Migrate neco-admission to ghcr.io

Signed-off-by: Daichi Sakaue <[email protected]>
cybozu · Dec 21, 2023 · 42082dc · 42082dc
1 parent 4efc11a
commit 42082dc
Show file tree

Hide file tree

Showing 8 changed files with 189 additions and 51 deletions.
diff --git a/.github/actions/build_admission/action.yaml b/.github/actions/build_admission/action.yaml
@@ -0,0 +1,52 @@
+name: "Build admission"
+description: "Build admission"
+inputs:
+  github_token:
+    description: "GitHub Token"
+    required: true
+runs:
+  using: composite
+  steps:
+    - name: Setup build environment
+      uses: ./.github/actions/setup
+      with:
+        github_token: ${{ inputs.github_token }}
+        go-version-file: admission/go.mod
+    - id: extract
+      name: Extract targets
+      uses: ./.github/actions/extract_tags
+      with:
+        container-image: admission
+        github_token: ${{ inputs.github_token }}
+    # - name: Run check-generate
+    #   if: ${{ steps.extract.outputs.build }}
+    #   shell: bash
+    #   run: make check-generate
+    #   working-directory: admission
+    # - name: Test
+    #   if: ${{ steps.extract.outputs.build }}
+    #   uses: docker/build-push-action@v5
+    #   with:
+    #     context: admission
+    #     platforms: "linux/amd64"
+    #     target: test
+    #     provenance: false
+    #     push: false
+    - name: Test
+      if: ${{ steps.extract.outputs.build }}
+      shell: bash
+      run: |
+        make check-generate
+        make test
+      working-directory: admission
+    - name: Build and push
+      if: ${{ steps.extract.outputs.build }}
+      uses: docker/build-push-action@v5
+      with:
+        context: admission
+        platforms: "linux/amd64"
+        provenance: false
+        push: ${{ steps.extract.outputs.docker_push }}
+        tags: |
+          ${{ steps.extract.outputs.tag }}
+          ${{ steps.extract.outputs.branch }}
diff --git a/.github/actions/build_push/action.yaml b/.github/actions/build_push/action.yaml
@@ -18,13 +18,11 @@ inputs:
   enable_arm64:
     description: "Add arm64 to container image platform"
     required: false
-    type: boolean
-    default: false
+    default: "false"
   make_test:
     description: "Run make test before building docker image"
     required: false
-    type: boolean
-    default: false
+    default: "false"
   scan:
     description: "Enable image scanning"
     required: false
@@ -39,37 +37,15 @@ runs:
   steps:
     - name: Checkout
       uses: actions/checkout@v4
-    - name: Extract targets
-      shell: bash
-      run: |
-        dir=${{ inputs.dir }}
-        if [ "$dir" = "" ]; then dir=${{ inputs.container-image }} ; fi
-        image=${{ inputs.container-image }}
-        TAG=$(cat ${dir}/TAG)
-        c=$(container-tag-exists ghcr.io/cybozu/$image $TAG)
-        # The stdout should be either "" or "found".
-        if [ "$c" = "" ]; then
-            echo "BUILDS_TAG=ghcr.io/cybozu/$image:$TAG" >> $GITHUB_ENV
-
-            if [ -f $dir/BRANCH ]; then
-              if echo $TAG | grep -q -e - ; then
-                echo ===== Skip pushing branch tags for pre-release $TAG =====
-              else
-                BRANCH=$(cat $dir/BRANCH)
-                echo "BUILDS_BRANCH=ghcr.io/cybozu/$image:$BRANCH" >> $GITHUB_ENV
-              fi
-            fi
-        fi
-      env:
-        GITHUB_TOKEN: ${{ inputs.github_token }}
-    - name: Validate consistency between BRANCH and TAG
-      shell: bash
-      run: |
-        dir=${{ inputs.dir }}
-        if [ "$dir" = "" ]; then dir=${{ inputs.container-image }} ; fi
-        if [ -e "$dir/NO_TAG_BRANCH_CONSISTENCY" ]; then exit 0; fi
-        ./tag_branch_consistency $dir
+    - id: extract
+      name: Extract targets
+      uses: ./.github/actions/extract_tags
+      with:
+        dir: ${{ inputs.dir }}
+        container-image: ${{ inputs.container-image }}
+        github_token: ${{ inputs.github_token }}
     - name: Set container build platform
+      if: ${{ steps.extract.outputs.build }}
       shell: bash
       run: |
         enable_arm64=${{ inputs.enable_arm64 }}
@@ -79,40 +55,40 @@ runs:
           echo "PLATFORM=linux/amd64" >> $GITHUB_ENV
         fi
     - name: Make test
-      if: inputs.make_test && env.BUILDS_TAG != null
+      if: ${{ inputs.make_test == 'true' && steps.extract.outputs.build }}
       shell: bash
       run: |
         make -C ${{ inputs.dir }} test
     - name: Build and push
-      if: env.BUILDS_TAG != null
+      if: ${{ steps.extract.outputs.build }}
       uses: docker/build-push-action@v5
       with:
         context: ${{ inputs.dir }}
         platforms: ${{ env.PLATFORM }}
         provenance: false
-        push: ${{ github.event_name != 'pull_request' }}
+        push: ${{ steps.extract.outputs.docker_push }}
         tags: |
-          ${{ env.BUILDS_TAG }}
-          ${{ env.BUILDS_BRANCH }}
+          ${{ steps.extract.outputs.tag }}
+          ${{ steps.extract.outputs.branch }}
         target: ${{ inputs.target }}
     - name: Install Trivy
-      if: inputs.scan == 'true' && env.BUILDS_TAG != null && github.event_name != 'pull_request'
+      if: ${{ inputs.scan == 'true' && steps.extract.outputs.push }}
       shell: bash
       run: |
         curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
     - name: Scan images
-      if: inputs.scan == 'true' && env.BUILDS_TAG != null && github.event_name != 'pull_request'
+      if: ${{ inputs.scan == 'true' && steps.extract.outputs.push }}
       shell: bash
       env:
         YAMORY_ACCESS_TOKEN: ${{ inputs.yamory_token }}
       run: |
         echo
-        echo "scanning $BUILDS_TAG ..."
-        if [[ $BUILDS_TAG == "ghcr.io/cybozu/golang:"* ]]; then
+        echo "scanning $${{ steps.extract.outputs.tag }} ..."
+        if [[ $${{ steps.extract.outputs.tag }} == "ghcr.io/cybozu/golang:"* ]]; then
           dir=${{ inputs.dir }}
           BRANCH=$(cat $dir/BRANCH)
           image=${{ inputs.container-image }}:$BRANCH
         else
           image=${{ inputs.container-image }}
         fi
-        YAMORY_IMAGE_IDENTIFIER="ghcr.io/cybozu/$image" YAMORY_IMAGE_NAME="$BUILDS_TAG" bash -c "$(curl -sSf -L https://mw-receiver.yamory.io/image/script/trivy)"
+        YAMORY_IMAGE_IDENTIFIER="ghcr.io/cybozu/$image" YAMORY_IMAGE_NAME="$${{ steps.extract.outputs.tag }}" bash -c "$(curl -sSf -L https://mw-receiver.yamory.io/image/script/trivy)"
diff --git a/.github/actions/extract_tags/action.yaml b/.github/actions/extract_tags/action.yaml
@@ -0,0 +1,96 @@
+name: "Extract tags"
+description: "Extract tags to use for the new image"
+inputs:
+  dir:
+    description: "working directory"
+    required: false
+    default: ""
+  container-image:
+    description: "container image"
+    required: true
+  github_token:
+    description: "GitHub Token"
+    required: true
+outputs:
+  branch:
+    description: "branch"
+    value: ${{ steps.extract.outputs.branch }}
+  tag:
+    description: "tag"
+    value: ${{ steps.extract.outputs.tag }}
+  build:
+    description: "build is needed (true or '')"
+    value: ${{ steps.flags.outputs.build }}
+  push:
+    description: "push is needed (true or '')"
+    value: ${{ steps.flags.outputs.push }}
+  # docker/build-push-action does not accept '' as its push flag
+  docker_push:
+    description: "push is needed (true or false)"
+    value: ${{ steps.flags.outputs.docker_push }}
+
+runs:
+  using: composite
+  steps:
+    - id: extract
+      name: Extract targets
+      shell: bash
+      run: |
+        DIR=${{ inputs.dir }}
+        if [ "${DIR}" = "" ]; then DIR=${{ inputs.container-image }}; fi
+        IMAGE=${{ inputs.container-image }}
+        TAG=$(cat ${DIR}/TAG)
+        FOUND=$(container-tag-exists ghcr.io/cybozu/${IMAGE} ${TAG})
+        # The stdout should be either "" or "found".
+        if [ "${FOUND}" = "" ]; then
+          echo "tag=ghcr.io/cybozu/${IMAGE}:${TAG}" >> $GITHUB_OUTPUT
+
+          if [ -f ${DIR}/BRANCH ]; then
+            if echo ${TAG} | grep -q -e - ; then
+              echo ===== Skip pushing branch tags for pre-release ${TAG} =====
+            else
+              BRANCH=$(cat ${DIR}/BRANCH)
+              echo "branch=ghcr.io/cybozu/${IMAGE}:${BRANCH}" >> $GITHUB_OUTPUT
+            fi
+          fi
+        fi
+      env:
+        GITHUB_TOKEN: ${{ inputs.github_token }}
+    - id: flags
+      name: Decide build flags
+      shell: bash
+      run: |
+        if ! [ -z "${{ steps.extract.outputs.tag }}" ]; then
+          echo "build=true" >> $GITHUB_OUTPUT
+          if [ "${EVENT_NAME}" != "pull_request" ]; then
+            echo "push=true" >> $GITHUB_OUTPUT
+            echo "docker_push=true" >> $GITHUB_OUTPUT
+          else
+            echo "docker_push=false" >> $GITHUB_OUTPUT
+          fi
+        else
+          echo "docker_push=false" >> $GITHUB_OUTPUT
+        fi
+      env:
+        EVENT_NAME: ${{ github.event_name }}
+    - name: Validate consistency between BRANCH and TAG
+      shell: bash
+      run: |
+        DIR=${{ inputs.dir }}
+        if [ "${DIR}" = "" ]; then DIR=${{ inputs.container-image }}; fi
+        if [ -e "${DIR}/NO_TAG_BRANCH_CONSISTENCY" ]; then exit 0; fi
+        ./tag_branch_consistency ${DIR}
+    - name: Echo output
+      shell: bash
+      run: |
+        echo
+        echo "vvvvvvvvvv vvvvvvvvvv vvvvvvvvvv vvvvvvvvvv vvvvvvvvvv vvvvvvvvvv"
+        echo "    Build Policy:"
+        echo
+        echo "         branch: ${{ steps.extract.outputs.branch }}"
+        echo "            tag: ${{ steps.extract.outputs.tag }}"
+        echo "          build: ${{ steps.flags.outputs.build }}"
+        echo "           push: ${{ steps.flags.outputs.push }}"
+        echo "    docker_push: ${{ steps.flags.outputs.docker_push }}"
+        echo ^^^^^^^^^^ ^^^^^^^^^^ ^^^^^^^^^^ ^^^^^^^^^^ ^^^^^^^^^^ ^^^^^^^^^^
+        echo
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -183,3 +183,12 @@ jobs:
           enable_arm64: ${{ matrix.job.enable_arm64 }}
           make_test: ${{ matrix.job.make_test }}
           scan: ${{ matrix.job.scan }}
+
+  build_admission:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+      - name: Build container image
+        uses: ./.github/actions/build_admission
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/admission/.dockerignore b/admission/.dockerignore
@@ -1,2 +1,2 @@
-*
-!workspace
+bin
+*.md
diff --git a/admission/Dockerfile b/admission/Dockerfile
@@ -1,7 +1,12 @@
-FROM scratch
+FROM quay.io/cybozu/golang:1.20-jammy AS test
+COPY . /work
+RUN make test
 
-COPY workspace/neco-admission /neco-admission
+FROM quay.io/cybozu/golang:1.20-jammy AS build
+COPY . /work
+RUN make build
 
+FROM scratch
+COPY --from=build /work/bin/neco-admission /neco-admission
 USER 10000:10000
-
 ENTRYPOINT ["/neco-admission"]
diff --git a/admission/TAG b/admission/TAG
@@ -1 +1 @@
-0.24.2
+0.24.3
diff --git a/bmc-reverse-proxy/TAG b/bmc-reverse-proxy/TAG
@@ -1 +1 @@
-0.1.24
+0.1.25