Migrate to github actions

Signed-off-by: Manuel Buil <[email protected]>

.drone.yml

@@ -1,64 +1,3 @@
----
-kind: pipeline
-type: docker
-name: linux-amd64
-
-platform:
-  os: linux
-  arch: amd64
-
-steps:
-- name: build
-  pull: always
-  image: rancher/hardened-build-base:v1.21.8b1
-  commands:
-  - make DRONE_TAG=${DRONE_TAG}
-  volumes:
-  - name: docker
-    path: /var/run/docker.sock
-  when:
-    ref:
-      include:
-      - refs/heads/master
-      - refs/pull/**
-      - refs/tags/*
-
-- name: publish
-  image: rancher/hardened-build-base:v1.21.8b1
-  commands:
-  - docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD
-  - make DRONE_TAG=${DRONE_TAG} image-push
-  environment:
-    DOCKER_PASSWORD:
-      from_secret: docker_password
-    DOCKER_USERNAME:
-      from_secret: docker_username
-  volumes:
-  - name: docker
-    path: /var/run/docker.sock
-  when:
-    event:
-    - tag
-
-- name: scan
-  image: rancher/hardened-build-base:v1.21.8b1
-  commands:
-  - make DRONE_TAG=${DRONE_TAG} image-scan
-  volumes:
-  - name: docker
-    path: /var/run/docker.sock
-  when:
-    ref:
-      include:
-      - refs/heads/master
-      - refs/pull/**
-      - refs/tags/*
-
-volumes:
-- name: docker
-  host:
-    path: /var/run/docker.sock
-
 ---
 kind: pipeline
 type: docker
@@ -141,7 +80,6 @@ steps:
     event:
     - tag
 depends_on:
-- linux-amd64
 - linux-arm64
 ...
 

.github/workflows/build.yml

@@ -0,0 +1,39 @@
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+
+name: Build
+jobs:
+  build:
+    strategy:
+      matrix:
+        goarch: [amd64] #arm64 not yet fully supported in upstream Github Actions
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Set the TAG value
+      id: get-TAG
+      run: |
+        echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV"
+
+    - name: Build container image
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        push: false
+        tags: rancher/hardened-flannel:${{ env.TAG }}
+        file: Dockerfile
+
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/[email protected]
+      with:
+        image-ref: rancher/hardened-flannel:${{ env.TAG }}
+        format: 'table'
+        exit-code: '1'
+        ignore-unfixed: true
+        vuln-type: 'os,library'
+        severity: 'CRITICAL,HIGH'

.github/workflows/image-push.yml

@@ -0,0 +1,27 @@
+on:
+  release:
+    types: [published]
+
+jobs:
+  push-amd64:
+    strategy:
+      matrix:
+        goarch: [amd64] #arm64 not yet fully supported in upstream Github Actions
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v4
+
+      - name: Login to Container Registry
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.docker_username }}
+          password: ${{ secrets.docker_password }}
+
+      - name: Build container image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: rancher/hardened-flannel:${{ github.event.release.tag_name }}
+          file: Dockerfile

Makefile

@@ -17,12 +17,8 @@ SRC ?= github.com/flannel-io/flannel
 TAG ?= v0.24.3$(BUILD_META)
 K3S_ROOT_VERSION ?= v0.13.0
 
-ifneq ($(DRONE_TAG),)
-	TAG := $(DRONE_TAG)
-endif
-
 ifeq (,$(filter %$(BUILD_META),$(TAG)))
-$(error TAG needs to end with build metadata: $(BUILD_META))
+$(error TAG ${TAG} needs to end with build metadata: $(BUILD_META))
 endif
 
 .PHONY: image-build
@@ -53,3 +49,15 @@ image-manifest:
 .PHONY: image-scan
 image-scan:
 	trivy image --severity $(SEVERITIES) --no-progress --ignore-unfixed $(ORG)/hardened-flannel:$(TAG)
+
+.PHONY: log
+log:
+	@echo "ARCH=$(ARCH)"
+	@echo "TAG=$(TAG)"
+	@echo "ORG=$(ORG)"
+	@echo "PKG=$(PKG)"
+	@echo "SRC=$(SRC)"
+	@echo "BUILD_META=$(BUILD_META)"
+	@echo "K3S_ROOT_VERSION=$(K3S_ROOT_VERSION)"
+	@echo "UNAME_M=$(UNAME_M)"
+

manifest.tmpl

@@ -1,10 +1,5 @@
 image: rancher/hardened-flannel:{{build.tag}}
 manifests:
-  -
-    image: rancher/hardened-flannel:{{build.tag}}-amd64
-    platform:
-      architecture: amd64
-      os: linux
   -
     image: rancher/hardened-flannel:{{build.tag}}-arm64
     platform: