diff --git a/.drone.yml b/.drone.yml
index 6722aec..8a96da5 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -1,64 +1,3 @@
----
-kind: pipeline
-type: docker
-name: linux-amd64
-
-platform:
- os: linux
- arch: amd64
-
-steps:
-- name: build
- pull: always
- image: rancher/hardened-build-base:v1.21.8b1
- commands:
- - make DRONE_TAG=${DRONE_TAG}
- volumes:
- - name: docker
- path: /var/run/docker.sock
- when:
- ref:
- include:
- - refs/heads/master
- - refs/pull/**
- - refs/tags/*
-
-- name: publish
- image: rancher/hardened-build-base:v1.21.8b1
- commands:
- - docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD
- - make DRONE_TAG=${DRONE_TAG} image-push
- environment:
- DOCKER_PASSWORD:
- from_secret: docker_password
- DOCKER_USERNAME:
- from_secret: docker_username
- volumes:
- - name: docker
- path: /var/run/docker.sock
- when:
- event:
- - tag
-
-- name: scan
- image: rancher/hardened-build-base:v1.21.8b1
- commands:
- - make DRONE_TAG=${DRONE_TAG} image-scan
- volumes:
- - name: docker
- path: /var/run/docker.sock
- when:
- ref:
- include:
- - refs/heads/master
- - refs/pull/**
- - refs/tags/*
-
-volumes:
-- name: docker
- host:
- path: /var/run/docker.sock
-
 ---
 kind: pipeline
 type: docker
@@ -141,7 +80,6 @@ steps:
 event:
 - tag
 depends_on:
-- linux-amd64
- linux-arm64
 ...
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000..37bbd14
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,39 @@
+on:
+ push:
+ branches:
+ - master
+ pull_request:
+
+name: Build
+jobs:
+ build:
+ strategy:
+ matrix:
+ goarch: [amd64] #arm64 not yet fully supported in upstream Github Actions
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Set the TAG value
+ id: get-TAG
+ run: |
+ echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV"
+
+ - name: Build container image
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ push: false
+ tags: rancher/hardened-flannel:${{ env.TAG }}
+ file: Dockerfile
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@0.18.0
+ with:
+ image-ref: rancher/hardened-flannel:${{ env.TAG }}
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
\ No newline at end of file
diff --git a/.github/workflows/image-push.yml b/.github/workflows/image-push.yml
new file mode 100644
index 0000000..8776f3b
--- /dev/null
+++ b/.github/workflows/image-push.yml
@@ -0,0 +1,27 @@
+on:
+ release:
+ types: [published]
+
+jobs:
+ push-amd64:
+ strategy:
+ matrix:
+ goarch: [amd64] #arm64 not yet fully supported in upstream Github Actions
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out code into the Go module directory
+ uses: actions/checkout@v4
+
+ - name: Login to Container Registry
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.docker_username }}
+ password: ${{ secrets.docker_password }}
+
+ - name: Build container image
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ push: true
+ tags: rancher/hardened-flannel:${{ github.event.release.tag_name }}
+ file: Dockerfile
\ No newline at end of file
diff --git a/Makefile b/Makefile
index dd3d4f4..0d00559 100644
--- a/Makefile
+++ b/Makefile
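Review bot: The `Set the TAG value` step cannot fail: `echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV"` reports echo's exit status, so if `make log` errors (for instance on the Makefile's build-metadata check) or nothing matches, an empty line is appended, `env.TAG` is empty and the build and scan steps run against `rancher/hardened-flannel:` with no tag; write it fail-closed as `make -s log | grep '^TAG=' >> "$GITHUB_ENV"` (the default step shell is `bash -e` as far as I recall, so grep's non-zero status then fails the step, and the `^` anchor keeps any other line whose name contains TAG out of the environment). The `strategy.matrix.goarch: [amd64]` entry is never referenced as `${{ matrix.goarch }}`, so it only wraps the job in a one-element matrix; either feed it to the build (`platforms` or `build-args` on docker/build-push-action) or drop it until arm64 is added. The job also runs with the default token permissions and pins third-party actions by mutable tag (`aquasecurity/trivy-action@0.18.0`, `docker/build-push-action@v5`); a top-level `permissions: contents: read` and commit-SHA pins would narrow what a compromised action release could do with this repository's token. The same unused matrix appears in image-push.yml.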
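Review bot: The release job pushes `rancher/hardened-flannel:${{ github.event.release.tag_name }}` without going through the Makefile, so neither the `$(error TAG ... needs to end with build metadata ...)` guard nor the Trivy gate that build.yml applies on pull requests runs on the image that is actually released: a release whose tag lacks the `$(BUILD_META)` suffix, or an image with a new CRITICAL/HIGH finding, is published as-is, whereas the removed Drone `publish` step at least ran `make image-push` under that guard. Build with `load: true`/`push: false`, scan with the same trivy-action settings as build.yml, and only then push (rewritten steps below). Separately, if the remaining Drone manifest pipeline still publishes `image: rancher/hardened-flannel:{{build.tag}}` from manifest.tmpl, it now writes an arm64-only manifest list to the same tag this job pushes the amd64 image to and whichever finishes last wins; I cannot see that pipeline's manifest step in this diff, so please confirm. As in build.yml the `matrix.goarch` entry is unused, and this workflow lacks a top-level `name:` and a `permissions:` block.
```yaml
      # … unchanged: checkout and registry login steps …
      - name: Build container image
        uses: docker/build-push-action@v5
        with:
          context: .
          load: true
          push: false
          tags: rancher/hardened-flannel:${{ github.event.release.tag_name }}
          file: Dockerfile

      - name: Scan image before publishing
        uses: aquasecurity/trivy-action@0.18.0
        with:
          image-ref: rancher/hardened-flannel:${{ github.event.release.tag_name }}
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'

      - name: Push container image
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: rancher/hardened-flannel:${{ github.event.release.tag_name }}
          file: Dockerfile
```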
@@ -17,12 +17,8 @@ SRC ?= github.com/flannel-io/flannel
 TAG ?= v0.24.3$(BUILD_META)
 K3S_ROOT_VERSION ?= v0.13.0
-ifneq ($(DRONE_TAG),)
- TAG := $(DRONE_TAG)
-endif
-
 ifeq (,$(filter %$(BUILD_META),$(TAG)))
-$(error TAG needs to end with build metadata: $(BUILD_META))
+$(error TAG ${TAG} needs to end with build metadata: $(BUILD_META))
 endif
 .PHONY: image-build
@@ -53,3 +49,15 @@ image-manifest:
 .PHONY: image-scan
 image-scan:
 trivy image --severity $(SEVERITIES) --no-progress --ignore-unfixed $(ORG)/hardened-flannel:$(TAG)
+
+.PHONY: log
+log:
+ @echo "ARCH=$(ARCH)"
+ @echo "TAG=$(TAG)"
+ @echo "ORG=$(ORG)"
+ @echo "PKG=$(PKG)"
+ @echo "SRC=$(SRC)"
+ @echo "BUILD_META=$(BUILD_META)"
+ @echo "K3S_ROOT_VERSION=$(K3S_ROOT_VERSION)"
+ @echo "UNAME_M=$(UNAME_M)"
+
diff --git a/manifest.tmpl b/manifest.tmpl
index 438e4a1..15351c9 100644
--- a/manifest.tmpl
+++ b/manifest.tmpl
@@ -1,10 +1,5 @@
 image: rancher/hardened-flannel:{{build.tag}}
 manifests:
- -
- image: rancher/hardened-flannel:{{build.tag}}-amd64
- platform:
- architecture: amd64
- os: linux
 -
 image: rancher/hardened-flannel:{{build.tag}}-arm64
 platform:
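Review bot: `$(error TAG ${TAG} needs to end with build metadata: $(BUILD_META))` switches to brace syntax for one variable while every other reference in the hunk uses `$(...)`; GNU make expands both identically, but the mix reads like a typo, so prefer `$(error TAG $(TAG) needs to end with build metadata: $(BUILD_META))`. With the `ifneq ($(DRONE_TAG),)` override gone, TAG can now only come from the environment or the make command line, and build.yml relies on the default `v0.24.3$(BUILD_META)` to name the image it scans; a one-line comment above `TAG ?=` saying so would spare the next reader a search for where CI sets it.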
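Review bot: The new `log` target is the producer for build.yml's `make -s log | grep TAG >> "$GITHUB_ENV"`, but nothing in the Makefile records that contract, so a later rename of the `TAG=` line or a new variable with TAG in its name would silently change what lands in `env.TAG`; add above `.PHONY: log` a comment such as `# KEY=value lines; .github/workflows/build.yml greps TAG= from this output into $GITHUB_ENV`. The hunk's last added line is a trailing blank line at end of file, which can be dropped.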