rancher · galal-hussein · May 14, 2024 · May 8, 2024 · May 8, 2024 · May 8, 2024
diff --git a/.drone.yml b/.drone.yml
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -0,0 +1,121 @@
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+
+name: Build
+jobs:
+  build-amd64:
+    permissions:
+      contents: read # read the repository
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Set the TAG value
+      id: get-TAG
+      run: |
+        echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV"
+
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v3
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Build container image
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        push: false
+        tags: rancher/hardened-containerd:${{ env.TAG }}-amd64
+        file: Dockerfile
+
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/[email protected]
+      with:
+        image-ref: rancher/hardened-containerd:${{ env.TAG }}-amd64
+        format: 'table'
+        exit-code: '1'
+        ignore-unfixed: true
+        vuln-type: 'os,library'
+        severity: 'CRITICAL,HIGH'
+      continue-on-error: true 
+
+  build-arm64:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v4
+
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v3
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Set the TAG value
+      id: get-TAG
+      run: |
+        echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV"
+
+    - name: Build container image
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        push: false
+        tags: rancher/hardened-containerd:${{ env.TAG }}-arm64
+        file: Dockerfile
+        outputs: type=docker
+        platforms: linux/arm64
+
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/[email protected]
+      with:
+        image-ref: rancher/hardened-containerd:${{ env.TAG }}-arm64
+        format: 'table'
+        exit-code: '1'
+        ignore-unfixed: true
+        vuln-type: 'os,library'
+        severity: 'CRITICAL,HIGH'
+      continue-on-error: true
+
+  build-windows:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v4
+
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v3
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Set the TAG value
+      id: get-TAG
+      run: |
+        echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV"
+    - name: Build container image
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        push: false
+        tags: rancher/hardened-containerd:${{ env.TAG }}-amd64-windows
+        file: Dockerfile.windows
+        outputs: type=docker
+        platforms: linux/amd64
+
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/[email protected]
+      with:
+        image-ref: rancher/hardened-containerd:${{ env.TAG }}-amd64-windows
+        format: 'table'
+        exit-code: '1'
+        ignore-unfixed: true
+        vuln-type: 'os,library'
+        severity: 'CRITICAL,HIGH'
+      continue-on-error: true
+
diff --git a/.github/workflows/image-push.yml b/.github/workflows/image-push.yml
@@ -0,0 +1,50 @@
+on:
+  release:
+    types: [published]
+
+jobs:
+  push-multiarch:
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v4
+
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v3
+
+    - name: "Read secrets"
+      uses: rancher-eio/read-vault-secrets@main
+      with:
+        secrets: |
+          secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
+          secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Login to Container Registry
+      uses: docker/login-action@v3
+      with:
+        username: ${{ env.DOCKER_USERNAME }}
+        password: ${{ env.DOCKER_PASSWORD }}
+
+    - name: Build container image for Linux
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        push: true
+        tags: rancher/hardened-containerd:${{ github.event.release.tag_name }}
+        file: Dockerfile
+        platforms: linux/amd64, linux/arm64
+
+    - name: Build container image for Windows
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        push: true
+        tags: rancher/hardened-containerd:${{ github.event.release.tag_name }}-amd64-windows
+        file: Dockerfile.windows
+        platforms: linux/amd64
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 ARG BCI_IMAGE=registry.suse.com/bci/bci-base
-ARG GO_IMAGE=rancher/hardened-build-base:v1.20.12b2
+ARG GO_IMAGE=rancher/hardened-build-base:v1.22.3b1
 FROM ${BCI_IMAGE} as bci
 FROM ${GO_IMAGE} as builder
 ARG ARCH="amd64"
@@ -19,10 +19,7 @@ RUN set -x && \
     mercurial \
     subversion \
     unzip
-RUN if [ "${ARCH}" == "s390x" ]; then \
-        curl -LO https://github.com/protocolbuffers/protobuf/releases/download/v3.17.3/protoc-3.17.3-linux-s390_64.zip; \
-        unzip protoc-3.17.3-linux-s390_64.zip -d /usr; \
-    elif [ "${ARCH}" == "arm64" ]; then \
+RUN if [ "${ARCH}" == "arm64" ]; then \
         curl -LO https://github.com/protocolbuffers/protobuf/releases/download/v3.17.3/protoc-3.17.3-linux-aarch_64.zip; \
         unzip protoc-3.17.3-linux-aarch_64.zip -d /usr; \
     else \
@@ -32,7 +29,7 @@ RUN if [ "${ARCH}" == "s390x" ]; then \
 # setup containerd build
 ARG SRC="github.com/k3s-io/containerd"
 ARG PKG="github.com/containerd/containerd"
-ARG TAG="v1.6.19-k3s1"
+ARG TAG="v1.7.11-k3s1"
 RUN git clone --depth=1 https://${SRC}.git $GOPATH/src/${PKG}
 WORKDIR $GOPATH/src/${PKG}
 RUN git fetch --tags --depth=1 origin ${TAG}

diff --git a/Dockerfile.windows b/Dockerfile.windows
@@ -1,5 +1,5 @@
 ARG BCI_IMAGE=registry.suse.com/bci/bci-base
-ARG GO_IMAGE=rancher/hardened-build-base:v1.20.12b2
+ARG GO_IMAGE=rancher/hardened-build-base:v1.22.3b1
 FROM ${BCI_IMAGE} as bci
 FROM ${GO_IMAGE} as builder
 ARG ARCH="amd64"
@@ -25,7 +25,7 @@ RUN curl -LO https://github.com/google/protobuf/releases/download/v3.17.3/protoc
 # setup containerd build
 ARG SRC="github.com/k3s-io/containerd"
 ARG PKG="github.com/containerd/containerd"
-ARG TAG="v1.6.14-k3s1"
+ARG TAG="v1.7.11-k3s1"
 RUN git clone --depth=1 https://${SRC}.git ${GOPATH}/src/${PKG}
 WORKDIR $GOPATH/src/${PKG}
 RUN git fetch --tags --depth=1 origin ${TAG}