diff --git a/.github/workflows/build-binary.yml b/.github/workflows/build-binary.yml index ecd713c..47e237b 100644 --- a/.github/workflows/build-binary.yml +++ b/.github/workflows/build-binary.yml @@ -2,21 +2,21 @@ name: Build Binary on: { push: { branches-ignore: [main, production] } } +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} + cancel-in-progress: true + jobs: - preprod-agent-deployment: - name: Build and upload agent + build-binary: + name: Build binary runs-on: ubuntu-latest container: golang:1.20 - env: - BASE_NAME: spacelift-vcs-agent - BIN_DIR: build - steps: - name: Check out repository code uses: actions/checkout@v4 - - name: Mark source directory as safe. # This is some duct tape over the git version in the Go image complaining about this since one of the 1.19.x versions. Feel free to remove once it doesn't break the build anymore. See https://github.com/actions/runner/issues/2033 and https://github.com/actions/checkout/issues/760#issuecomment-1097797031 + - name: Mark source directory as safe. run: git config --global --add safe.directory $GITHUB_WORKSPACE - name: parse short SHA @@ -24,9 +24,11 @@ jobs: run: | echo ::set-output name=sha::$(git rev-parse --short=8 ${{ github.sha }}) - - name: Build Spacelift VCS Agent - run: go build -a -tags netgo -ldflags "-s -w -extldflags '-static' -X main.VERSION=$SHORT_SHA -X main.BugsnagAPIKey=$BUGSNAG_API_KEY" -trimpath -o $BIN_DIR/$BASE_NAME ./cmd/spacelift-vcs-agent + - name: Run GoReleaser + uses: goreleaser/goreleaser-action@v5 + with: + version: latest + args: release --snapshot env: BUGSNAG_API_KEY: ${{ secrets.PREPROD_BUGSNAG_API_KEY }} - CGO_ENABLED: 0 SHORT_SHA: ${{ steps.vars.outputs.sha }} diff --git a/.github/workflows/preprod-deployment.yml b/.github/workflows/preprod-deployment.yml index 97c8dd5..376ef6a 100644 --- a/.github/workflows/preprod-deployment.yml +++ b/.github/workflows/preprod-deployment.yml 
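Review bot: The new `concurrency.group` never coalesces anything in this workflow, because it only fires on `push` and `github.head_ref` is populated only for `pull_request` events, so the group degrades to `${{ github.workflow }}-${{ github.run_id }}` — unique per run — and `cancel-in-progress: true` has nothing to cancel. Use the ref instead: `group: ${{ github.workflow }}-${{ github.ref }}`. The same expression is copied into preprod-deployment.yml in this commit and is a no-op there for the same reason.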
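Review bot: The new GoReleaser step runs with `version: latest`, so the tool that produces the binary changes underneath every build with no review and no reproducibility; pin it to a specific release (a `~> v1` constraint at minimum) and keep the three workflows that now invoke it on the same version. `goreleaser/goreleaser-action@v5` is a mutable tag as well; pinning release-path actions to a commit SHA with the version in a trailing comment is the usual supply-chain hardening. Note that `BUGSNAG_API_KEY` is still linked into the binary through the ldflags in .goreleaser.yaml, exactly as the old `go build` did, so that value continues to ship inside every snapshot built from a feature branch.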
@@ -1,20 +1,16 @@ name: Preprod deployment -on: - push: - branches: - - main +on: [push] + +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} + cancel-in-progress: true jobs: preprod-agent-deployment: name: Build and upload agent runs-on: ubuntu-latest - outputs: - deployment_id: ${{ steps.deployment.outputs.deployment_id }} container: golang:1.20 - env: - BASE_NAME: spacelift-vcs-agent - BIN_DIR: build permissions: id-token: write contents: read @@ -24,28 +20,21 @@ jobs: - name: Check out repository code uses: actions/checkout@v4 - - name: Mark source directory as safe. # This is some duct tape over the git version in the Go image complaining about this since one of the 1.19.x versions. Feel free to remove once it doesn't break the build anymore. See https://github.com/actions/runner/issues/2033 and https://github.com/actions/checkout/issues/760#issuecomment-1097797031 + - name: Mark source directory as safe. run: git config --global --add safe.directory $GITHUB_WORKSPACE - - uses: chrnorm/deployment-action@releases/v1 - name: Create GitHub deployment - if: ${{ github.ref == 'refs/heads/main' }} - id: deployment - with: - token: "${{ github.token }}" - target_url: https://downloads.spacelift.dev/spacelift-vcs-agent - environment: preprod/vcs-agent - - name: parse short SHA id: vars run: | echo ::set-output name=sha::$(git rev-parse --short=8 ${{ github.sha }}) - - name: Build Spacelift VCS Agent - run: go build -a -tags netgo -ldflags "-s -w -extldflags '-static' -X main.VERSION=$SHORT_SHA -X main.BugsnagAPIKey=$BUGSNAG_API_KEY" -trimpath -o $BIN_DIR/$BASE_NAME ./cmd/spacelift-vcs-agent + - name: Run GoReleaser + uses: goreleaser/goreleaser-action@v5 + with: + version: latest + args: release --snapshot=${{ github.ref != 'refs/heads/main' }} env: BUGSNAG_API_KEY: ${{ secrets.PREPROD_BUGSNAG_API_KEY }} - CGO_ENABLED: 0 SHORT_SHA: ${{ steps.vars.outputs.sha }} - name: Install dependencies 
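Review bot: Switching the trigger from `main` only to `on: [push]` runs this deployment job — with `id-token: write` and the preprod secrets — for every branch pushed to the repository, and not every downstream step is gated on `github.ref`: the GPG signing step visibly has no `if:`, and the `configure-aws-credentials` step shows none in the visible context, while only the S3 sync (`--dryrun`) and the image push are conditional. So any branch, including one carrying unreviewed changes to `scripts/sign.sh`, now obtains an OIDC role session and produces artifacts signed with the release key (or, if the role's trust policy restricts `sub` to `refs/heads/main`, fails at the credentials step). If the intent is to exercise the pipeline on branches, gate the secret-bearing steps with `if: github.ref == 'refs/heads/main'` or split them into a job with that condition, and confirm the IAM trust policy only admits `main`. Separately, `github.head_ref` is empty on push events, so this `concurrency.group` is unique per run; `${{ github.workflow }}-${{ github.ref }}` is what actually cancels superseded runs.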
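Review bot: `release --snapshot=${{ github.ref != 'refs/heads/main' }}` becomes `release --snapshot=false` on `main`, which makes GoReleaser perform a real release: it expects the checked-out commit to carry a git tag and, since nothing in the new .goreleaser.yaml disables the release step, tries to publish a GitHub release — with no `GITHUB_TOKEN` passed to the step and only `id-token: write` / `contents: read` visible in the job's permissions. Unless a tag and token are supplied somewhere I cannot see, the main-branch run fails at this step before signing and upload. The workflow only needs the binaries (archives and changelog are already disabled), so `args: build --snapshot --clean` produces them on every ref without the release machinery; if `release` is really wanted on main, add `release: { disable: true }` to .goreleaser.yaml and document the tagging requirement. The `version: latest` here should be pinned like the other workflows.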
@@ -66,54 +55,17 @@ jobs: GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} - name: Sign Spacelift VCS Agent Binary - run: ./scripts/sign.sh $BIN_DIR $BASE_NAME + run: | + chmod 755 ./dist/vcs-agent_linux_amd64_v1/spacelift-vcs-agent + ./scripts/sign.sh ./dist/vcs-agent_linux_amd64_v1 spacelift-vcs-agent + ./scripts/verify.sh ./dist/vcs-agent_linux_amd64_v1 spacelift-vcs-agent + + chmod 755 ./dist/vcs-agent_linux_arm64/spacelift-vcs-agent + ./scripts/sign.sh ./dist/vcs-agent_linux_arm64 spacelift-vcs-agent + ./scripts/verify.sh ./dist/vcs-agent_linux_arm64 spacelift-vcs-agent env: GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }} GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} - SHORT_SHA: ${{ steps.vars.outputs.sha }} - - - name: Verify Checksum Spacelift VCS Agent Binary - run: ./scripts/verify.sh $BIN_DIR $BASE_NAME - env: - SHORT_SHA: ${{ steps.vars.outputs.sha }} - - - name: Upload the VCS Agent binary - uses: actions/upload-artifact@v3 - with: - name: vcs-agent-binary - path: build/ - retention-days: 1 - - - name: Update deployment status (failure) - uses: chrnorm/deployment-status@releases/v1 - if: failure() && ${{ github.ref == 'refs/heads/main' }} - with: - token: "${{ github.token }}" - target_url: https://downloads.spacelift.dev/spacelift-vcs-agent - state: "failure" - deployment_id: ${{ steps.deployment.outputs.deployment_id }} - - publish-preprod-agent-deployment: - name: Upload VCS agent binary and container image - needs: ["preprod-agent-deployment"] - runs-on: ubuntu-latest - - env: - BIN_DIR: build - permissions: - id-token: write - contents: read - deployments: write - - steps: - - name: Check out repository code - uses: actions/checkout@v4 - - - name: Download the VCS Agent binary - uses: actions/download-artifact@v3 - with: - name: vcs-agent-binary - path: ./build - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4 
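Review bot: The rewritten signing step drops `SHORT_SHA` from its environment, which both the old sign and verify steps exported; if `scripts/sign.sh` or `scripts/verify.sh` reads it (the scripts are not visible here), it is now empty and the checksum naming or contents change silently, so either keep `SHORT_SHA: ${{ steps.vars.outputs.sha }}` in this step's `env:` or confirm the scripts no longer use it. The directory names `vcs-agent_linux_amd64_v1` and `vcs-agent_linux_arm64` are GoReleaser defaults (`<project_name>_<os>_<arch>` plus the `_v1` GOAMD64 suffix) hard-coded here and again in the upload step; setting `project_name` explicitly in .goreleaser.yaml makes the inferred part stable. Running sign and then verify per architecture in one step is the right shape; a `for dir in ./dist/vcs-agent_linux_*; do ...; done` loop would also stop a third `goarch` from being added to .goreleaser.yaml without being signed.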
@@ -124,11 +76,36 @@ jobs: role-duration-seconds: 900 - name: Upload the VCS Agent binary to downloads.spacelift.dev - if: ${{ github.ref == 'refs/heads/main' }} run: >- + ######## AMD 64 old path ######## + + aws s3 sync + dist/vcs-agent_linux_amd64_v1/* s3://${{ secrets.PREPROD_AWS_S3_BUCKET }} + --no-progress ${{ github.ref != 'refs/heads/main' && '--dryrun' || '' }} + + ######## AMD 64 new path ######## + + aws s3 sync + "./dist/vcs-agent_linux_amd64_v1/spacelift-vcs-agent" s3://${{ secrets.PREPROD_AWS_S3_BUCKET }}/spacelift-vcs-agent-amd64 + --no-progress ${{ github.ref != 'refs/heads/main' && '--dryrun' || '' }} + + aws s3 sync + "./dist/vcs-agent_linux_amd64_v1/spacelift-vcs-agent_SHA256SUMS" s3://${{ secrets.PREPROD_AWS_S3_BUCKET }}/spacelift-vcs-agent-amd64_SHA256SUMS + --no-progress ${{ github.ref != 'refs/heads/main' && '--dryrun' || '' }} + + ######## ARM 64 new path ######## + + aws s3 sync + "./dist/vcs-agent_linux_arm64/spacelift-vcs-agent" s3://${{ secrets.PREPROD_AWS_S3_BUCKET }}/spacelift-vcs-agent-aarch64 + --no-progress ${{ github.ref != 'refs/heads/main' && '--dryrun' || '' }} + + aws s3 sync + "./dist/vcs-agent_linux_arm64/spacelift-vcs-agent_SHA256SUMS" s3://${{ secrets.PREPROD_AWS_S3_BUCKET }}/spacelift-vcs-agent-aarch64_SHA256SUMS + --no-progress ${{ github.ref != 'refs/heads/main' && '--dryrun' || '' }} + aws s3 sync - ${BIN_DIR} s3://${{ secrets.PREPROD_AWS_S3_BUCKET }}/ - --no-progress + "./dist/vcs-agent_linux_arm64/spacelift-vcs-agent_SHA256SUMS.sig" s3://${{ secrets.PREPROD_AWS_S3_BUCKET }}/spacelift-vcs-agent-aarch64_SHA256SUMS.sig + --no-progress ${{ github.ref != 'refs/heads/main' && '--dryrun' || '' }} - name: Invalidate downloads.spacelift.dev cache if: ${{ github.ref == 'refs/heads/main' }} 
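Review bot: The amd64 "new path" uploads the binary and `spacelift-vcs-agent_SHA256SUMS` but not `spacelift-vcs-agent_SHA256SUMS.sig`, whereas the arm64 block does, so anyone fetching `spacelift-vcs-agent-amd64_SHA256SUMS` from the new location has no signature to verify it against and the signing step's output is discarded for that architecture; add a sync mirroring the arm64 `.sig` line, targeting `spacelift-vcs-agent-amd64_SHA256SUMS.sig`. The first "old path" command passes `dist/vcs-agent_linux_amd64_v1/*`, which the shell expands into several positional arguments ahead of the bucket URI; `aws s3 sync` accepts exactly one source and one destination, so this most likely errors on every ref — the old step synced the directory, i.e. `dist/vcs-agent_linux_amd64_v1/ s3://${{ secrets.PREPROD_AWS_S3_BUCKET }}/`. For the single-file lines, `sync` is directory/prefix oriented; `aws s3 cp` with the same `--dryrun` toggle is the documented way to upload one object under a new key, and the resulting key names in the bucket deserve a check after the first main-branch run.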
@@ -141,36 +118,16 @@ jobs: if: ${{ github.ref == 'refs/heads/main' }} run: aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws - # This will be needed in the future for adding multi architecture build support - # - name: Set up QEMU - # uses: docker/setup-qemu-action@v3 - - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + - name: Build and push the image uses: docker/build-push-action@v5 with: - context: . - platforms: linux/amd64 + platforms: linux/amd64,linux/arm64 push: ${{ github.ref == 'refs/heads/main' }} tags: | ${{ secrets.PREPROD_PUBLIC_VCS_AGENT_ECR_REPOSITORY_URL }}:latest - - - name: Update deployment status (success) - uses: chrnorm/deployment-status@releases/v1 - if: success() && ${{ github.ref == 'refs/heads/main' }} - with: - token: "${{ github.token }}" - target_url: https://downloads.spacelift.dev/spacelift-vcs-agent - state: "success" - deployment_id: ${{ needs.preprod-agent-deployment.outputs.deployment_id }} - - - name: Update deployment status (failure) - uses: chrnorm/deployment-status@releases/v1 - if: failure() && ${{ github.ref == 'refs/heads/main' }} - with: - token: "${{ github.token }}" - target_url: https://downloads.spacelift.dev/spacelift-vcs-agent - state: "failure" - deployment_id: ${{ needs.preprod-agent-deployment.outputs.deployment_id }} diff --git a/.github/workflows/prod-deployment.yml b/.github/workflows/prod-deployment.yml index 9d8b50a..7adf040 100644 --- a/.github/workflows/prod-deployment.yml +++ b/.github/workflows/prod-deployment.yml 
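Review bot: Removing `context: .` from the build-push-action step changes where the Dockerfile's inputs come from: without it the action defaults to the Git context — a fresh clone of the triggering ref — rather than the runner's workspace, so the `dist/` tree that GoReleaser just produced and the previous step signed is absent from the build context and the Dockerfile's `COPY dist/vcs-agent_linux_${TARGETARCH}*/spacelift-vcs-agent` has nothing to copy. Restore `context: .` so the image is built from the signed binaries in the workspace. Also order the setup steps as the Docker docs do, `setup-qemu-action` before `setup-buildx-action`, so the buildx builder is created after the arm64 binfmt handlers are registered; as written the builder is bootstrapped first, and whether it then advertises `linux/arm64` is something to confirm in the run logs rather than assume.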
@@ -24,7 +24,7 @@ jobs: - name: Check out repository code uses: actions/checkout@v4 - - name: Mark source directory as safe. # This is some duct tape over the git version in the Go image complaining about this since one of the 1.19.x versions. Feel free to remove once it doesn't break the build anymore. See https://github.com/actions/runner/issues/2033 and https://github.com/actions/checkout/issues/760#issuecomment-1097797031 + - name: Mark source directory as safe. run: git config --global --add safe.directory $GITHUB_WORKSPACE - uses: chrnorm/deployment-action@releases/v1 diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 86e2439..e75ecbd 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml 
@@ -13,75 +13,68 @@ jobs: name: Build runs-on: ubuntu-latest - env: - BASE_NAME: spacelift-vcs-agent - BIN_DIR: build - steps: - name: Checkout uses: actions/checkout@v4 with: { fetch-depth: 0 } - - name: Set up Go + - name: Mark source directory as safe. + run: git config --global --add safe.directory $GITHUB_WORKSPACE + + - name: Setup Go uses: actions/setup-go@v4 - with: { go-version: 1.18 } + with: { go-version: "1.20" } - name: parse short SHA id: vars run: | echo ::set-output name=sha::$(git rev-parse --short=8 ${{ github.sha }}) - - name: Build Spacelift VCS Agent - run: go build -a -tags netgo -ldflags "-s -w -extldflags '-static' -X main.VERSION=$SHORT_SHA -X main.BugsnagAPIKey=$BUGSNAG_API_KEY" -trimpath -o $BIN_DIR/$BASE_NAME ./cmd/spacelift-vcs-agent + - name: Run GoReleaser + uses: goreleaser/goreleaser-action@v5 + with: + version: latest + args: release --snapshot env: BUGSNAG_API_KEY: ${{ secrets.BUGSNAG_API_KEY }} - CGO_ENABLED: 0 SHORT_SHA: ${{ steps.vars.outputs.sha }} - - name: Archive artifacts for use in Docker build - uses: actions/upload-artifact@v3 - with: - name: build - path: | - build - - analyze: - name: Analyze with Trivy - needs: build - runs-on: ubuntu-latest - - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Download build artifacts - uses: actions/download-artifact@v3 + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 with: - name: build - path: build + platforms: "linux/amd64,linux/arm64" - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + - name: Build Docker image + run: | + docker build --platform linux/amd64 -t spacelift-vcs-agent:${{ github.sha }}-amd64 . + docker build --platform linux/arm64 -t spacelift-vcs-agent:${{ github.sha }}-arm64 . - - name: Build and push the image - uses: docker/build-push-action@v5 + - name: Run Trivy vulnerability scanner (amd64) + uses: aquasecurity/trivy-action@master with: - context: . 
- push: false - load: true - tags: "spacelift-vcs-agent:${{ github.sha }}" + image-ref: "spacelift-vcs-agent:${{ github.sha }}-amd64" + format: "template" + template: "@/contrib/sarif.tpl" + output: "trivy-results-amd64.sarif" + severity: "CRITICAL,HIGH" - - name: Run Trivy vulnerability scanner + - name: Run Trivy vulnerability scanner (arm64) uses: aquasecurity/trivy-action@master with: - image-ref: "spacelift-vcs-agent:${{ github.sha }}" + image-ref: "spacelift-vcs-agent:${{ github.sha }}-arm64" format: "template" template: "@/contrib/sarif.tpl" - output: "trivy-results.sarif" + output: "trivy-results-arm64.sarif" severity: "CRITICAL,HIGH" - - name: Upload Trivy scan results to GitHub Security tab + - name: Upload Trivy scan results to GitHub Security tab (amd64) + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: "trivy-results-amd64.sarif" + category: "Trivy (amd64)" + + - name: Upload Trivy scan results to GitHub Security tab (arm64) uses: github/codeql-action/upload-sarif@v2 with: - sarif_file: "trivy-results.sarif" - category: "Trivy" + sarif_file: "trivy-results-arm64.sarif" + category: "Trivy (arm64)" diff --git a/.gitignore b/.gitignore index 723794d..f9e1b13 100644 --- a/.gitignore +++ b/.gitignore @@ -20,3 +20,5 @@ # Binary cmd/spacelift-vcs-agent/spacelift-vcs-agent + +dist/ diff --git a/.goreleaser.yaml b/.goreleaser.yaml new file mode 100644 index 0000000..94d7fc5 --- /dev/null +++ b/.goreleaser.yaml @@ -0,0 +1,17 @@ +builds: + - main: ./cmd/spacelift-vcs-agent + binary: spacelift-vcs-agent + env: [CGO_ENABLED=0] + goos: [linux] + goarch: [amd64, arm64] + flags: [-trimpath] + tags: [netgo] + ldflags: + - "-s -w -extldflags '-static' -X main.VERSION={{.Env.SHORT_SHA}} -X main.BugsnagAPIKey={{.Env.BUGSNAG_API_KEY}}" + +changelog: + skip: true + +archives: + # This disables the archive step entirely + - format: binary diff --git a/Dockerfile b/Dockerfile index 51df8c4..d85a169 100644 --- a/Dockerfile +++ b/Dockerfile 
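Review bot: Both new scanner steps reference `aquasecurity/trivy-action@master`, a mutable branch, so the tool feeding the Security tab is whatever `master` is at run time and can change or break without any commit here; pin it to a release tag or, better, a commit SHA. While these steps are being rewritten, neither sets `exit-code`, so CRITICAL/HIGH findings are uploaded but never fail the workflow (true of the old step as well); `exit-code: "1"` together with `ignore-unfixed: true` is the usual way to make the scan gate the build if that is wanted. Recent Trivy releases also support `format: sarif` natively, which avoids depending on the action's bundled `@/contrib/sarif.tpl`.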
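Review bot: The new config sets no `project_name`, so GoReleaser infers it (from the module or checkout directory name, as far as I can tell), and the output paths `dist/vcs-agent_linux_amd64_v1` and `dist/vcs-agent_linux_arm64` that three workflows now hard-code rest on that inference plus the default `_v1` GOAMD64 suffix; add `project_name: vcs-agent` at the top so a checkout-path change or a default change in a newer GoReleaser cannot silently move the binaries. The `-X main.BugsnagAPIKey={{.Env.BUGSNAG_API_KEY}}` ldflag carries over the old practice of compiling a secret into the distributed binary, where it is recoverable with `strings`; treat it as a low-privilege key and say so, e.g. `# BugsnagAPIKey is linked into the shipped binary and must not be treated as secret.` With `CGO_ENABLED=0`, `-extldflags '-static'` is a no-op and can go. I believe recent GoReleaser releases deprecate `changelog.skip` in favor of `changelog.disable`; with `version: latest` in the workflows, such a deprecation can turn into a hard failure without any change here.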
@@ -1,11 +1,12 @@
FROM alpine:3.18
+ARG TARGETARCH
RUN apk add --no-cache ca-certificates
RUN apk upgrade --update-cache --available
RUN adduser --disabled-password --no-create-home --uid=1983 spacelift
-COPY build/spacelift-vcs-agent /usr/bin/spacelift-vcs-agent
+COPY dist/vcs-agent_linux_${TARGETARCH}*/spacelift-vcs-agent /usr/bin/spacelift-vcs-agent
RUN chmod +x /usr/bin/spacelift-vcs-agent