1 parent
b86b6fd
commit 37dcfe9
Showing
8 changed files
with
533 additions
and
10 deletions.
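--- /dev/null
+++ b/.github/scripts/retag-and-push.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+set -e
+
+FROM=$1
+TO=$2
+
+echo "Pushing ${TO}"
+docker tag "${FROM}" "${TO}"
+docker push "${TO}"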
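Review bot: With only `set -e`, a missing positional parameter expands to an empty string, so a bad call surfaces as an opaque `docker tag "" ""` failure instead of a usage error; `set -euo pipefail` plus `[ "$#" -eq 2 ] || { echo "usage: $0 FROM TO" >&2; exit 2; }` before the assignments makes the contract explicit. The caller in the workflow (`Push images` step) ends `.github/scripts/retag-and-push.sh\` with the backslash directly after the path; bash removes the backslash-newline pair entirely, so unless the continuation lines carry extra indentation inside the `|` block scalar (which this rendered view does not preserve) the script name and the first argument are joined into one word. Putting a space before each `\` removes the dependence on indentation.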
@@ -0,0 +1,283 @@ | ||
name: Build docker images | ||
on: | ||
push: | ||
# TODO Enable schedule | ||
#schedule: | ||
# At 00:00 every Sunday | ||
#- cron: 0 0 * * 0 | ||
concurrency: | ||
group: docker-${{ github.ref }} | ||
cancel-in-progress: true | ||
jobs: | ||
matrix: | ||
name: Compute build matrix from pypi API | ||
runs-on: ubuntu-latest | ||
outputs: | ||
matrix: ${{ steps.matrix.outputs.matrix }} | ||
steps: | ||
- name: Check out the repo | ||
uses: actions/checkout@v4 | ||
|
||
- uses: actions/setup-go@v5 | ||
with: | ||
go-version-file: './build-matrix/go.mod' | ||
cache-dependency-path: './build-matrix/go.mod' | ||
|
||
- name: Run matrix generator tests | ||
working-directory: build-matrix | ||
run: go test ./ | ||
|
||
# TODO Remove the fake matrix | ||
- id: matrix | ||
working-directory: build-matrix | ||
run: | | ||
MATRIX=$(go run ./) | ||
echo ${MATRIX} | jq | ||
echo 'matrix=[{"ansible":"10.2","additional_tags":["10"]},{"ansible":"10.1","additional_tags":[]}]' >> $GITHUB_OUTPUT | ||
#echo "matrix=${MATRIX}" >> $GITHUB_OUTPUT | ||
build: | ||
needs: [ matrix ] | ||
runs-on: ubuntu-latest | ||
name: Build ansible ${{ matrix.versions.ansible }}-${{ matrix.target }}/${{ matrix.platform }} | ||
permissions: | ||
packages: write | ||
contents: read | ||
strategy: | ||
fail-fast: false | ||
matrix: | ||
target: | ||
- base | ||
- aws | ||
- gcp | ||
platform: | ||
- linux/amd64 | ||
- linux/arm64 | ||
versions: ${{ fromJson(needs.matrix.outputs.matrix) }} | ||
steps: | ||
- name: Check out the repo | ||
uses: actions/checkout@v4 | ||
|
||
- name: Prepare | ||
run: | | ||
platform=${{ matrix.platform }} | ||
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV | ||
- name: Set up QEMU | ||
if: matrix.platform == 'linux/arm64' | ||
uses: docker/setup-qemu-action@v3 | ||
|
||
- name: Set up Docker Buildx | ||
uses: docker/setup-buildx-action@v3 | ||
|
||
- name: Build Docker images | ||
uses: docker/build-push-action@v6 | ||
id: build | ||
with: | ||
pull: true | ||
target: ${{ matrix.target }} | ||
build-args: | | ||
ANSIBLE_VERSION=${{ matrix.versions.ansible }} | ||
platforms: ${{ matrix.platform }} | ||
outputs: type=docker,dest=/tmp/${{ matrix.versions.ansible }}-${{ matrix.target }}-${{ env.PLATFORM_PAIR }}.tar | ||
tags: ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ matrix.target }}-${{ env.PLATFORM_PAIR }}-${{ github.sha }} | ||
|
||
- name: Upload artifact | ||
uses: actions/upload-artifact@v4 | ||
with: | ||
name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-${{ matrix.target }}-${{ env.PLATFORM_PAIR }} | ||
path: /tmp/${{ matrix.versions.ansible }}-${{ matrix.target }}-${{ env.PLATFORM_PAIR }}.tar | ||
retention-days: 1 | ||
if-no-files-found: error | ||
|
||
test: | ||
name: Test image ${{ matrix.versions.ansible }}-${{ matrix.target }}/${{ matrix.platform }} | ||
needs: [ matrix, build ] | ||
runs-on: ubuntu-latest | ||
strategy: | ||
fail-fast: false | ||
matrix: | ||
target: | ||
- base | ||
- aws | ||
- gcp | ||
platform: | ||
- linux/amd64 | ||
versions: ${{ fromJson(needs.matrix.outputs.matrix) }} | ||
steps: | ||
- name: Prepare | ||
run: | | ||
platform=${{ matrix.platform }} | ||
export PLATFORM_PAIR=${platform//\//-} | ||
echo "PLATFORM_PAIR=${PLATFORM_PAIR}" >> $GITHUB_ENV | ||
echo "IMAGE=ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ matrix.target }}-${PLATFORM_PAIR}-${{ github.sha }}" >> $GITHUB_ENV | ||
- name: Download artifact | ||
uses: actions/download-artifact@v4 | ||
with: | ||
name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-${{ matrix.target }}-${{ env.PLATFORM_PAIR }} | ||
path: /tmp | ||
|
||
- name: Load image | ||
run: | | ||
docker load --input /tmp/${{ matrix.versions.ansible }}-${{ matrix.target }}-${{ env.PLATFORM_PAIR }}.tar | ||
docker image ls -a | ||
- name: Test ansible version | ||
run: docker run --rm ${{ env.IMAGE }} ansible-community --version | grep 'Ansible community version ${{ matrix.versions.ansible }}' | ||
|
||
- name: Test aws flavor | ||
if: matrix.target == 'aws' | ||
run: | | ||
docker run --rm ${{ env.IMAGE }} sh -c "python3 -c \"import boto3; print(boto3.__version__)\"" | ||
- name: Test gcp flavor | ||
if: matrix.target == 'gcp' | ||
run: | | ||
docker run --rm ${{ env.IMAGE }} sh -c "python3 -c \"import google.auth; print(google.auth.__version__)\"" | ||
deploy: | ||
name: Push image ${{ matrix.versions.ansible }} | ||
needs: [ matrix, test ] | ||
runs-on: ubuntu-latest | ||
env: | ||
AWS_REGION: "us-east-1" | ||
strategy: | ||
fail-fast: false | ||
matrix: | ||
versions: ${{ fromJson(needs.matrix.outputs.matrix) }} | ||
if: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/feat/ansible_build_matrix' }} # TODO(eliecharra): Remove condition | ||
permissions: | ||
id-token: write | ||
packages: write | ||
contents: read | ||
steps: | ||
- name: Download base/amd64 artifact | ||
uses: actions/download-artifact@v4 | ||
with: | ||
name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-base-linux-amd64 | ||
path: /tmp | ||
|
||
- name: Download gcp/amd64 artifact | ||
uses: actions/download-artifact@v4 | ||
with: | ||
name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-gcp-linux-amd64 | ||
path: /tmp | ||
|
||
- name: Download aws/amd64 artifact | ||
uses: actions/download-artifact@v4 | ||
with: | ||
name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-aws-linux-amd64 | ||
path: /tmp | ||
|
||
- name: Download base/arm64 artifact | ||
uses: actions/download-artifact@v4 | ||
with: | ||
name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-base-linux-arm64 | ||
path: /tmp | ||
|
||
- name: Download gcp/arm64 artifact | ||
uses: actions/download-artifact@v4 | ||
with: | ||
name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-gcp-linux-arm64 | ||
path: /tmp | ||
|
||
- name: Download aws/arm64 artifact | ||
uses: actions/download-artifact@v4 | ||
with: | ||
name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-aws-linux-arm64 | ||
path: /tmp | ||
|
||
- name: Load image | ||
run: | | ||
docker load --input /tmp/${{ matrix.versions.ansible }}-base-linux-amd64.tar | ||
docker load --input /tmp/${{ matrix.versions.ansible }}-gcp-linux-amd64.tar | ||
docker load --input /tmp/${{ matrix.versions.ansible }}-aws-linux-amd64.tar | ||
docker load --input /tmp/${{ matrix.versions.ansible }}-base-linux-arm64.tar | ||
docker load --input /tmp/${{ matrix.versions.ansible }}-gcp-linux-arm64.tar | ||
docker load --input /tmp/${{ matrix.versions.ansible }}-aws-linux-arm64.tar | ||
- name: Configure AWS credentials | ||
uses: aws-actions/configure-aws-credentials@v4 | ||
with: | ||
aws-region: ${{ env.AWS_REGION }} | ||
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} | ||
role-duration-seconds: 900 | ||
|
||
- name: Login to Amazon ECR | ||
run: aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin ${REPOSITORY_PATH} | ||
env: | ||
REPOSITORY_PATH: ${{ secrets.PUBLIC_RUNNER_ANSIBLE_ECR_REPOSITORY_URL }} | ||
|
||
- name: Log in to Github Container registry | ||
uses: docker/login-action@v3 | ||
with: | ||
registry: ghcr.io | ||
username: ${{ github.actor }} | ||
password: ${{ secrets.GITHUB_TOKEN }} | ||
|
||
- name: Push images | ||
env: | ||
ECR_IMAGE: ${{ secrets.PUBLIC_RUNNER_ANSIBLE_ECR_REPOSITORY_URL }}/${{ github.repository }} | ||
run: | | ||
# Push ECR amd64 tags | ||
.github/scripts/retag-and-push.sh\ | ||
ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-base-linux-amd64-${{ github.sha }}\ | ||
${{ env.ECR_IMAGE }}:${{ matrix.versions.ansible }}-linux-amd64 | ||
security: | ||
name: Security scan | ||
needs: [ matrix, deploy ] | ||
runs-on: ubuntu-latest | ||
strategy: | ||
fail-fast: false | ||
matrix: | ||
platform: | ||
- linux/amd64 | ||
- linux/arm64 | ||
versions: ${{ fromJson(needs.matrix.outputs.matrix) }} | ||
steps: | ||
- name: Prepare | ||
run: | | ||
platform=${{ matrix.platform }} | ||
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV | ||
- name: Run Trivy vulnerability scanner for base image | ||
uses: aquasecurity/[email protected] | ||
with: | ||
image-ref: "ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-${{ env.PLATFORM_PAIR }}" | ||
format: "template" | ||
template: "@/contrib/sarif.tpl" | ||
output: "base.sarif" | ||
severity: "CRITICAL,HIGH" | ||
|
||
- name: Run Trivy vulnerability scanner for gcp image | ||
uses: aquasecurity/[email protected] | ||
with: | ||
image-ref: "ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-gcp-${{ env.PLATFORM_PAIR }}" | ||
format: "template" | ||
template: "@/contrib/sarif.tpl" | ||
output: "gcp.sarif" | ||
severity: "CRITICAL,HIGH" | ||
|
||
- name: Run Trivy vulnerability scanner for aws image | ||
uses: aquasecurity/[email protected] | ||
with: | ||
image-ref: "ghcr.io/${{ github.repository }}:${{ matrix.versions.ansible }}-aws-${{ env.PLATFORM_PAIR }}" | ||
format: "template" | ||
template: "@/contrib/sarif.tpl" | ||
output: "aws.sarif" | ||
severity: "CRITICAL,HIGH" | ||
|
||
- name: Upload base image scan results to GitHub Security tab | ||
uses: github/codeql-action/upload-sarif@v3 | ||
with: | ||
sarif_file: "base.sarif" | ||
|
||
- name: Upload gcp image scan results to GitHub Security tab | ||
uses: github/codeql-action/upload-sarif@v3 | ||
with: | ||
sarif_file: "gcp.sarif" | ||
|
||
- name: Upload aws image scan results to GitHub Security tab | ||
uses: github/codeql-action/upload-sarif@v3 | ||
with: | ||
sarif_file: "aws.sarif" |
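Review bot: The `security` job scans `ghcr.io/${{ github.repository }}:<version>-<platform>` tags that nothing in this workflow pushes — `build` only writes the image to a tar via `outputs: type=docker,dest=…` and `deploy` only retags the amd64 base image into ECR — and it is ordered after `deploy`, so even when it works the Trivy results cannot gate what gets published. Run the scan before `deploy` (`needs: [ matrix, test, security ]` on the deploy job) against the downloaded artifact via trivy-action's `input:` instead of `image-ref:`, as sketched below for the base image; the gcp/aws steps follow the same substitution, and the `[email protected]` reference in this view is a rendering artefact of the real `aquasecurity/trivy-action@…` pin. Separately, `matrix.versions.ansible` originates from the pypi API (`go run ./` in the `matrix` job) and is expanded by `${{ }}` straight into shell text in the `Prepare`, `Load image`, `Test ansible version` and `Push images` steps; unless the generator rejects anything but a strict `N.N` version, pass it through `env:` and reference `"$ANSIBLE_VERSION"` so a malformed version string cannot become shell syntax. The third-party actions are referenced by mutable tags (`@v3`…`@v6`) in jobs holding `id-token: write` and `packages: write`; pinning them to commit SHAs is the usual supply-chain mitigation for that privilege level.
```yaml
    steps:
      - name: Prepare
        run: |
          platform=${{ matrix.platform }}
          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
      - name: Download base artifact
        uses: actions/download-artifact@v4
        with:
          name: ansible-runner-${{ github.sha }}-${{ matrix.versions.ansible }}-base-${{ env.PLATFORM_PAIR }}
          path: /tmp
      - name: Run Trivy vulnerability scanner for base image
        uses: aquasecurity/trivy-action@<pinned ref>   # placeholder: use the version the commit pins
        with:
          input: /tmp/${{ matrix.versions.ansible }}-base-${{ env.PLATFORM_PAIR }}.tar
          format: "template"
          template: "@/contrib/sarif.tpl"
          output: "base.sarif"
          severity: "CRITICAL,HIGH"
          exit-code: "1"
      # … unchanged: gcp/aws scan steps (same input: substitution) and the upload-sarif steps, which need `if: always()` once exit-code is set …
```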
@@ -0,0 +1,24 @@ | ||
FROM python:3.12-alpine AS ansible | ||
ARG ANSIBLE_VERSION=10.0 | ||
RUN apk -U upgrade --available &&\ | ||
# Required to install ansible pip package, bear in mind to remove those build deps at the end of this RUN directive | ||
apk add --no-cache gcc musl-dev libffi-dev openssl-dev &&\ | ||
# Add here package mandatory to be able to run ansible | ||
apk add --no-cache openssh-client ca-certificates&&\ | ||
pip install --no-cache-dir --upgrade pip &&\ | ||
pip install --no-cache-dir ansible==${ANSIBLE_VERSION}.* ansible-runner~=2.4 &&\ | ||
# Cleanup package manager cache and remove build deps | ||
rm -rf /var/cache/apk/* &&\ | ||
pip cache purge &&\ | ||
apk del gcc musl-dev gcc musl-dev libffi-dev openssl-dev | ||
|
||
FROM ansible AS base | ||
USER 1983 | ||
|
||
FROM ansible AS gcp | ||
RUN pip install --no-cache-dir requests==2.* google-auth==2.* | ||
USER 1983 | ||
|
||
FROM ansible AS aws | ||
RUN pip install --no-cache-dir boto3==1.* | ||
USER 1983 |
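Review bot: Every Python dependency in the `ansible`, `gcp` and `aws` stages floats (`ansible==${ANSIBLE_VERSION}.*`, `ansible-runner~=2.4`, `requests==2.*`, `google-auth==2.*`, `boto3==1.*`) and the base is the moving `python:3.12-alpine` tag, so two builds of the same commit can differ and a bad upstream release is picked up silently; pinning exact versions with `pip install --require-hashes -r requirements.txt` and the base image by digest makes the build reproducible and ties the workflow's Trivy results to a specific commit. The `apk del` list at the end of the first `RUN` repeats `gcc musl-dev` twice — harmless, but `apk del gcc musl-dev libffi-dev openssl-dev` says what is meant — and `rm -rf /var/cache/apk/*` is redundant once every `apk add` uses `--no-cache`. `USER 1983` has no matching account or home directory anywhere on the page; if ansible needs a writable `$HOME` at runtime this presumably needs an `ENV HOME=…` or an explicit `adduser`, worth confirming against the runner's behaviour.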
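--- /dev/null
+++ b/build-matrix/go.mod
@@ -0,0 +1,11 @@
+module github.com/spacelift-io/build-matrix
+
+go 1.22.1
+
+require (
+github.com/Masterminds/semver/v3 v3.2.1 // indirect
+github.com/davecgh/go-spew v1.1.1 // indirect
+github.com/pmezard/go-difflib v1.0.0 // indirect
+github.com/stretchr/testify v1.9.0 // indirect
+gopkg.in/yaml.v3 v3.0.1 // indirect
+)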
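Review bot: Every `require` is marked `// indirect`, including `github.com/Masterminds/semver/v3` and `github.com/stretchr/testify`, which the `go test ./` run in `build-matrix` presumably imports directly (the Go sources are not on this page); running `go mod tidy` would drop the markers and keep the file honest about which modules are direct dependencies of the matrix generator.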
@@ -0,0 +1,11 @@ | ||
github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0= | ||
github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ= | ||
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= | ||
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= | ||
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= | ||
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= | ||
github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= | ||
github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= | ||
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= | ||
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= | ||
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= |