github/workflows/tools-container-latest.yaml index af54ef6..035377f 100644 --- a/.github/workflows/tools-container-latest.yaml +++ b/.github/workflows/tools-container-latest.yaml @@ -1,6 +1,7 @@ name: Tools Container - Publish Latest on: + workflow_dispatch: push: branches: - main diff --git a/.github/workflows/tools-container-tag.yaml b/.github/workflows/tools-container-tag.yaml index 5b0b2ca..eeecd5c 100644 --- a/.github/workflows/tools-container-tag.yaml +++ b/.github/workflows/tools-container-tag.yaml @@ -1,6 +1,7 @@ name: Tools Container - Publish Tag on: + workflow_dispatch: release: types: - published From 265ce21c65cb891b063cb35daf960f4258d361af Mon Sep 17 00:00:00 2001 
From: Lars Osterberg Date: Tue, 17 Sep 2024 13:52:04 +0200 Subject: [PATCH 11/24] renames --- .github/workflows/tools-container-latest.yaml | 2 +- .github/workflows/tools-container-pr.yaml | 2 +- .github/workflows/tools-container-tag.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/tools-container-latest.yaml b/.github/workflows/tools-container-latest.yaml index 035377f..2e22931 100644 --- a/.github/workflows/tools-container-latest.yaml +++ b/.github/workflows/tools-container-latest.yaml @@ -38,7 +38,7 @@ jobs: push: true # Light multiArch image - - name: '[LIGHT] Build and push container image' + - name: '[LITE] Build and push container image' uses: docker/build-push-action@v6 with: cache-from: ghcr.io/${{github.repository}}/tools:lite diff --git a/.github/workflows/tools-container-pr.yaml b/.github/workflows/tools-container-pr.yaml index c93338e..b04cab2 100644 --- a/.github/workflows/tools-container-pr.yaml +++ b/.github/workflows/tools-container-pr.yaml @@ -27,7 +27,7 @@ jobs: push: false # Build the LITE multiArch container image - - name: Build container image + - name: '[LITE] Build container image' uses: docker/build-push-action@v6 with: cache-from: ghcr.io/${{github.repository}}/tools:lite diff --git a/.github/workflows/tools-container-tag.yaml b/.github/workflows/tools-container-tag.yaml index eeecd5c..6e5081b 100644 --- a/.github/workflows/tools-container-tag.yaml +++ b/.github/workflows/tools-container-tag.yaml @@ -41,7 +41,7 @@ jobs: tags: ghcr.io/${{github.repository}}/tools:${{ steps.get_tag.outputs.tag }} push: true - - name: Build and push container image + - name: '[LITE] Build and push container image' uses: docker/build-push-action@v6 with: cache-from: ghcr.io/${{github.repository}}/tools:lite From cb68568910bc28f515bedfdf6c5890e2c2d97d57 Mon Sep 17 00:00:00 2001 
From: Osterberg Date: Mon, 7 Oct 2024 12:54:03 +0200 Subject: [PATCH 12/24] Update versions and use other method to detect distribution --- docker/Dockerfile.lite | 6 +++--- docker/install-scripts/azure-cli-lite.sh | 23 ++++++++++++++++++----- 2 files changed, 21 insertions(+), 8 deletions(-) diff --git a/docker/Dockerfile.lite b/docker/Dockerfile.lite index 2b45238..3084839 100644 --- a/docker/Dockerfile.lite +++ b/docker/Dockerfile.lite @@ -1,4 +1,4 @@ -FROM golang:1.21 AS tf-prepare-builder +FROM golang:1.23-bookworm AS tf-prepare-builder WORKDIR /workspace ARG TARGETARCH @@ -8,11 +8,11 @@ COPY ./go-tf-prepare/main.go main.go COPY ./go-tf-prepare/pkg/ pkg/ RUN GOOS=linux GOARCH=$TARGETARCH GO111MODULE=on go build -o tf-prepare main.go -FROM debian:12.2-slim +FROM debian:bookworm-slim #Base RUN apt-get update -y -RUN apt-get install -y git curl openssl pip make unzip gpg wget apt-utils lsb-release +RUN apt-get install -y git curl openssl pip make unzip gpg wget apt-utils RUN mkdir -p /tmp/install /usr/src /work WORKDIR /tmp/install diff --git a/docker/install-scripts/azure-cli-lite.sh b/docker/install-scripts/azure-cli-lite.sh index 46f0d50..c231763 100755 --- a/docker/install-scripts/azure-cli-lite.sh +++ b/docker/install-scripts/azure-cli-lite.sh 
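Review bot: `FROM debian:bookworm-slim` and `FROM golang:1.23-bookworm` replace the previously pinned `debian:12.2-slim` with floating tags, so two builds of the same commit can yield different base layers; if the intent is to track point releases, pin the tag to a digest (`FROM debian:bookworm-slim@sha256:<digest>`) and refresh it deliberately. Dropping `lsb-release` from the apt line is consistent with the `/etc/os-release` lookup introduced in azure-cli-lite.sh in the same commit; a one-line comment next to the apt line noting that the install scripts no longer need it would stop it being re-added.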
@@ -13,21 +13,34 @@ while [ $# -gt 0 ]; do shift done +echo "Adding keys to the keyring..." mkdir -p /etc/apt/keyrings curl -sLS https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | tee /etc/apt/keyrings/microsoft.gpg > /dev/null +echo "Keys added to the keyring, setting permissions..." chmod go+r /etc/apt/keyrings/microsoft.gpg -AZ_DIST=$(lsb_release -cs) +#AZ_DIST=$(lsb_release -cs) +AZ_DIST=$(grep -ioP '^VERSION_CODENAME=\K.+' /etc/os-release) +ARCHITECTURE=$(dpkg --print-architecture) +echo "Adding sources to the sources list, DIST=${AZ_DIST} and ARCH=..." + echo "Types: deb URIs: https://packages.microsoft.com/repos/azure-cli/ Suites: ${AZ_DIST} Components: main -Architectures: $(dpkg --print-architecture) +Architectures: ${ARCHITECTURE} Signed-by: /etc/apt/keyrings/microsoft.gpg" | tee /etc/apt/sources.list.d/azure-cli.sources +echo "Sources added to the sources list, updating apt and installing AZ CLI..." apt-get update -apt-get install -y azure-cli=${VERSION}-1~$AZ_DIST +apt-get install -y azure-cli=${VERSION}-1~${AZ_DIST} + +echo "AZ CLI installed..." +az version -az extension add --name azure-devops -az extension add --name managementpartner +echo "Adding DEVOPS extension..." +az extension add --yes --allow-preview false --upgrade --name azure-devops +echo "Adding MANAGEMENTPARTNER extension..." +az extension add --yes --allow-preview false --upgrade --name managementpartner +echo "AZ CLI installation complete." \ No newline at end of file From eba6c8da70c20c27bff773e736634a01512f1cc9 Mon Sep 17 00:00:00 2001 From: Osterberg Date: Mon, 7 Oct 2024 13:59:00 +0200 Subject: [PATCH 13/24] update gh version, as their GPG key had expired and the old versions are not available --- docker/Dockerfile.lite | 2 +- docker/install-scripts/azure-cli-lite.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docker/Dockerfile.lite b/docker/Dockerfile.lite index 3084839..15a26e2 100644 --- a/docker/Dockerfile.lite 
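Review bot: `AZ_DIST=$(grep -ioP '^VERSION_CODENAME=\K.+' /etc/os-release)` depends on GNU grep's `-P` and matches case-insensitively, which is more than the lookup needs; `/etc/os-release` is shell-sourceable, so `AZ_DIST=$(. /etc/os-release && echo "$VERSION_CODENAME")` reads the same field without a regex. The commented-out `#AZ_DIST=$(lsb_release -cs)` line can go, since the commit message already records why it was replaced. The file now ends without a newline after `echo "AZ CLI installation complete."`.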
+++ b/docker/Dockerfile.lite @@ -48,7 +48,7 @@ RUN /usr/src/install-scripts/sops.sh --version="v3.9.0" # Install GitHub CLI COPY install-scripts/github-cli-lite.sh /usr/src/install-scripts/github-cli.sh -RUN /usr/src/install-scripts/github-cli.sh --version="2.57.0" +RUN /usr/src/install-scripts/github-cli.sh --version="2.58.0" # Install jq COPY install-scripts/jq-lite.sh /usr/src/install-scripts/jq.sh diff --git a/docker/install-scripts/azure-cli-lite.sh b/docker/install-scripts/azure-cli-lite.sh index c231763..5f71142 100755 --- a/docker/install-scripts/azure-cli-lite.sh +++ b/docker/install-scripts/azure-cli-lite.sh @@ -23,7 +23,7 @@ chmod go+r /etc/apt/keyrings/microsoft.gpg #AZ_DIST=$(lsb_release -cs) AZ_DIST=$(grep -ioP '^VERSION_CODENAME=\K.+' /etc/os-release) ARCHITECTURE=$(dpkg --print-architecture) -echo "Adding sources to the sources list, DIST=${AZ_DIST} and ARCH=..." +echo "Adding sources to the sources list, DIST=${AZ_DIST} and ARCH=${ARCHITECTURE}..." echo "Types: deb URIs: https://packages.microsoft.com/repos/azure-cli/ From 5e6f3ba7a710d8be947c1465dbedea63d0f3df4b Mon Sep 17 00:00:00 2001 From: Osterberg Date: Wed, 9 Oct 2024 23:04:45 +0200 Subject: [PATCH 14/24] - Remove tagging from PR workflow - Convert repository name to lowercase as tags can't have any char in UPPER --- .github/workflows/tools-container-latest.yaml | 10 ++++++++-- .github/workflows/tools-container-pr.yaml | 1 - .github/workflows/tools-container-tag.yaml | 10 ++++------ 3 files changed, 12 insertions(+), 9 deletions(-) diff --git a/.github/workflows/tools-container-latest.yaml b/.github/workflows/tools-container-latest.yaml index 2e22931..153a28d 100644 --- a/.github/workflows/tools-container-latest.yaml +++ b/.github/workflows/tools-container-latest.yaml 
@@ -27,6 +27,12 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} + # Stupid, lowercase tag + - name: Lowercase tags + id: lowercase + run: | + echo "repository=${GITHUB_REPOSITORY@L}" >> $GITHUB_OUTPUT + # Original - name: Build and push container image uses: docker/build-push-action@v6 @@ -34,7 +40,7 @@ jobs: cache-from: ghcr.io/${{github.repository}}/tools:latest file: docker/Dockerfile context: docker - tags: ghcr.io/${{github.repository}}/tools:latest + tags: ghcr.io/l${{ steps.lowercase.outputs.repository }}/tools:latest push: true # Light multiArch image @@ -44,6 +50,6 @@ jobs: cache-from: ghcr.io/${{github.repository}}/tools:lite file: docker/Dockerfile.lite context: docker - tags: ghcr.io/${{github.repository}}/tools:lite + tags: ghcr.io/l${{ steps.lowercase.outputs.repository }}/tools:lite platforms: linux/amd64,linux/arm64 push: true diff --git a/.github/workflows/tools-container-pr.yaml b/.github/workflows/tools-container-pr.yaml index b04cab2..10a5d71 100644 --- a/.github/workflows/tools-container-pr.yaml +++ b/.github/workflows/tools-container-pr.yaml @@ -35,4 +35,3 @@ jobs: context: docker platforms: linux/amd64,linux/arm64 push: false - tags: ghcr.io/${{github.repository}}/tools:lite diff --git a/.github/workflows/tools-container-tag.yaml b/.github/workflows/tools-container-tag.yaml index 6e5081b..3cb1a05 100644 --- a/.github/workflows/tools-container-tag.yaml +++ b/.github/workflows/tools-container-tag.yaml @@ -5,9 +5,6 @@ on: release: types: - published - paths: - - "docker/**" - - ".github/**" jobs: publish_latest: @@ -31,6 +28,7 @@ jobs: id: get_tag run: | echo "tag=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT + echo "repository=${GITHUB_REPOSITORY@L}" >> $GITHUB_OUTPUT - name: Build and push container image uses: docker/build-push-action@v6 
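Review bot: The new `tags: ghcr.io/l${{ steps.lowercase.outputs.repository }}/tools:latest` (and the matching `/tools:lite` line in the next hunk) has what looks like a stray `l` between `ghcr.io/` and the expression, so the image would be pushed to `ghcr.io/l<owner>/<repo>/tools` instead of the repository's own package namespace; it should read `tags: ghcr.io/${{ steps.lowercase.outputs.repository }}/tools:latest`. `cache-from` in the same steps still uses `${{github.repository}}`, which keeps the original casing, while `tags` now uses the lowercased output; registry references with uppercase characters are invalid, so the cache reference should use `steps.lowercase.outputs.repository` as well. The same mismatch is in the tools-container-tag.yaml hunks of this commit, where `cache-from` keeps `${{github.repository}}` next to the lowercased `steps.get_tag.outputs.repository`.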
@@ -38,15 +36,15 @@ jobs: cache-from: ghcr.io/${{github.repository}}/tools:latest file: docker/Dockerfile context: docker - tags: ghcr.io/${{github.repository}}/tools:${{ steps.get_tag.outputs.tag }} + tags: ghcr.io/${{ steps.get_tag.outputs.repository }}/tools:${{ steps.get_tag.outputs.tag }} push: true - name: '[LITE] Build and push container image' uses: docker/build-push-action@v6 with: cache-from: ghcr.io/${{github.repository}}/tools:lite - file: docker/Dockerfile + file: docker/Dockerfile.lite context: docker - tags: ghcr.io/${{github.repository}}/tools:lite-${{ steps.get_tag.outputs.tag }} + tags: ghcr.io/${{ steps.get_tag.outputs.repository }}/tools:lite-${{ steps.get_tag.outputs.tag }} platforms: linux/amd64,linux/arm64 push: true From 0cea80436b1a9c2ba7f3adc2a1dc7909bc59890b Mon Sep 17 00:00:00 2001 From: Osterberg Date: Fri, 11 Oct 2024 19:18:01 +0200 Subject: [PATCH 15/24] Remove bloaty wget output --- docker/install-scripts/opa-lite.sh | 2 +- docker/install-scripts/sops-lite.sh | 2 +- docker/install-scripts/tflint-lite.sh | 2 +- docker/install-scripts/tflint-ruleset-lite.sh | 2 +- docker/install-scripts/tfsec-lite.sh | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/docker/install-scripts/opa-lite.sh b/docker/install-scripts/opa-lite.sh index a5bb591..5eb6c0e 100755 --- a/docker/install-scripts/opa-lite.sh +++ b/docker/install-scripts/opa-lite.sh @@ -15,7 +15,7 @@ done ARCHITECTURE=$(dpkg --print-architecture) -wget https://github.com/open-policy-agent/opa/releases/download/${VERSION}/opa_linux_${ARCHITECTURE}_static +wget -nv https://github.com/open-policy-agent/opa/releases/download/${VERSION}/opa_linux_${ARCHITECTURE}_static chmod +x opa_linux_${ARCHITECTURE}_static mv opa_linux_${ARCHITECTURE}_static /usr/local/bin/opa diff --git a/docker/install-scripts/sops-lite.sh b/docker/install-scripts/sops-lite.sh index 7d47985..edddff2 100755 --- a/docker/install-scripts/sops-lite.sh +++ b/docker/install-scripts/sops-lite.sh 
@@ -14,7 +14,7 @@ while [ $# -gt 0 ]; do done ARCHITECTURE=$(dpkg --print-architecture) -wget https://github.com/getsops/sops/releases/download/${VERSION}/sops-${VERSION}.linux.${ARCHITECTURE} +wget -nv https://github.com/getsops/sops/releases/download/${VERSION}/sops-${VERSION}.linux.${ARCHITECTURE} chmod +x sops-${VERSION}.linux.${ARCHITECTURE} mv sops-${VERSION}.linux.${ARCHITECTURE} /usr/local/bin/sops diff --git a/docker/install-scripts/tflint-lite.sh b/docker/install-scripts/tflint-lite.sh index 98763f0..a5be627 100755 --- a/docker/install-scripts/tflint-lite.sh +++ b/docker/install-scripts/tflint-lite.sh @@ -14,7 +14,7 @@ while [ $# -gt 0 ]; do done ARCHITECTURE=$(dpkg --print-architecture) -wget https://github.com/terraform-linters/tflint/releases/download/${VERSION}/tflint_linux_${ARCHITECTURE}.zip +wget -nv https://github.com/terraform-linters/tflint/releases/download/${VERSION}/tflint_linux_${ARCHITECTURE}.zip unzip tflint_linux_${ARCHITECTURE}.zip rm tflint_linux_${ARCHITECTURE}.zip diff --git a/docker/install-scripts/tflint-ruleset-lite.sh b/docker/install-scripts/tflint-ruleset-lite.sh index 5e4e458..9aba87e 100755 --- a/docker/install-scripts/tflint-ruleset-lite.sh +++ b/docker/install-scripts/tflint-ruleset-lite.sh @@ -17,7 +17,7 @@ while [ $# -gt 0 ]; do done ARCHITECTURE=$(dpkg --print-architecture) -wget https://github.com/terraform-linters/tflint-ruleset-${RULESET}/releases/download/${VERSION}/tflint-ruleset-${RULESET}_linux_${ARCHITECTURE}.zip +wget -nv https://github.com/terraform-linters/tflint-ruleset-${RULESET}/releases/download/${VERSION}/tflint-ruleset-${RULESET}_linux_${ARCHITECTURE}.zip unzip tflint-ruleset-${RULESET}_linux_${ARCHITECTURE}.zip rm tflint-ruleset-${RULESET}_linux_${ARCHITECTURE}.zip diff --git a/docker/install-scripts/tfsec-lite.sh b/docker/install-scripts/tfsec-lite.sh index 3d47682..1f851dd 100755 --- a/docker/install-scripts/tfsec-lite.sh +++ b/docker/install-scripts/tfsec-lite.sh 
@@ -14,7 +14,7 @@ while [ $# -gt 0 ]; do done ARCHITECTURE=$(dpkg --print-architecture) -wget https://github.com/aquasecurity/tfsec/releases/download/${VERSION}/tfsec-linux-${ARCHITECTURE} +wget -nv https://github.com/aquasecurity/tfsec/releases/download/${VERSION}/tfsec-linux-${ARCHITECTURE} chmod +x tfsec-linux-${ARCHITECTURE} mv tfsec-linux-${ARCHITECTURE} /usr/local/bin/tfsec From 0f5cec2b9919c4f0b20e8ab6c9b4018aa8f0ab6f Mon Sep 17 00:00:00 2001 From: Osterberg Date: Fri, 11 Oct 2024 19:18:39 +0200 Subject: [PATCH 16/24] Create dedicated workflows for the lite image --- .github/workflows/shared-steps.yml | 65 +++++++++++++++++++ .../workflows/tools-lite-container-latest.yml | 26 ++++++++ .../workflows/tools-lite-container-pr.yaml | 15 +++++ .../workflows/tools-lite-container-tag.yaml | 22 +++++++ 4 files changed, 128 insertions(+) create mode 100644 .github/workflows/shared-steps.yml create mode 100644 .github/workflows/tools-lite-container-latest.yml create mode 100644 .github/workflows/tools-lite-container-pr.yaml create mode 100644 .github/workflows/tools-lite-container-tag.yaml diff --git a/.github/workflows/shared-steps.yml b/.github/workflows/shared-steps.yml new file mode 100644 index 0000000..7ff9074 --- /dev/null +++ b/.github/workflows/shared-steps.yml 
@@ -0,0 +1,65 @@ +on: + workflow_call: + inputs: + registry: + required: true + type: string + do_tag: + required: true + type: string # boolean exists, but that will be a string as ENV VAR. Set to YES or NOPE + secrets: + token: + required: true + +jobs: + reusable: + runs-on: ubuntu-latest + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to GitHub Container Registry + if: ${{github.event_name != 'pull_request'}} + uses: docker/login-action@v3 + with: + registry: ${{ inputs.registry }} + username: ${{ github.actor }} + password: ${{ secrets.token }} + + - name: Do some shell magic + if: ${{ github.event_name != 'pull_request'}} + shell: bash + id: sh_settings + env: + DO_TAG: ${{inputs.do_tag}} + run: | + if [ $DO_TAG = 'YES' ]; then + echo "tag=lite-${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT + else + echo "tag=lite" >> $GITHUB_OUTPUT + fi + echo "repository=${GITHUB_REPOSITORY@L}" >> $GITHUB_OUTPUT + + - name: '[LITE] Build and push container image' + id: push + uses: docker/build-push-action@v6 + with: + cache-from: ${{inputs.registry}}/${{github.repository}}/tools:${{ steps.sh_settings.outputs.tag }} + file: docker/Dockerfile.lite + context: docker + tags: ${{inputs.registry}}/${{ steps.sh_settings.outputs.repository }}/tools:${{ steps.sh_settings.outputs.tag }} + platforms: linux/amd64,linux/arm64 + push: ${{github.event_name != 'pull_request'}} + + - name: '[LITE] Generate artifact attestation' + if: ${{github.event_name != 'pull_request'}} + uses: actions/attest-build-provenance@v1 + with: + subject-name: ${{ inputs.registry }}//${{ steps.sh_settings.outputs.repository }} + subject-digest: ${{ steps.push.outputs.digest }} + push-to-registry: true + \ No newline at end of file diff --git a/.github/workflows/tools-lite-container-latest.yml b/.github/workflows/tools-lite-container-latest.yml new file mode 100644 index 0000000..ce037c1 --- /dev/null 
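Review bot: The attestation subject in the last step does not name the image that was pushed: `subject-name: ${{ inputs.registry }}//${{ steps.sh_settings.outputs.repository }}` has a doubled slash and omits the `/tools` image path that the `tags:` line uses, so the provenance will not be associated with the image it is meant to cover; it should read `subject-name: ${{ inputs.registry }}/${{ steps.sh_settings.outputs.repository }}/tools`. In the build step, `cache-from:` still interpolates `${{github.repository}}` while `tags:` uses the lowercased `steps.sh_settings.outputs.repository`; registry references must be lowercase, so on a mixed-case owner the cache lookup cannot resolve, and on release builds the referenced tag `lite-<tag>` has never been pushed before, so `cache-from: ${{inputs.registry}}/${{ steps.sh_settings.outputs.repository }}/tools:lite` would be both correct and useful. In the shell step, `if [ $DO_TAG = 'YES' ]; then` should quote the variable (`if [ "$DO_TAG" = 'YES' ]; then`) so an empty input fails the comparison instead of producing a `[` syntax error. Since this job holds `packages: write` and `id-token: write` via its callers, pinning the four actions to full commit SHAs instead of floating major tags (`@v4`, `@v3`, `@v6`, `@v1`) would narrow the supply-chain exposure of the publish path.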
+++ b/.github/workflows/tools-lite-container-latest.yml @@ -0,0 +1,26 @@ +name: Tools [LITE] Container - Publish + +on: + workflow_dispatch: + push: + branches: + - main + paths: + - 'docker/**' + - '.github/**' + +jobs: + publish_latest: + name: Push latest [LITE] container image to GitHub Packages + permissions: + contents: read + packages: write + attestations: write + id-token: write + uses: .github/workflows/shared-steps.yml + with: + registry: ghcr.io + do_tag: 'NOPE' + secrets: + token: ${{ secrets.GITHUB_TOKEN }} + diff --git a/.github/workflows/tools-lite-container-pr.yaml b/.github/workflows/tools-lite-container-pr.yaml new file mode 100644 index 0000000..6047f73 --- /dev/null +++ b/.github/workflows/tools-lite-container-pr.yaml @@ -0,0 +1,15 @@ +name: '[LITE] Tools Container - PR Validation' + +on: + workflow_dispatch: + pull_request: + paths: + - 'docker/**' + +jobs: + pr_validation: + name: '[LITE] PR Validation' + uses: .github/workflows/shared-steps.yml + with: + registry: ghcr.io + do_tag: 'NOPE' diff --git a/.github/workflows/tools-lite-container-tag.yaml b/.github/workflows/tools-lite-container-tag.yaml new file mode 100644 index 0000000..392ab3d --- /dev/null +++ b/.github/workflows/tools-lite-container-tag.yaml @@ -0,0 +1,22 @@ +name: '[LITE] Tools Container - Publish Tag' + +on: + workflow_dispatch: + release: + types: + - published + +jobs: + publish_latest: + name: '[LITE] Push tagged container image to GitHub Packages' + permissions: + contents: read + packages: write + attestations: write + id-token: write + uses: .github/workflows/shared-steps.yml + with: + registry: ghcr.io + do_tag: 'YES' + secrets: + token: ${{ secrets.GITHUB_TOKEN }} From 676b0ef754d8df28ed02aab672fbab2c51f88ab7 Mon Sep 17 00:00:00 2001 
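Review bot: The `pr_validation` job in tools-lite-container-pr.yaml declares no `permissions:` block, so the GITHUB_TOKEN forwarded to the reusable workflow gets the repository's default permission set, which can be write-all on repositories created before the read-only default. The two publish workflows in this commit scope their token explicitly, and the PR job only builds with `push: false` and never logs in, so `permissions: contents: read` on the job is sufficient and keeps the three callers consistent. The trailing blank line after the `secrets:` block in tools-lite-container-latest.yml is harmless but would be flagged by yamllint.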
From: Osterberg Date: Fri, 11 Oct 2024 19:21:05 +0200 Subject: [PATCH 17/24] revert back to org workflows for main image --- .github/workflows/tools-container-latest.yaml | 33 ++++--------------- .github/workflows/tools-container-pr.yaml | 22 +++---------- .github/workflows/tools-container-tag.yaml | 29 ++++++---------- 3 files changed, 22 insertions(+), 62 deletions(-) diff --git a/.github/workflows/tools-container-latest.yaml b/.github/workflows/tools-container-latest.yaml index 153a28d..a7d0411 100644 --- a/.github/workflows/tools-container-latest.yaml +++ b/.github/workflows/tools-container-latest.yaml @@ -1,7 +1,6 @@ name: Tools Container - Publish Latest on: - workflow_dispatch: push: branches: - main 
@@ -15,41 +14,23 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v2 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@v1 - name: Login to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@v2 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - # Stupid, lowercase tag - - name: Lowercase tags - id: lowercase - run: | - echo "repository=${GITHUB_REPOSITORY@L}" >> $GITHUB_OUTPUT - - # Original - name: Build and push container image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@v2 with: - cache-from: ghcr.io/${{github.repository}}/tools:latest + cache-from: ghcr.io/xenitab/github-actions/tools:latest file: docker/Dockerfile context: docker - tags: ghcr.io/l${{ steps.lowercase.outputs.repository }}/tools:latest - push: true - - # Light multiArch image - - name: '[LITE] Build and push container image' - uses: docker/build-push-action@v6 - with: - cache-from: ghcr.io/${{github.repository}}/tools:lite - file: docker/Dockerfile.lite - context: docker - tags: ghcr.io/l${{ steps.lowercase.outputs.repository }}/tools:lite - platforms: linux/amd64,linux/arm64 - push: true + tags: ghcr.io/xenitab/github-actions/tools:latest + push: true \ No newline at end of file diff --git a/.github/workflows/tools-container-pr.yaml b/.github/workflows/tools-container-pr.yaml index 10a5d71..cc1831d 100644 --- a/.github/workflows/tools-container-pr.yaml +++ b/.github/workflows/tools-container-pr.yaml @@ -1,7 +1,6 @@ name: Tools Container - PR Validation on: - workflow_dispatch: pull_request: paths: - 'docker/**' 
@@ -12,26 +11,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v2 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@v1 - # Build the container image - name: Build container image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@v2 with: - cache-from: ghcr.io/${{github.repository}}/tools:latest + cache-from: ghcr.io/xenitab/github-actions/tools:latest file: docker/Dockerfile context: docker - push: false - - # Build the LITE multiArch container image - - name: '[LITE] Build container image' - uses: docker/build-push-action@v6 - with: - cache-from: ghcr.io/${{github.repository}}/tools:lite - file: docker/Dockerfile.lite - context: docker - platforms: linux/amd64,linux/arm64 - push: false + push: false \ No newline at end of file diff --git a/.github/workflows/tools-container-tag.yaml b/.github/workflows/tools-container-tag.yaml index 3cb1a05..2758ce9 100644 --- a/.github/workflows/tools-container-tag.yaml +++ b/.github/workflows/tools-container-tag.yaml @@ -1,10 +1,12 @@ name: Tools Container - Publish Tag on: - workflow_dispatch: release: types: - published + paths: + - "docker/**" + - ".github/**" jobs: publish_latest: @@ -12,13 +14,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v2 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@v1 - name: Login to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@v2 with: registry: ghcr.io username: ${{ github.actor }} 
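Review bot: The `paths:` filter re-added under the `release:` trigger in tools-container-tag.yaml (`paths:` with `"docker/**"` and `".github/**"`) has no effect there: path filters are only honored for `push`, `pull_request` and `pull_request_target`, and a `release` event carries no changed-file set, so GitHub either ignores the key or rejects the file as invalid — in neither case does it restrict which releases build. If the intent is to restore the upstream file byte-for-byte this is worth noting in the commit message; otherwise drop the three lines. The `jobs:` section of that file continues in the following hunks.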
@@ -28,23 +30,12 @@ jobs: id: get_tag run: | echo "tag=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT - echo "repository=${GITHUB_REPOSITORY@L}" >> $GITHUB_OUTPUT - name: Build and push container image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@v2 with: - cache-from: ghcr.io/${{github.repository}}/tools:latest + cache-from: ghcr.io/xenitab/github-actions/tools:latest file: docker/Dockerfile context: docker - tags: ghcr.io/${{ steps.get_tag.outputs.repository }}/tools:${{ steps.get_tag.outputs.tag }} - push: true - - - name: '[LITE] Build and push container image' - uses: docker/build-push-action@v6 - with: - cache-from: ghcr.io/${{github.repository}}/tools:lite - file: docker/Dockerfile.lite - context: docker - tags: ghcr.io/${{ steps.get_tag.outputs.repository }}/tools:lite-${{ steps.get_tag.outputs.tag }} - platforms: linux/amd64,linux/arm64 - push: true + tags: ghcr.io/xenitab/github-actions/tools:${{ steps.get_tag.outputs.tag }} + push: true \ No newline at end of file From afa4bad680ca1bbea899ce1ab3c8668b66f42ac9 Mon Sep 17 00:00:00 2001 From: Osterberg Date: Mon, 14 Oct 2024 14:41:33 +0200 Subject: [PATCH 18/24] Revert changes for existing workflows --- .github/workflows/tools-container-latest.yaml | 2 +- .github/workflows/tools-container-pr.yaml | 2 +- .github/workflows/tools-container-tag.yaml | 2 +- .github/workflows/tools-opa-test.yaml | 4 ++-- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/tools-container-latest.yaml b/.github/workflows/tools-container-latest.yaml index a7d0411..564550b 100644 --- a/.github/workflows/tools-container-latest.yaml +++ b/.github/workflows/tools-container-latest.yaml @@ -33,4 +33,4 @@ jobs: file: docker/Dockerfile context: docker tags: ghcr.io/xenitab/github-actions/tools:latest - push: true \ No newline at end of file + push: true diff --git a/.github/workflows/tools-container-pr.yaml b/.github/workflows/tools-container-pr.yaml index cc1831d..17f1351 100644 
--- a/.github/workflows/tools-container-pr.yaml +++ b/.github/workflows/tools-container-pr.yaml @@ -22,4 +22,4 @@ jobs: cache-from: ghcr.io/xenitab/github-actions/tools:latest file: docker/Dockerfile context: docker - push: false \ No newline at end of file + push: false diff --git a/.github/workflows/tools-container-tag.yaml b/.github/workflows/tools-container-tag.yaml index 2758ce9..03cefa0 100644 --- a/.github/workflows/tools-container-tag.yaml +++ b/.github/workflows/tools-container-tag.yaml @@ -38,4 +38,4 @@ jobs: file: docker/Dockerfile context: docker tags: ghcr.io/xenitab/github-actions/tools:${{ steps.get_tag.outputs.tag }} - push: true \ No newline at end of file + push: true diff --git a/.github/workflows/tools-opa-test.yaml b/.github/workflows/tools-opa-test.yaml index 3637278..7b76d63 100644 --- a/.github/workflows/tools-opa-test.yaml +++ b/.github/workflows/tools-opa-test.yaml @@ -5,10 +5,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out repository code - uses: actions/checkout@v4 + uses: actions/checkout@v3 - name: Setup OPA - uses: open-policy-agent/setup-opa@v2 + uses: open-policy-agent/setup-opa@v1 with: version: 0.40.0 From 74a8bed070caf9f86687378aee11bbba58e1a07a Mon Sep 17 00:00:00 2001 From: Osterberg Date: Mon, 14 Oct 2024 14:41:33 +0200 Subject: [PATCH 19/24] Revert changes for existing workflows and docker --- docker/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index a4a39b7..f90acfe 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.21 AS tf-prepare-builder +FROM golang:1.21 as tf-prepare-builder WORKDIR /workspace COPY ./go-tf-prepare/go.mod ./go-tf-prepare/go.sum ./ 
@@ -12,7 +12,7 @@ FROM debian:12.2-slim #Base RUN apt-get update -y RUN apt-get install -y git curl openssl pip make unzip gpg wget apt-utils -RUN apt-get install -y ansible=7.7.0+dfsg-3+deb12u1 +RUN apt-get install -y ansible=7.3.0+dfsg-1 RUN mkdir -p /tmp/install /usr/src /work WORKDIR /tmp/install From d1441e5246d9fe85042588cc58ead978bc754909 Mon Sep 17 00:00:00 2001 From: Osterberg Date: Mon, 14 Oct 2024 14:57:17 +0200 Subject: [PATCH 20/24] Have to add changes to the existing docker file as the PR validation pipeline wont pass --- docker/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index f90acfe..a4a39b7 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.21 as tf-prepare-builder +FROM golang:1.21 AS tf-prepare-builder WORKDIR /workspace COPY ./go-tf-prepare/go.mod ./go-tf-prepare/go.sum ./ @@ -12,7 +12,7 @@ FROM debian:12.2-slim #Base RUN apt-get update -y RUN apt-get install -y git curl openssl pip make unzip gpg wget apt-utils -RUN apt-get install -y ansible=7.3.0+dfsg-1 +RUN apt-get install -y ansible=7.7.0+dfsg-3+deb12u1 RUN mkdir -p /tmp/install /usr/src /work WORKDIR /tmp/install From 2008c8487d35ad4a109a2b216bf088b7ec1fff77 Mon Sep 17 00:00:00 2001 From: Osterberg Date: Mon, 14 Oct 2024 15:02:36 +0200 Subject: [PATCH 21/24] Add version on reusable template --- .github/workflows/tools-lite-container-latest.yml | 4 ++-- .github/workflows/tools-lite-container-pr.yaml | 2 +- .github/workflows/tools-lite-container-tag.yaml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/tools-lite-container-latest.yml b/.github/workflows/tools-lite-container-latest.yml index ce037c1..5b2fc07 100644 --- a/.github/workflows/tools-lite-container-latest.yml +++ b/.github/workflows/tools-lite-container-latest.yml 
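Review bot: `RUN apt-get install -y ansible=7.7.0+dfsg-3+deb12u1` pins an exact Debian package revision, which is the same failure mode the preceding hunks flip back and forth over with `7.3.0+dfsg-1`: Debian removes superseded revisions from the main archive when a point release or security update replaces them, so this build will break again at the next bookworm update of the package. Because `apt-get update` already fetches the current archive index, the exact pin buys little reproducibility; either track the bookworm line unpinned (`RUN apt-get install -y ansible`) or, if a fixed revision is genuinely required, resolve it from a Debian snapshot archive. A one-line comment above the pin stating why this revision was chosen (`# exact revision: superseded builds are dropped from the archive, bump on install failure`) would spare the next maintainer the guesswork.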
@@ -1,4 +1,4 @@ -name: Tools [LITE] Container - Publish +name: '[LITE] Tools Container - Publish Latest' on: workflow_dispatch: @@ -17,7 +17,7 @@ jobs: packages: write attestations: write id-token: write - uses: .github/workflows/shared-steps.yml + uses: ./.github/workflows/shared-steps.yml@afa4bad680ca1bbea899ce1ab3c8668b66f42ac9 with: registry: ghcr.io do_tag: 'NOPE' diff --git a/.github/workflows/tools-lite-container-pr.yaml b/.github/workflows/tools-lite-container-pr.yaml index 6047f73..a6af1bf 100644 --- a/.github/workflows/tools-lite-container-pr.yaml +++ b/.github/workflows/tools-lite-container-pr.yaml @@ -9,7 +9,7 @@ on: jobs: pr_validation: name: '[LITE] PR Validation' - uses: .github/workflows/shared-steps.yml + uses: ./.github/workflows/shared-steps.yml@afa4bad680ca1bbea899ce1ab3c8668b66f42ac9 with: registry: ghcr.io do_tag: 'NOPE' diff --git a/.github/workflows/tools-lite-container-tag.yaml b/.github/workflows/tools-lite-container-tag.yaml index 392ab3d..f421a5a 100644 --- a/.github/workflows/tools-lite-container-tag.yaml +++ b/.github/workflows/tools-lite-container-tag.yaml @@ -14,7 +14,7 @@ jobs: packages: write attestations: write id-token: write - uses: .github/workflows/shared-steps.yml + uses: ./.github/workflows/shared-steps.yml@afa4bad680ca1bbea899ce1ab3c8668b66f42ac9 with: registry: ghcr.io do_tag: 'YES' From bd1ca0c85153e0a96815e1a5e7b830e10eccee21 Mon Sep 17 00:00:00 2001 From: Osterberg Date: Mon, 14 Oct 2024 15:12:47 +0200 Subject: [PATCH 22/24] Yes as before, why and why --- .github/workflows/tools-lite-container-latest.yml | 2 +- .github/workflows/tools-lite-container-pr.yaml | 2 +- .github/workflows/tools-lite-container-tag.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/tools-lite-container-latest.yml b/.github/workflows/tools-lite-container-latest.yml index 5b2fc07..13929db 100644 --- a/.github/workflows/tools-lite-container-latest.yml +++ b/.github/workflows/tools-lite-container-latest.yml 
@@ -17,7 +17,7 @@ jobs: packages: write attestations: write id-token: write - uses: ./.github/workflows/shared-steps.yml@afa4bad680ca1bbea899ce1ab3c8668b66f42ac9 + uses: ./.github/workflows/shared-steps.yml with: registry: ghcr.io do_tag: 'NOPE' diff --git a/.github/workflows/tools-lite-container-pr.yaml b/.github/workflows/tools-lite-container-pr.yaml index a6af1bf..570a7ae 100644 --- a/.github/workflows/tools-lite-container-pr.yaml +++ b/.github/workflows/tools-lite-container-pr.yaml @@ -9,7 +9,7 @@ on: jobs: pr_validation: name: '[LITE] PR Validation' - uses: ./.github/workflows/shared-steps.yml@afa4bad680ca1bbea899ce1ab3c8668b66f42ac9 + uses: ./.github/workflows/shared-steps.yml with: registry: ghcr.io do_tag: 'NOPE' diff --git a/.github/workflows/tools-lite-container-tag.yaml b/.github/workflows/tools-lite-container-tag.yaml index f421a5a..c724512 100644 --- a/.github/workflows/tools-lite-container-tag.yaml +++ b/.github/workflows/tools-lite-container-tag.yaml @@ -14,7 +14,7 @@ jobs: packages: write attestations: write id-token: write - uses: ./.github/workflows/shared-steps.yml@afa4bad680ca1bbea899ce1ab3c8668b66f42ac9 + uses: ./.github/workflows/shared-steps.yml with: registry: ghcr.io do_tag: 'YES' From c5677d8feec4fb0e09be3ac7fe6dbce29aba12f3 Mon Sep 17 00:00:00 2001 From: Osterberg Date: Mon, 14 Oct 2024 15:18:09 +0200 Subject: [PATCH 23/24] Token is not required when validating a PR --- .github/workflows/shared-steps.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/shared-steps.yml b/.github/workflows/shared-steps.yml index 7ff9074..871a587 100644 --- a/.github/workflows/shared-steps.yml +++ b/.github/workflows/shared-steps.yml @@ -9,7 +9,7 @@ on: type: string # boolean exists, but that will be a string as ENV VAR. Set to YES or NOPE secrets: token: - required: true + required: false jobs: reusable: From 1193a6fef04b14657afea2044fffe625ff4b61fb Mon Sep 17 00:00:00 2001 
From: Osterberg Date: Mon, 14 Oct 2024 15:24:05 +0200 Subject: [PATCH 24/24] Shell magic task are always needed --- .github/workflows/shared-steps.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/shared-steps.yml b/.github/workflows/shared-steps.yml index 871a587..0510741 100644 --- a/.github/workflows/shared-steps.yml +++ b/.github/workflows/shared-steps.yml @@ -31,7 +31,6 @@ jobs: password: ${{ secrets.token }} - name: Do some shell magic - if: ${{ github.event_name != 'pull_request'}} shell: bash id: sh_settings env: @@ -44,7 +43,7 @@ jobs: fi echo "repository=${GITHUB_REPOSITORY@L}" >> $GITHUB_OUTPUT - - name: '[LITE] Build and push container image' + - name: '[LITE] Build container image, (and push)' id: push uses: docker/build-push-action@v6 with:
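Review bot: With the `if:` removed, the `sh_settings` step now runs on every event and is the single source of the tag and repository name consumed by the build and attestation steps, but its name `Do some shell magic` does not say that; a descriptive name such as `- name: Resolve image tag and lowercase repository name` makes the dependency visible in the run log. A short comment above the step noting that `tag` is `lite-<release tag>` when `do_tag` is `YES` and `lite` otherwise, and that `repository` is the lowercased `GITHUB_REPOSITORY`, would document the contract the later steps rely on. The `run:` body that produces those outputs sits between the two hunks and is unchanged by this commit.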