From 1445b913d892e07392a9dd1aef5772c50fdd2887 Mon Sep 17 00:00:00 2001
From: Thomas Ferrandiz <thomas.ferrandiz@suse.com>
Date: Wed, 20 Mar 2024 10:48:41 +0000
Subject: [PATCH] Migrate to Github Actions

Signed-off-by: Thomas Ferrandiz <thomas.ferrandiz@suse.com>
---
 .drone.yml                                 | 143 ---------------------
 .github/workflows/build.yml                |  70 ++++++++++
 .github/workflows/image-push.yml           |  44 +++++++
 Dockerfile                                 |  32 +++--
 Makefile                                   |  20 ++-
 manifest.tmpl                              |  12 --
 updatecli/updatecli.d/updatebuildbase.yaml |  10 --
 7 files changed, 152 insertions(+), 179 deletions(-)
 delete mode 100644 .drone.yml
 create mode 100644 .github/workflows/build.yml
 create mode 100644 .github/workflows/image-push.yml
 delete mode 100644 manifest.tmpl

diff --git a/.drone.yml b/.drone.yml
deleted file mode 100644
index 2b59448..0000000
--- a/.drone.yml
+++ /dev/null
@@ -1,143 +0,0 @@
----
-kind: pipeline
-type: docker
-name: linux-amd64
-
-platform:
-  os: linux
-  arch: amd64
-
-steps:
-- name: build
-  pull: always
-  image: rancher/hardened-build-base:v1.22.2b1
-  commands:
-  - make DRONE_TAG=${DRONE_TAG}
-  volumes:
-  - name: docker
-    path: /var/run/docker.sock
-  when:
-    ref:
-      include:
-      - refs/heads/main
-      - refs/pull/**
-      - refs/tags/*
-
-- name: publish
-  image: rancher/hardened-build-base:v1.22.2b1
-  commands:
-  - docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD
-  - make DRONE_TAG=${DRONE_TAG} image-push
-  environment:
-    DOCKER_PASSWORD:
-      from_secret: docker_password
-    DOCKER_USERNAME:
-      from_secret: docker_username
-  volumes:
-  - name: docker
-    path: /var/run/docker.sock
-  when:
-    event:
-    - tag
-
-- name: scan
-  image: rancher/hardened-build-base:v1.22.2b1
-  commands:
-  - make DRONE_TAG=${DRONE_TAG} image-scan
-  volumes:
-  - name: docker
-    path: /var/run/docker.sock
-  when:
-    ref:
-      include:
-      - refs/heads/main
-      - refs/pull/**
-      - refs/tags/*
-
-volumes:
-- name: docker
-  host:
-    path: /var/run/docker.sock
----
-kind: pipeline
-type: docker
-name: linux-arm64
-
-platform:
-  os: linux
-  arch: arm64
-
-steps:
-- name: build
-  pull: always
-  image: rancher/hardened-build-base:v1.22.2b1
-  commands:
-  - make DRONE_TAG=${DRONE_TAG}
-  volumes:
-  - name: docker
-    path: /var/run/docker.sock
-  when:
-    ref:
-      include:
-      - refs/heads/main
-      - refs/pull/**
-      - refs/tags/*
-
-- name: publish
-  image: rancher/hardened-build-base:v1.22.2b1
-  commands:
-  - docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD
-  - make DRONE_TAG=${DRONE_TAG} image-push
-  environment:
-    DOCKER_PASSWORD:
-      from_secret: docker_password
-    DOCKER_USERNAME:
-      from_secret: docker_username
-  volumes:
-  - name: docker
-    path: /var/run/docker.sock
-  when:
-    event:
-    - tag
-
-- name: scan
-  image: rancher/hardened-build-base:v1.22.2b1
-  commands:
-  - make DRONE_TAG=${DRONE_TAG} image-scan
-  volumes:
-  - name: docker
-    path: /var/run/docker.sock
-  when:
-    ref:
-      include:
-      - refs/heads/main
-      - refs/pull/**
-      - refs/tags/*
-
-volumes:
-- name: docker
-  host:
-    path: /var/run/docker.sock
----
-kind: pipeline
-type: docker
-name: manifest
-platform:
-  os: linux
-  arch: amd64
-steps:
-- name: push
-  image: plugins/manifest:1.2.3
-  settings:
-    password:
-      from_secret: docker_password
-    username:
-      from_secret: docker_username
-    spec: manifest.tmpl
-    ignore_missing: true
-  when:
-    event:
-    - tag
-depends_on:
-- linux-amd64
-- linux-arm64
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000..c173deb
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,70 @@
+on:
+  push:
+    branches:
+    - master
+  pull_request:
+
+permissions:
+  contents: read
+  security-events: write # upload Sarif results
+
+name: Build
+jobs:
+  build-amd64:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Set the TAG value
+      id: get-TAG
+      run: |
+        echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV"
+    - name: Build container image
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        push: false
+        tags: rancher/hardened-cluster-autoscaler:${{ env.TAG }}-amd64
+        file: Dockerfile
+
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/trivy-action@0.18.0
+      with:
+        image-ref: rancher/hardened-cluster-autoscaler:${{ env.TAG }}-amd64
+        ignore-unfixed: true
+        vuln-type: 'os,library'
+        severity: 'CRITICAL,HIGH'
+        format: 'sarif'
+        output: 'trivy-results.sarif'
+    - name: Upload Trivy scan results to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@v3
+      if: always()
+      with:
+        sarif_file: 'trivy-results.sarif'
+
+  build-arm64:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v4
+
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v3
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Set the TAG value
+      id: get-TAG
+      run: |
+        echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV"
+    - name: Build container image
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        push: false
+        tags: rancher/hardened-cluster-autoscaler:${{ env.TAG }}-arm64
+        file: Dockerfile
+        outputs: type=docker
+        platforms: linux/arm64
diff --git a/.github/workflows/image-push.yml b/.github/workflows/image-push.yml
new file mode 100644
index 0000000..0406ae0
--- /dev/null
+++ b/.github/workflows/image-push.yml
@@ -0,0 +1,44 @@
+on:
+  release:
+    types: [published]
+
+permissions:
+  contents: read  
+
+jobs:
+  push-multiarch:
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v4
+
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v3
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: "Read secrets"
+      uses: rancher-eio/read-vault-secrets@main
+      with:
+        secrets: |
+          secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
+          secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD
+
+    - name: Login to Container Registry
+      uses: docker/login-action@v3
+      with:
+        username: ${{ env.DOCKER_USERNAME }}
+        password: ${{ env.DOCKER_PASSWORD }}
+
+    - name: Build container image
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        push: true
+        tags: rancher/hardened-cluster-autoscaler:${{ github.event.release.tag_name }}
+        file: Dockerfile
+        platforms: linux/amd64, linux/arm64
diff --git a/Dockerfile b/Dockerfile
index 7f7b721..b1372ec 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,31 +1,47 @@
 ARG GO_IMAGE=rancher/hardened-build-base:v1.22.2b1
-FROM ${GO_IMAGE} as base-builder
+
+# Image that provides cross compilation tooling.
+FROM --platform=$BUILDPLATFORM rancher/mirrored-tonistiigi-xx:1.3.0 as xx
+
+FROM --platform=$BUILDPLATFORM ${GO_IMAGE} as base-builder
+COPY --from=xx / /
 # setup required packages
 RUN set -x && \
     apk --no-cache add \
     file \
     gcc \
     git \
-    make
+    make \
+    clang lld
 
 # setup the autoscaler build
 FROM base-builder as autoscaler-builder
 ARG SRC=github.com/kubernetes-sigs/cluster-proportional-autoscaler
 ARG PKG=github.com/kubernetes-sigs/cluster-proportional-autoscaler
 RUN git clone --depth=1 https://${SRC}.git $GOPATH/src/${PKG}
-ARG TAG=v1.8.11
-ARG ARCH="amd64"
+ARG TAG=vv1.8.11
 WORKDIR $GOPATH/src/${PKG}
 RUN git fetch --all --tags --prune
 RUN git checkout tags/${TAG} -b ${TAG}
-RUN GOARCH=${ARCH} GO_LDFLAGS="-linkmode=external -X ${PKG}/pkg/version.VERSION=${TAG}" \
+
+ARG TARGETPLATFORM
+RUN set -x && \
+    xx-apk add musl-dev gcc  lld 
+
+RUN xx-go --wrap &&\
+    GOARCH=${ARCH} GO_LDFLAGS="-linkmode=external -X ${PKG}/pkg/version.VERSION=${TAG}" \
     go-build-static.sh -gcflags=-trimpath=${GOPATH}/src -o . ./...
 RUN go-assert-static.sh cluster-proportional-autoscaler
-RUN if [ "${ARCH}" = "amd64" ]; then \
+RUN if [ `xx-info arch` = "amd64" ]; then \
     	go-assert-boring.sh cluster-proportional-autoscaler; \
     fi
-RUN install -s cluster-proportional-autoscaler /usr/local/bin
+RUN install cluster-proportional-autoscaler /usr/local/bin
 
-FROM scratch as autoscaler
+#strip needs to run on TARGETPLATFORM, not BUILDPLATFORM
+FROM ${GO_IMAGE} as strip_binary
 COPY --from=autoscaler-builder /usr/local/bin/cluster-proportional-autoscaler /cluster-proportional-autoscaler
+RUN strip /cluster-proportional-autoscaler
+
+FROM scratch as autoscaler
+COPY --from=strip_binary /cluster-proportional-autoscaler /cluster-proportional-autoscaler
 ENTRYPOINT ["/cluster-proportional-autoscaler"]
diff --git a/Makefile b/Makefile
index 6d66f4f..f20d827 100644
--- a/Makefile
+++ b/Makefile
@@ -17,17 +17,14 @@ SRC ?= github.com/kubernetes-sigs/cluster-proportional-autoscaler
 TAG ?= v1.8.11$(BUILD_META)
 export DOCKER_BUILDKIT?=1
 
-ifneq ($(DRONE_TAG),)
-	TAG := $(DRONE_TAG)
-endif
-
 ifeq (,$(filter %$(BUILD_META),$(TAG)))
-	$(error TAG needs to end with build metadata: $(BUILD_META))
+$(error TAG $(TAG) needs to end with build metadata: $(BUILD_META))
 endif
 
 .PHONY: image-build
 image-build:
-	docker build \
+	docker buildx build \
+		--platform=$(ARCH) \
 		--pull \
 		--build-arg PKG=$(PKG) \
 		--build-arg SRC=$(SRC) \
@@ -36,6 +33,7 @@ image-build:
 		--target autoscaler \
 		--tag $(ORG)/hardened-cluster-autoscaler:$(TAG) \
 		--tag $(ORG)/hardened-cluster-autoscaler:$(TAG)-$(ARCH) \
+		--load \
 	.
 
 .PHONY: image-push
@@ -53,3 +51,13 @@ image-manifest:
 .PHONY: image-scan
 image-scan:
 	trivy image --severity $(SEVERITIES) --no-progress --ignore-unfixed $(ORG)/hardened-cluster-autoscaler:$(TAG)
+
+.PHONY: log
+log:
+	@echo "ARCH=$(ARCH)"
+	@echo "TAG=$(TAG)"
+	@echo "ORG=$(ORG)"
+	@echo "PKG=$(PKG)"
+	@echo "SRC=$(SRC)"
+	@echo "BUILD_META=$(BUILD_META)"
+	@echo "UNAME_M=$(UNAME_M)"
diff --git a/manifest.tmpl b/manifest.tmpl
deleted file mode 100644
index 7d5d3b7..0000000
--- a/manifest.tmpl
+++ /dev/null
@@ -1,12 +0,0 @@
-image: rancher/hardened-cluster-autoscaler:{{build.tag}}
-manifests:
-  -
-    image: rancher/hardened-cluster-autoscaler:{{build.tag}}-amd64
-    platform:
-      architecture: amd64
-      os: linux
-  -
-    image: rancher/hardened-cluster-autoscaler:{{build.tag}}-arm64
-    platform:
-      architecture: arm64
-      os: linux
diff --git a/updatecli/updatecli.d/updatebuildbase.yaml b/updatecli/updatecli.d/updatebuildbase.yaml
index de7cf1f..e7f3d81 100644
--- a/updatecli/updatecli.d/updatebuildbase.yaml
+++ b/updatecli/updatecli.d/updatebuildbase.yaml
@@ -42,16 +42,6 @@ targets:
     transformers:
       - addprefix: "rancher/hardened-build-base:"
 
-  drone:
-    name: "Bump to latest build base version in Dockerfile"
-    kind: file
-    scmid: default
-    disablesourceinput: true
-    spec:
-      file: .drone.yml
-      matchpattern: '(?m)^  image: rancher/hardened-build-base:(.*)'
-      replacepattern: '  image: rancher/hardened-build-base:{{ source "buildbase" }}'
-
 scms:
   default:
     kind: github