Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[EPIC] Move build/release automation to GH Actions #375

Open
33 tasks done
galal-hussein opened this issue Mar 11, 2024 · 10 comments
Open
33 tasks done

[EPIC] Move build/release automation to GH Actions #375

galal-hussein opened this issue Mar 11, 2024 · 10 comments
Assignees
@galal-hussein @brooksn
Labels
enhancement New feature or request priority/high

Comments

@galal-hussein
Copy link
Contributor

galal-hussein commented Mar 11, 2024
edited
Loading

This epic issue is to track the effort of moving the automation of build and release of the following repositories to Github action instead of Drone:

The migration should involve migrating the PR drone and push drone as well, which will include:

  • indicating successful/failure builds
  • in case of release:
    • release any related artifacts to the github release
    • the push of the related docker images to docker hub

Decisions taken so far (up for discussion, of course!):

  • Use buildx to build ARM64. General guidance from RAT suggests to wait until we have our own ARM64 runners because or limited resources but RAT is ok for our projects to use buildx as the resource consumption is not high
  • Separate the build in two different jobs: one for amd64 and one for arm64. The reason is that we are running trivy to inspect the images and thus they need to be locally available. Combining both archs in one job is not supported because buildx and options like --load or outputs: type=docker are not compatible with multi-arch images
  • In the push job, we can combine both archs as we are not applying trivy
  • Keep the Makefile we were using with drone, even if we are not using it anymore. This can help run the build commands manually
  • In the build workflow, consume the TAG from the Makefile. Creating the tag: version-build$DATE is complicated in github actions and we already have that in the Makefile
  • Security recommends only running trivy in one arch, it does not have to be in both (image-build-flannel is using it in both)
  • Security recommends using the trivy github action aquasecurity/trivy-action + dependabot as opposed to running the trivy binary inside the build-base image. This way it is easy to make sure that we are on the latest trivy code
  • Security recommends adding to the workflows:
permissions:
    contents: read
    security-events: write # upload Sarif results (only in build workflow)
  • Security recommends uploading the detected CVEs with github/codeql-action/upload-sarif@v3 to keep track of them

We need EIO:

GOTCHAS:

  • Remember to remove the updatecli policy which updates drone
@galal-hussein galal-hussein added the enhancement New feature or request label Mar 11, 2024
@galal-hussein galal-hussein self-assigned this Mar 11, 2024
@galal-hussein galal-hussein mentioned this issue Mar 11, 2024
Merged
@manuelbuil
Copy link
Contributor

There are a few more projects:

@briandowns
Copy link
Contributor

https://github.com/rancher/ecm-distro-tools/blob/master/docs/rke2-dependencies.md

@manuelbuil
Copy link
Contributor

https://github.com/rancherlabs/eio/issues/2106

@galal-hussein
Copy link
Contributor Author

I will add the rest of the images to the list, so that we can create related issues for them, also we would need to document the process here so that we have consistency between the repos

@cwayne18
Copy link
Member

Are we also doing the switch to either scratch or bci-busybox at teh same time?

@galal-hussein
Copy link
Contributor Author

Are we also doing the switch to either scratch or bci-busybox at the same time?

I don't think we should, I think these series of PRs can act as a template for any other project that we need to move to GH action, so I think its better if we separete the moving to bci-busybox to another series of PRs

@manuelbuil manuelbuil mentioned this issue Mar 19, 2024
Closed
@brooksn brooksn self-assigned this Mar 25, 2024
@caroline-suse-rancher
Copy link

The idea right now, is that this effort will be complete by June sometime, though I know we're blocked on an EIO step right now. I will update here as I know more. Thank you all!

@galal-hussein
Copy link
Contributor Author

galal-hussein commented Apr 12, 2024
edited
Loading

This is a small guide that should be applied for any new image/repo that we want to migrate to GH Actions:

Image repos (image-build-*)

Step 1 - Remove Drone Traces

All traces of drone must be removed, that includes:

  • .drone.yml file
  • TAG ?= ${DRONE_TAG} in the makefile
  • updatecli - remove drone if mentioned from updatecli

Step 2 - Remove manifest

Since we are using buildx now to support multiarch builds, then there is no need for manifest.tmpl, this should be removed from:

  • Makefile:
.PHONY: image-manifest
image-manifest:
	DOCKER_CLI_EXPERIMENTAL=enabled docker manifest create --amend \
		$(ORG)/hardened-<image>:$(TAG) \
		$(ORG)/hardened-<image>:$(TAG)-$(ARCH)
	DOCKER_CLI_EXPERIMENTAL=enabled docker manifest push \
		$(ORG)/hardened-<image>:$(TAG)
  • manifest.tmpl file

Step 3 - Add log to the makefile

The idea of the migration is simple, basically includes adding a log section to the makefile which will print all important environment variables that are given by tags or PRs and will be used by the github actions:
Makefile

.PHONY: log
log:
	@echo "ARCH=$(ARCH)"
	@echo "TAG=$(TAG)"
	@echo "ORG=$(ORG)"
	@echo "PKG=$(PKG)"
	@echo "SRC=$(SRC)"
	@echo "BUILD_META=$(BUILD_META)"
	@echo "K3S_ROOT_VERSION=$(K3S_ROOT_VERSION)"
	@echo "UNAME_M=$(UNAME_M)"

And then it can be used in the github action as follows:

run: |
        echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV"

Step 4 - Add .github/workflow files

For image repos we should have 2 main files:

1- .github/workflows/build.yml (see flannel repo as a reference)
2- .github/workflows/image-push.yml (see flannel repo as a reference)

The build.yml file simply builds the images for amd64, arm64 architectures and then runs trivy for scans, and image-push does the same thing but with push set to true.

Note that you would need to set the proper permissions on the pipeline for the image-push workflow, this happens through pulling the secret from vault as follows:

secrets: |
          secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
          secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD

@thomasferrandiz
Copy link

@galal-hussein very good summary, that's exactly what we did in the PRs already merged

@manuelbuil
Copy link
Contributor

great summary! Maybe warn users that the way to fetch dockerhub secrets changed. Now we use a EIO github action and read the username and password from an env variable

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@galal-hussein galal-hussein

@brooksn brooksn

Labels
enhancement New feature or request priority/high
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@cwayne18 @galal-hussein @brooksn @briandowns @manuelbuil @thomasferrandiz @caroline-suse-rancher