Misc GitHub action fixes (#75)

* use correct branch name for dev target * use short name for --variables since the go-sqlcmd util used by sql-action inteprets --variables as a filename input to the -i flag * go mod tidy to cleanup go.mod and go.sum * install snyk cli for arm and amd * change name of pr action
equinor · Aug 1, 2024 · bfaf2c4 · bfaf2c4
1 parent a238c92
commit bfaf2c4
Show file tree

Hide file tree

Showing 7 changed files with 27 additions and 32 deletions.
diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml
@@ -17,7 +17,7 @@ jobs:
       matrix:
         target:
         - name: "dev"
-          ref: "refs/heads/master"
+          ref: "refs/heads/main"
           acr-name: "radixdev"
           client-id: "2bfe6984-f5e3-4d09-a0b2-4dd96de3f21e"
           subscription-id: "16ede44b-1f74-40a5-b428-46cca9a5741b"

diff --git a/.github/workflows/deploy-database.yml b/.github/workflows/deploy-database.yml
@@ -67,7 +67,7 @@ jobs:
         with:
           connection-string: ${{env.connection}}
           path: './azure-infrastructure/sql-scripts/roles.sql'
-          arguments: '--variables RADIX_ZONE=${{matrix.target.name}}'
+          arguments: '-v RADIX_ZONE=${{matrix.target.name}}'
 
 
       - uses: azure/sql-action@v2.3

diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -1,4 +1,4 @@
-name: radix-acr-cleanup-pr
+name: radix-vulnerability-scanner-pr
 on:
   pull_request:
     branches:

diff --git a/Dockerfile b/Dockerfile
@@ -1,35 +1,28 @@
-FROM docker.io/golang:1.22.5-alpine3.20 AS builder
-
-ENV CGO_ENABLED=0 \
-    GOOS=linux
-
+# Build stage
+FROM --platform=$BUILDPLATFORM docker.io/golang:1.22.5-alpine3.20 AS builder
+ARG TARGETARCH
 WORKDIR /src
-
-# Install project dependencies
+ENV CGO_ENABLED=0 \
+    GOOS=linux \
+    GOARCH=${TARGETARCH}
 COPY ./go.mod ./go.sum ./
 RUN go mod download
-
-# Copy project code
 COPY . .
-
-# Build
 RUN go build -ldflags="-s -w" -o /build/radix-vulnerability-scanner
 
-# Install SNYK
-FROM alpine:3 as tools
-ADD https://github.com/snyk/cli/releases/download/v1.1292.1/snyk-linux-arm64 /
-RUN chmod +x /snyk-linux-arm64
+# SNYK cli
+FROM --platform=$BUILDPLATFORM docker.io/alpine:3.20 AS tools
+ARG TARGETARCH
+RUN snykVersion=v1.1292.1 snykBinary=snyk-linux && \
+    if [ "${TARGETARCH}" = "arm64" ]; then snykBinary=snyk-linux-arm64; fi && \
+    wget -O /snyk -q https://github.com/snyk/cli/releases/download/${snykVersion}/${snykBinary}
 
-# Run scanner
-FROM alpine:3
-RUN apk update && \
-    apk add ca-certificates libstdc++
+# Final stage
+FROM docker.io/ubuntu:24.04
 WORKDIR /app
+RUN usermod --home /home/radix-vulnerability-scanner ubuntu
 COPY --from=builder /build/radix-vulnerability-scanner .
-COPY --from=tools /snyk-linux-arm64 /usr/local/bin/snyk
-RUN addgroup -S -g 1000 radix-vulnerability-scanner
-RUN adduser -S -u 1000 -G radix-vulnerability-scanner radix-vulnerability-scanner
-
+COPY --from=tools --chmod=755 /snyk /usr/local/bin/snyk
+COPY --from=gcr.io/distroless/static /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 USER 1000
-
 ENTRYPOINT ["/app/radix-vulnerability-scanner"]
diff --git a/Makefile b/Makefile
@@ -8,10 +8,15 @@ build:
 	docker build -t $(IMAGE_NAME) .
 
 .PHONY: push
-push:
+push: build
 	az acr login -n $(DOCKER_REGISTRY)
 	docker push $(IMAGE_NAME)
 
+.PHONY: pushmultiplatform
+pushmultiplatform:
+	az acr login -n $(DOCKER_REGISTRY)
+	docker buildx build --platform=linux/amd64,linux/arm64 -t $(IMAGE_NAME) --push .
+
 .PHONY: test
 test:
 	go test -cover `go list ./... | grep -v 'pkg/client'`

diff --git a/go.mod b/go.mod
@@ -7,7 +7,7 @@ toolchain go1.22.5
 require (
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0
-	github.com/containerd/containerd v1.7.20
+	github.com/distribution/reference v0.6.0
 	github.com/equinor/radix-common v1.9.3
 	github.com/equinor/radix-operator v1.57.1
 	github.com/golang-jwt/jwt/v5 v5.2.1
@@ -36,7 +36,6 @@ require (
 	github.com/cert-manager/cert-manager v1.14.2 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/distribution/reference v0.6.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.2 // indirect
 	github.com/evanphx/json-patch v5.8.1+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.9.0 // indirect

diff --git a/go.sum b/go.sum
@@ -31,8 +31,6 @@ github.com/cert-manager/cert-manager v1.14.2 h1:C/uci6yxiCRO04PWomBbSX+T4JT58FII
 github.com/cert-manager/cert-manager v1.14.2/go.mod h1:pik7K6jXfgh++lfVJ/i1HzEnDluSUtTVLXSHikj8Lho=
 github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
 github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/containerd/containerd v1.7.20 h1:Sl6jQYk3TRavaU83h66QMbI2Nqg9Jm6qzwX57Vsn1SQ=
-github.com/containerd/containerd v1.7.20/go.mod h1:52GsS5CwquuqPuLncsXwG0t2CiUce+KsNHJZQJvAgR0=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=