From bfaf2c4e1c13a306043176440668a3b589df34ba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nils=20Gustav=20Str=C3=A5b=C3=B8?= <65334626+nilsgstrabo@users.noreply.github.com> Date: Thu, 1 Aug 2024 13:11:28 +0200 Subject: [PATCH] Misc GitHub action fixes (#75) * use correct branch name for dev target * use short name for --variables since the go-sqlcmd util used by sql-action inteprets --variables as a filename input to the -i flag * go mod tidy to cleanup go.mod and go.sum * install snyk cli for arm and amd * change name of pr action --- .github/workflows/build-push.yml | 2 +- .github/workflows/deploy-database.yml | 2 +- .github/workflows/pr.yml | 2 +- Dockerfile | 41 +++++++++++---------------- Makefile | 7 ++++- go.mod | 3 +- go.sum | 2 -- 7 files changed, 27 insertions(+), 32 deletions(-) diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml index f889150..da03e90 100644 --- a/.github/workflows/build-push.yml +++ b/.github/workflows/build-push.yml @@ -17,7 +17,7 @@ jobs: matrix: target: - name: "dev" - ref: "refs/heads/master" + ref: "refs/heads/main" acr-name: "radixdev" client-id: "2bfe6984-f5e3-4d09-a0b2-4dd96de3f21e" subscription-id: "16ede44b-1f74-40a5-b428-46cca9a5741b" diff --git a/.github/workflows/deploy-database.yml b/.github/workflows/deploy-database.yml index 118c86d..686b7f4 100644 --- a/.github/workflows/deploy-database.yml +++ b/.github/workflows/deploy-database.yml @@ -67,7 +67,7 @@ jobs: with: connection-string: ${{env.connection}} path: './azure-infrastructure/sql-scripts/roles.sql' - arguments: '--variables RADIX_ZONE=${{matrix.target.name}}' + arguments: '-v RADIX_ZONE=${{matrix.target.name}}' - uses: azure/sql-action@v2.3 diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 4614aa7..5f4a4a9 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -1,4 +1,4 @@ -name: radix-acr-cleanup-pr +name: radix-vulnerability-scanner-pr on: pull_request: branches: 
diff --git a/Dockerfile b/Dockerfile
index dd661b8..09b9cfe 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,35 +1,28 @@
-FROM docker.io/golang:1.22.5-alpine3.20 AS builder
-
-ENV CGO_ENABLED=0 \
- GOOS=linux
-
+# Build stage
+FROM --platform=$BUILDPLATFORM docker.io/golang:1.22.5-alpine3.20 AS builder
+ARG TARGETARCH
 WORKDIR /src
-
-# Install project dependencies
+ENV CGO_ENABLED=0 \
+ GOOS=linux \
+ GOARCH=${TARGETARCH}
 COPY ./go.mod ./go.sum ./
 RUN go mod download
-
-# Copy project code
 COPY . .
-
-# Build
 RUN go build -ldflags="-s -w" -o /build/radix-vulnerability-scanner
-# Install SNYK
-FROM alpine:3 as tools
-ADD https://github.com/snyk/cli/releases/download/v1.1292.1/snyk-linux-arm64 /
-RUN chmod +x /snyk-linux-arm64
+# SNYK cli
+FROM --platform=$BUILDPLATFORM docker.io/alpine:3.20 AS tools
+ARG TARGETARCH
+RUN snykVersion=v1.1292.1 snykBinary=snyk-linux && \
+ if [ "${TARGETARCH}" = "arm64" ]; then snykBinary=snyk-linux-arm64; fi && \
+ wget -O /snyk -q https://github.com/snyk/cli/releases/download/${snykVersion}/${snykBinary}
-# Run scanner
-FROM alpine:3
-RUN apk update && \
- apk add ca-certificates libstdc++
+# Final stage
+FROM docker.io/ubuntu:24.04
 WORKDIR /app
+RUN usermod --home /home/radix-vulnerability-scanner ubuntu
 COPY --from=builder /build/radix-vulnerability-scanner .
-COPY --from=tools /snyk-linux-arm64 /usr/local/bin/snyk
-RUN addgroup -S -g 1000 radix-vulnerability-scanner
-RUN adduser -S -u 1000 -G radix-vulnerability-scanner radix-vulnerability-scanner
-
+COPY --from=tools --chmod=755 /snyk /usr/local/bin/snyk
+COPY --from=gcr.io/distroless/static /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 USER 1000
-
 ENTRYPOINT ["/app/radix-vulnerability-scanner"]
diff --git a/Makefile b/Makefile
index 6503860..e900393 100644
--- a/Makefile
+++ b/Makefile
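Review bot: The Snyk CLI fetched in the new `tools` stage is never integrity-checked: the `wget -O /snyk` line downloads the release asset over the network and the final stage copies it straight to `/usr/local/bin/snyk`, so a swapped or tampered asset for `snykVersion` would ship unnoticed (the old `ADD` had the same gap, but this rewrite is the place to close it). Pin the expected digest next to `snykVersion`, one per architecture chosen in the same `if` that picks `snykBinary`, and verify before the stage ends, e.g. append `&& echo "<EXPECTED_SHA256 for ${snykBinary}>  /snyk" | sha256sum -c -`. Separately, `RUN usermod --home /home/radix-vulnerability-scanner ubuntu` changes the home path without `-m` or a `mkdir`, so `$HOME` for UID 1000 points at a directory that does not exist; if the scanner or `snyk` writes state under `$HOME` at runtime this will presumably fail, so create it with something like `install -d -o 1000 -g 1000 /home/radix-vulnerability-scanner` (or use `usermod -m` if `/home/ubuntu` exists in the base image). The CA bundle is copied from `gcr.io/distroless/static` with no tag or digest, which floats between builds; since the final base is now `ubuntu:24.04` this could instead be installed with `apt-get install -y --no-install-recommends ca-certificates` or taken from a digest-pinned reference.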
@@ -8,10 +8,15 @@ build:
 docker build -t $(IMAGE_NAME) .
 .PHONY: push
-push:
+push: build
 az acr login -n $(DOCKER_REGISTRY)
 docker push $(IMAGE_NAME)
+.PHONY: pushmultiplatform
+pushmultiplatform:
+ az acr login -n $(DOCKER_REGISTRY)
+ docker buildx build --platform=linux/amd64,linux/arm64 -t $(IMAGE_NAME) --push .
+
 .PHONY: test
 test:
 go test -cover `go list ./... | grep -v 'pkg/client'`
diff --git a/go.mod b/go.mod
index 58556c1..90cd3b1 100644
--- a/go.mod
+++ b/go.mod
@@ -7,7 +7,7 @@ toolchain go1.22.5
 require (
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0
- github.com/containerd/containerd v1.7.20
+ github.com/distribution/reference v0.6.0
 github.com/equinor/radix-common v1.9.3
 github.com/equinor/radix-operator v1.57.1
 github.com/golang-jwt/jwt/v5 v5.2.1
@@ -36,7 +36,6 @@ require (
 github.com/cert-manager/cert-manager v1.14.2 // indirect
 github.com/cespare/xxhash/v2 v2.2.0 // indirect
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
- github.com/distribution/reference v0.6.0 // indirect
 github.com/emicklei/go-restful/v3 v3.11.2 // indirect
 github.com/evanphx/json-patch v5.8.1+incompatible // indirect
 github.com/evanphx/json-patch/v5 v5.9.0 // indirect
diff --git a/go.sum b/go.sum
index 11711f9..c62adac 100644
--- a/go.sum
+++ b/go.sum
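Review bot: The new `pushmultiplatform` target runs `docker buildx build --platform=linux/amd64,linux/arm64 ... --push`, which only succeeds when the active buildx builder can emit multi-platform output; with the default `docker` driver this typically fails, so either select a builder on the line itself (`--builder <BUILDER_NAME>`) or state the prerequisite in a comment above the target, such as `# multi-arch build; needs a docker-container buildx builder (docker buildx create --use)`. It also logs in before building instead of depending on `build` as `push` now does, which is reasonable because buildx builds and pushes in one step, but a one-line comment saying so would make the asymmetry between the two targets look intentional rather than accidental.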
@@ -31,8 +31,6 @@ github.com/cert-manager/cert-manager v1.14.2 h1:C/uci6yxiCRO04PWomBbSX+T4JT58FII
 github.com/cert-manager/cert-manager v1.14.2/go.mod h1:pik7K6jXfgh++lfVJ/i1HzEnDluSUtTVLXSHikj8Lho=
 github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
 github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/containerd/containerd v1.7.20 h1:Sl6jQYk3TRavaU83h66QMbI2Nqg9Jm6qzwX57Vsn1SQ=
-github.com/containerd/containerd v1.7.20/go.mod h1:52GsS5CwquuqPuLncsXwG0t2CiUce+KsNHJZQJvAgR0=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=