From da1c49e3ed0596bd72e223fdd0d42313110ab914 Mon Sep 17 00:00:00 2001 From: Brooks Newberry Date: Tue, 10 Sep 2024 10:12:55 -0700 Subject: [PATCH 1/4] use publish-image action Signed-off-by: Brooks Newberry --- .github/workflows/image-push.yml | 34 ++++++---------------- Dockerfile | 6 ++-- Makefile | 49 ++++++++++++++++++++------------ 3 files changed, 41 insertions(+), 48 deletions(-) diff --git a/.github/workflows/image-push.yml b/.github/workflows/image-push.yml index 43961c6..a465008 100644 --- a/.github/workflows/image-push.yml +++ b/.github/workflows/image-push.yml @@ -18,14 +18,6 @@ jobs: - name: Check out code uses: actions/checkout@v4 - - name: Set the TAG value - id: get-TAG - run: | - echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV" - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - name: "Read secrets" uses: rancher-eio/read-vault-secrets@main with: @@ -33,22 +25,12 @@ jobs: secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ; secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to Container Registry - uses: docker/login-action@v3 - with: - username: ${{ env.DOCKER_USERNAME }} - password: ${{ env.DOCKER_PASSWORD }} - - - name: Build container image - uses: docker/build-push-action@v6 + - name: Build and push image + uses: rancher/ecm-distro-tools/actions/publish-image@master with: - context: . - push: true - tags: rancher/hardened-coredns:${{ github.event.release.tag_name }} - file: Dockerfile - platforms: linux/amd64, linux/arm64 - build-args: | - TAG=${{ env.TAG }} \ No newline at end of file + image: hardened-coredns + tag: ${{ github.event.release.tag_name }} + public-repo: rancher + public-username: ${{ env.DOCKER_USERNAME }} + public-password: ${{ env.DOCKER_PASSWORD }} + push-to-prime: false 
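Review bot: The new `uses: rancher/ecm-distro-tools/actions/publish-image@master` line pins a mutable branch for the step that receives the registry credentials (`public-username`/`public-password`), so any change to that branch runs with push rights to the public repo on the next release, whereas the docker actions it replaces were at least version-tagged (`@v3`, `@v6`). Pin to a full commit SHA and keep the human-readable version beside it, `uses: rancher/ecm-distro-tools/actions/publish-image@<commit-sha>  # <tag>` (placeholders), and let Dependabot or an equivalent refresh it. The same point applies to the untouched context line `rancher-eio/read-vault-secrets@main` and to the PATCH 2/4 hunk that extends this step. The `jobs:` block continues outside the hunk.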
diff --git a/Dockerfile b/Dockerfile index 2065380..8f99f83 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,5 @@ ARG BCI_IMAGE=registry.suse.com/bci/bci-busybox ARG GO_IMAGE=rancher/hardened-build-base:v1.22.7b1 -ARG ARCH="amd64" # Image that provides cross compilation tooling. FROM --platform=$BUILDPLATFORM rancher/mirrored-tonistiigi-xx:1.3.0 as xx @@ -19,7 +18,6 @@ RUN set -x && \ FROM --platform=$BUILDPLATFORM base-builder as coredns-builder ARG SRC=github.com/coredns/coredns ARG PKG=github.com/coredns/coredns -ARG ARCH ARG TAG=v1.11.3 RUN git clone --depth=1 https://${SRC}.git $GOPATH/src/${PKG} WORKDIR $GOPATH/src/${PKG} @@ -27,13 +25,13 @@ RUN git fetch --all --tags --prune RUN git checkout tags/${TAG} -b ${TAG} RUN go mod download # cross-compilation setup -ARG TARGETPLATFORM +ARG TARGETPLATFORM TARGETARCH RUN xx-go --wrap && \ GO_LDFLAGS="-linkmode=external -X ${PKG}/coremain.GitCommit=$(git rev-parse --short HEAD)" \ go-build-static.sh -gcflags=-trimpath=${GOPATH}/src -o bin/coredns . RUN go-assert-static.sh bin/* RUN xx-verify --static bin/* -RUN if [ "${ARCH}" != "s390x" || "${ARCH}" != "arm64" ]; then \ +RUN if [ "${TARGETARCH}" = "amd64" ] || [ "${TARGETARCH}" = "arm64" ]; then \ go-assert-boring.sh bin/*; \ fi diff --git a/Makefile b/Makefile index 0c9ad18..9fd9125 100644 --- a/Makefile +++ b/Makefile @@ -1,17 +1,17 @@ SEVERITIES = HIGH,CRITICAL UNAME_M = $(shell uname -m) -ARCH= -ifeq ($(UNAME_M), x86_64) - ARCH=amd64 -else ifeq ($(UNAME_M), aarch64) - ARCH=arm64 -else - ARCH=$(UNAME_M) +ifndef TARGET_PLATFORMS + ifeq ($(UNAME_M), x86_64) + TARGET_PLATFORMS:=linux/amd64 + else ifeq ($(UNAME_M), aarch64) + TARGET_PLATFORMS:=linux/arm64 + else + TARGET_PLATFORMS:=linux/$(UNAME_M) + endif endif BUILD_META=-build$(shell date +%Y%m%d) -ORG ?= rancher PKG ?= github.com/coredns/coredns SRC ?= github.com/coredns/coredns TAG ?= ${GITHUB_ACTION_TAG} 
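Review bot: The rewritten guard `RUN if [ "${TARGETARCH}" = "amd64" ] || [ "${TARGETARCH}" = "arm64" ]; then go-assert-boring.sh bin/*; fi` fixes the always-true shell test of the old line, but it now skips the BoringCrypto assertion for every other architecture without leaving any trace in the build log. A comment above the RUN would make that auditable, `# BoringCrypto is only available for amd64/arm64; other targets build without the FIPS assertion`, and an `else echo "skipping BoringCrypto assertion for ${TARGETARCH}"` branch would record the skip in the log. `ARG TARGETPLATFORM TARGETARCH` correctly declares the buildx-provided value in the stage that reads it; the two earlier hunks removing `ARG ARCH` are cleanup. `go-assert-boring.sh` presumably comes from the `GO_IMAGE` build base, which is not visible here.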
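Review bot: The fallback `TARGET_PLATFORMS:=linux/$(UNAME_M)` in the new `ifndef` block yields a platform string buildx does not recognise on hosts other than x86_64/aarch64 (an armv7l host gives `linux/armv7l` rather than `linux/arm/v7`), so the build fails later with a less obvious error. Failing fast is clearer: `$(error unsupported host arch $(UNAME_M); set TARGET_PLATFORMS explicitly)`. Note that GNU make's `ifndef` treats an empty value as undefined, so `TARGET_PLATFORMS=` on the command line still takes the host default; a one-line comment above the block, `# Comma-separated buildx platforms; defaults to the host architecture`, would document both behaviours.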
@@ -25,29 +25,42 @@ ifeq (,$(filter %$(BUILD_META),$(TAG))) $(error TAG $(TAG) needs to end with build metadata: $(BUILD_META)) endif +REPO ?= rancher +IMAGE = $(REPO)/hardened-coredns:$(TAG) +BUILD_OPTS = \ + --platform=$(TARGET_PLATFORMS) \ + --build-arg PKG=$(PKG) \ + --build-arg SRC=$(SRC) \ + --build-arg TAG=$(TAG:$(BUILD_META)=) \ + --target coredns \ + --tag "$(IMAGE)" + .PHONY: image-build image-build: docker buildx build \ - --platform=$(ARCH) \ - --build-arg PKG=$(PKG) \ - --build-arg SRC=$(SRC) \ - --build-arg TAG=$(TAG:$(BUILD_META)=) \ - --build-arg ARCH=$(ARCH) \ - --target coredns \ - --tag $(ORG)/hardened-coredns:$(TAG) \ - --tag $(ORG)/hardened-coredns:$(TAG)-$(ARCH) \ + $(BUILD_OPTS) \ --load \ . +.PHONY: push-image +push-image: + docker buildx build \ + $(BUILD_OPTS) \ + --sbom=true \ + --attest type=provenance,mode=max \ + --push \ + . + PHONY: log log: - @echo "ARCH=$(ARCH)" @echo "TAG=$(TAG:$(BUILD_META)=)" - @echo "ORG=$(ORG)" + @echo "REPO=$(REPO)" + @echo "IMAGE=$(IMAGE)" @echo "PKG=$(PKG)" @echo "SRC=$(SRC)" @echo "BUILD_META=$(BUILD_META)" @echo "UNAME_M=$(UNAME_M)" + @echo "TARGET_PLATFORMS=$(TARGET_PLATFORMS)" .PHONY: image-scan image-scan: From 411864c9ab8a53175fd576ef74f114f0dc15527c Mon Sep 17 00:00:00 2001 From: Brooks Newberry Date: Thu, 26 Sep 2024 11:52:05 -0700 Subject: [PATCH 2/4] push to prime registry Signed-off-by: Brooks Newberry --- .github/workflows/image-push.yml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/.github/workflows/image-push.yml b/.github/workflows/image-push.yml index a465008..437a8d9 100644 --- a/.github/workflows/image-push.yml +++ b/.github/workflows/image-push.yml 
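Review bot: The new `push-image` target builds with `--attest type=provenance,mode=max`, and `BUILD_OPTS` is shared with `image-build`; in `mode=max` the published provenance records every `--build-arg`, so anything later routed through `BUILD_OPTS` becomes part of a public attestation. Today PKG, SRC and TAG are harmless, but a comment on the `BUILD_OPTS = \` line should say so: `# NOTE: mode=max provenance publishes every --build-arg below; never pass secrets through BUILD_OPTS`. The `--tag "$(IMAGE)"` quoting and the single-tag `IMAGE` variable are fine; the `PHONY: log` context line (missing leading dot) is pre-existing and not part of this change.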
@@ -23,14 +23,22 @@ jobs: with: secrets: | secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ; - secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD + secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD ; + secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ; + secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ; + secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD - name: Build and push image uses: rancher/ecm-distro-tools/actions/publish-image@master with: image: hardened-coredns tag: ${{ github.event.release.tag_name }} + public-repo: rancher public-username: ${{ env.DOCKER_USERNAME }} public-password: ${{ env.DOCKER_PASSWORD }} - push-to-prime: false + + prime-repo: rancher + prime-registry: ${{ env.PRIME_REGISTRY }} + prime-username: ${{ env.PRIME_REGISTRY_USERNAME }} + prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }} From 24f84249c701499ccfde8f6f5724b6638a78ac54 Mon Sep 17 00:00:00 2001 From: Brooks Newberry Date: Thu, 3 Oct 2024 13:32:28 -0700 Subject: [PATCH 3/4] remove target Signed-off-by: Brooks Newberry --- Makefile | 1 - 1 file changed, 1 deletion(-) diff --git a/Makefile b/Makefile index 9fd9125..1a378ea 100644 --- a/Makefile +++ b/Makefile @@ -32,7 +32,6 @@ BUILD_OPTS = \ --build-arg PKG=$(PKG) \ --build-arg SRC=$(SRC) \ --build-arg TAG=$(TAG:$(BUILD_META)=) \ - --target coredns \ --tag "$(IMAGE)" .PHONY: image-build From db55c6cce1fac91c9028418b278b64b4ff72bac7 Mon Sep 17 00:00:00 2001 From: Brooks Newberry Date: Thu, 3 Oct 2024 13:32:35 -0700 Subject: [PATCH 4/4] IID_FILE_FLAG 
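Review bot: The hunk removes `push-to-prime: false` while adding the `prime-repo`/`prime-registry`/`prime-username`/`prime-password` inputs, but never sets the flag to true; whether the prime push actually happens now depends on the action's default, which is not visible here. Confirm against the action's action.yml and, if the default is false, the new inputs are dead; either way an explicit `push-to-prime: true` documents the intent. The blank line separating the public-* and prime-* inputs is valid YAML, but a short comment such as `# prime-* inputs publish the same image to the Rancher Prime registry` would explain the grouping. The action's `@master` pin was raised on the PATCH 1/4 hunk for this file.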
Signed-off-by: Brooks Newberry --- Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/Makefile b/Makefile index 1a378ea..9374e18 100644 --- a/Makefile +++ b/Makefile @@ -45,6 +45,7 @@ image-build: push-image: docker buildx build \ $(BUILD_OPTS) \ + $(IID_FILE_FLAG) \ --sbom=true \ --attest type=provenance,mode=max \ --push \
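Review bot: `$(IID_FILE_FLAG)` is used in the `push-image` recipe but no definition appears in any hunk of this series, so unless it is set in the environment or on the make command line it expands to nothing, silently. If that is intended, declare it next to `REPO ?= rancher` with a comment so the contract is visible: `IID_FILE_FLAG ?=` and `# optional, e.g. --iidfile=<path> so CI can capture the pushed image id` (constructed example). The recipe continues outside the hunk.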