Open galal-hussein opened 4 months ago
There are a few more projects:
I will add the rest of the images to the list, so that we can create related issues for them, also we would need to document the process here so that we have consistency between the repos
Are we also doing the switch to either scratch
or bci-busybox
at teh same time?
Are we also doing the switch to either
scratch
orbci-busybox
at the same time?
I don't think we should, I think these series of PRs can act as a template for any other project that we need to move to GH action, so I think its better if we separete the moving to bci-busybox to another series of PRs
The idea right now, is that this effort will be complete by June sometime, though I know we're blocked on an EIO step right now. I will update here as I know more. Thank you all!
All traces of drone must be removed, that includes:
.drone.yml
fileTAG ?= ${DRONE_TAG}
in the makefileSince we are using buildx now to support multiarch builds, then there is no need for manifest.tmpl, this should be removed from:
Makefile:
.PHONY: image-manifest
image-manifest:
DOCKER_CLI_EXPERIMENTAL=enabled docker manifest create --amend \
$(ORG)/hardened-<image>:$(TAG) \
$(ORG)/hardened-<image>:$(TAG)-$(ARCH)
DOCKER_CLI_EXPERIMENTAL=enabled docker manifest push \
$(ORG)/hardened-<image>:$(TAG)
manifest.tmpl file
The idea of the migration is simple, basically includes adding a log section to the makefile which will print all important environment variables that are given by tags or PRs and will be used by the github actions: Makefile
.PHONY: log
log:
@echo "ARCH=$(ARCH)"
@echo "TAG=$(TAG)"
@echo "ORG=$(ORG)"
@echo "PKG=$(PKG)"
@echo "SRC=$(SRC)"
@echo "BUILD_META=$(BUILD_META)"
@echo "K3S_ROOT_VERSION=$(K3S_ROOT_VERSION)"
@echo "UNAME_M=$(UNAME_M)"
And then it can be used in the github action as follows:
run: |
echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV"
.github/workflow
filesFor image repos we should have 2 main files:
1- .github/workflows/build.yml
(see flannel repo as a reference)
2- .github/workflows/image-push.yml
(see flannel repo as a reference)
The build.yml
file simply builds the images for amd64, arm64 architectures and then runs trivy for scans, and image-push does the same thing but with push set to true.
Note that you would need to set the proper permissions on the pipeline for the image-push workflow, this happens through pulling the secret from vault as follows:
secrets: |
secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD
@galal-hussein very good summary, that's exactly what we did in the PRs already merged
great summary! Maybe warn users that the way to fetch dockerhub secrets changed. Now we use a EIO github action and read the username and password from an env variable
This epic issue is to track the effort of moving the automation of build and release of the following repositories to Github action instead of Drone:
#409#411#412#415#417#418The migration should involve migrating the PR drone and push drone as well, which will include:
Decisions taken so far (up for discussion, of course!):
--load
oroutputs: type=docker
are not compatible with multi-arch imagesMakefile
. Creating the tag: version-build$DATE is complicated in github actions and we already have that in the Makefileaquasecurity/trivy-action
+ dependabot as opposed to running the trivy binary inside the build-base image. This way it is easy to make sure that we are on the latest trivy codegithub/codeql-action/upload-sarif@v3
to keep track of themWe need EIO:
GOTCHAS: