Open galal-hussein opened 4 months ago
manuelbuil
commented
4 months ago There are a few more projects:
briandowns
commented
4 months ago manuelbuil
commented
4 months ago 
galal-hussein
commented
4 months ago I will add the rest of the images to the list, so that we can create related issues for them, also we would need to document the process here so that we have consistency between the repos
cwayne18
commented
4 months ago Are we also doing the switch to either scratch or bci-busybox at teh same time?
galal-hussein
commented
4 months ago Are we also doing the switch to either
scratchorbci-busyboxat the same time?
I don't think we should, I think these series of PRs can act as a template for any other project that we need to move to GH action, so I think its better if we separete the moving to bci-busybox to another series of PRs
caroline-suse-rancher
commented
3 months ago The idea right now, is that this effort will be complete by June sometime, though I know we're blocked on an EIO step right now. I will update here as I know more. Thank you all!
galal-hussein
commented
3 months ago All traces of drone must be removed, that includes:
.drone.yml fileTAG ?= ${DRONE_TAG} in the makefileSince we are using buildx now to support multiarch builds, then there is no need for manifest.tmpl, this should be removed from:
Makefile:
.PHONY: image-manifest
image-manifest:
DOCKER_CLI_EXPERIMENTAL=enabled docker manifest create --amend \
$(ORG)/hardened-<image>:$(TAG) \
$(ORG)/hardened-<image>:$(TAG)-$(ARCH)
DOCKER_CLI_EXPERIMENTAL=enabled docker manifest push \
$(ORG)/hardened-<image>:$(TAG)manifest.tmpl file
The idea of the migration is simple, basically includes adding a log section to the makefile which will print all important environment variables that are given by tags or PRs and will be used by the github actions: Makefile
.PHONY: log
log:
@echo "ARCH=$(ARCH)"
@echo "TAG=$(TAG)"
@echo "ORG=$(ORG)"
@echo "PKG=$(PKG)"
@echo "SRC=$(SRC)"
@echo "BUILD_META=$(BUILD_META)"
@echo "K3S_ROOT_VERSION=$(K3S_ROOT_VERSION)"
@echo "UNAME_M=$(UNAME_M)"And then it can be used in the github action as follows:
run: |
echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV".github/workflow filesFor image repos we should have 2 main files:
1- .github/workflows/build.yml (see flannel repo as a reference)
2- .github/workflows/image-push.yml (see flannel repo as a reference)
The build.yml file simply builds the images for amd64, arm64 architectures and then runs trivy for scans, and image-push does the same thing but with push set to true.
Note that you would need to set the proper permissions on the pipeline for the image-push workflow, this happens through pulling the secret from vault as follows:
secrets: |
secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD
thomasferrandiz
commented
3 months ago @galal-hussein very good summary, that's exactly what we did in the PRs already merged
manuelbuil
commented
3 months ago great summary! Maybe warn users that the way to fetch dockerhub secrets changed. Now we use a EIO github action and read the username and password from an env variable
This epic issue is to track the effort of moving the automation of build and release of the following repositories to Github action instead of Drone:
#409#411#412#415#417#418The migration should involve migrating the PR drone and push drone as well, which will include:
Decisions taken so far (up for discussion, of course!):
--loadoroutputs: type=dockerare not compatible with multi-arch imagesMakefile. Creating the tag: version-build$DATE is complicated in github actions and we already have that in the Makefileaquasecurity/trivy-action+ dependabot as opposed to running the trivy binary inside the build-base image. This way it is easy to make sure that we are on the latest trivy codegithub/codeql-action/upload-sarif@v3to keep track of themWe need EIO:
GOTCHAS: