From d684d38ce83b5a2033ece8ba8985a6d81e310dbd Mon Sep 17 00:00:00 2001 From: peterdeme Date: Sat, 25 Nov 2023 09:41:03 +0100 Subject: [PATCH] Use Goreleaser, and publish arm64 Signed-off-by: peterdeme --- .github/workflows/build-binary.yml | 23 +-- .github/workflows/linting.yml | 4 + .github/workflows/preprod-deployment.yml | 179 +++-------------------- .github/workflows/prod-deployment.yml | 179 +++-------------------- .github/workflows/publish/action.yml | 142 ++++++++++++++++++ .github/workflows/security.yml | 4 + .github/workflows/trivy.yml | 84 +++++------ .github/workflows/unit-testing.yml | 4 + .gitignore | 2 + .goreleaser.yaml | 17 +++ Dockerfile | 7 +- 11 files changed, 263 insertions(+), 382 deletions(-) create mode 100644 .github/workflows/publish/action.yml create mode 100644 .goreleaser.yaml diff --git a/.github/workflows/build-binary.yml b/.github/workflows/build-binary.yml index ecd713c..de20403 100644 --- a/.github/workflows/build-binary.yml +++ b/.github/workflows/build-binary.yml @@ -2,21 +2,21 @@ name: Build Binary on: { push: { branches-ignore: [main, production] } } +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} + cancel-in-progress: true + jobs: - preprod-agent-deployment: - name: Build and upload agent + build-binary: + name: Build binary runs-on: ubuntu-latest container: golang:1.20 - env: - BASE_NAME: spacelift-vcs-agent - BIN_DIR: build - steps: - name: Check out repository code uses: actions/checkout@v4 - - name: Mark source directory as safe. # This is some duct tape over the git version in the Go image complaining about this since one of the 1.19.x versions. Feel free to remove once it doesn't break the build anymore. See https://github.com/actions/runner/issues/2033 and https://github.com/actions/checkout/issues/760#issuecomment-1097797031 + - name: Mark source directory as safe. run: git config --global --add safe.directory $GITHUB_WORKSPACE - name: parse short SHA @@ -24,9 +24,10 @@ jobs: run: | echo ::set-output name=sha::$(git rev-parse --short=8 ${{ github.sha }}) - - name: Build Spacelift VCS Agent - run: go build -a -tags netgo -ldflags "-s -w -extldflags '-static' -X main.VERSION=$SHORT_SHA -X main.BugsnagAPIKey=$BUGSNAG_API_KEY" -trimpath -o $BIN_DIR/$BASE_NAME ./cmd/spacelift-vcs-agent + - name: Run GoReleaser + uses: goreleaser/goreleaser-action@v5 + with: + version: latest + args: release --snapshot env: BUGSNAG_API_KEY: ${{ secrets.PREPROD_BUGSNAG_API_KEY }} - CGO_ENABLED: 0 - SHORT_SHA: ${{ steps.vars.outputs.sha }} diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml index 2052c91..533e0d9 100644 --- a/.github/workflows/linting.yml +++ b/.github/workflows/linting.yml @@ -2,6 +2,10 @@ name: Linting on: { push: { branches-ignore: [main, production] } } +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} + cancel-in-progress: true + jobs: linting: name: Lint the code diff --git a/.github/workflows/preprod-deployment.yml b/.github/workflows/preprod-deployment.yml index 97c8dd5..f1d0ef1 100644 --- a/.github/workflows/preprod-deployment.yml +++ b/.github/workflows/preprod-deployment.yml @@ -1,176 +1,31 @@ name: Preprod deployment -on: - push: - branches: - - main +on: [push] + +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} + cancel-in-progress: true jobs: preprod-agent-deployment: - name: Build and upload agent + name: Build and upload VCS Agent runs-on: ubuntu-latest - outputs: - deployment_id: ${{ steps.deployment.outputs.deployment_id }} - container: golang:1.20 - env: - BASE_NAME: spacelift-vcs-agent - BIN_DIR: build permissions: id-token: write contents: read - deployments: write steps: - name: Check out repository code uses: actions/checkout@v4 - - name: Mark source directory as safe. # This is some duct tape over the git version in the Go image complaining about this since one of the 1.19.x versions. Feel free to remove once it doesn't break the build anymore. See https://github.com/actions/runner/issues/2033 and https://github.com/actions/checkout/issues/760#issuecomment-1097797031 - run: git config --global --add safe.directory $GITHUB_WORKSPACE - - - uses: chrnorm/deployment-action@releases/v1 - name: Create GitHub deployment - if: ${{ github.ref == 'refs/heads/main' }} - id: deployment - with: - token: "${{ github.token }}" - target_url: https://downloads.spacelift.dev/spacelift-vcs-agent - environment: preprod/vcs-agent - - - name: parse short SHA - id: vars - run: | - echo ::set-output name=sha::$(git rev-parse --short=8 ${{ github.sha }}) - - - name: Build Spacelift VCS Agent - run: go build -a -tags netgo -ldflags "-s -w -extldflags '-static' -X main.VERSION=$SHORT_SHA -X main.BugsnagAPIKey=$BUGSNAG_API_KEY" -trimpath -o $BIN_DIR/$BASE_NAME ./cmd/spacelift-vcs-agent - env: - BUGSNAG_API_KEY: ${{ secrets.PREPROD_BUGSNAG_API_KEY }} - CGO_ENABLED: 0 - SHORT_SHA: ${{ steps.vars.outputs.sha }} - - - name: Install dependencies - run: | - apt-get update -y - apt-get install -y awscli zip - - - name: Import the PGP key - run: | - echo ${GPG_KEY_BASE64} | base64 -d > spacelift.gpg - gpg --import \ - --passphrase=$GPG_PASSPHRASE \ - --pinentry-mode=loopback \ - spacelift.gpg - rm spacelift.gpg - env: - GPG_KEY_BASE64: ${{ secrets.GPG_KEY_BASE64 }} - GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} - - - name: Sign Spacelift VCS Agent Binary - run: ./scripts/sign.sh $BIN_DIR $BASE_NAME - env: - GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }} - GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} - SHORT_SHA: ${{ steps.vars.outputs.sha }} - - - name: Verify Checksum Spacelift VCS Agent Binary - run: ./scripts/verify.sh $BIN_DIR $BASE_NAME - env: - SHORT_SHA: ${{ steps.vars.outputs.sha }} - - - name: Upload the VCS Agent binary - uses: actions/upload-artifact@v3 - with: - name: vcs-agent-binary - path: build/ - retention-days: 1 - - - name: Update deployment status (failure) - uses: chrnorm/deployment-status@releases/v1 - if: failure() && ${{ github.ref == 'refs/heads/main' }} - with: - token: "${{ github.token }}" - target_url: https://downloads.spacelift.dev/spacelift-vcs-agent - state: "failure" - deployment_id: ${{ steps.deployment.outputs.deployment_id }} - - publish-preprod-agent-deployment: - name: Upload VCS agent binary and container image - needs: ["preprod-agent-deployment"] - runs-on: ubuntu-latest - - env: - BIN_DIR: build - permissions: - id-token: write - contents: read - deployments: write - - steps: - - name: Check out repository code - uses: actions/checkout@v4 - - - name: Download the VCS Agent binary - uses: actions/download-artifact@v3 - with: - name: vcs-agent-binary - path: ./build - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - if: ${{ github.ref == 'refs/heads/main' }} - with: - aws-region: eu-west-1 - role-to-assume: ${{ secrets.PREPROD_AWS_ROLE_TO_ASSUME }} - role-duration-seconds: 900 - - - name: Upload the VCS Agent binary to downloads.spacelift.dev - if: ${{ github.ref == 'refs/heads/main' }} - run: >- - aws s3 sync - ${BIN_DIR} s3://${{ secrets.PREPROD_AWS_S3_BUCKET }}/ - --no-progress - - - name: Invalidate downloads.spacelift.dev cache - if: ${{ github.ref == 'refs/heads/main' }} - run: >- - aws cloudfront create-invalidation - --distribution-id ${{ secrets.PREPROD_DISTRIBUTION }} - --paths "/*" - - - name: Log in to Amazon public ECR - if: ${{ github.ref == 'refs/heads/main' }} - run: aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws - - # This will be needed in the future for adding multi architecture build support - # - name: Set up QEMU - # uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Build and push the image - uses: docker/build-push-action@v5 - with: - context: . - platforms: linux/amd64 - push: ${{ github.ref == 'refs/heads/main' }} - tags: | - ${{ secrets.PREPROD_PUBLIC_VCS_AGENT_ECR_REPOSITORY_URL }}:latest - - - name: Update deployment status (success) - uses: chrnorm/deployment-status@releases/v1 - if: success() && ${{ github.ref == 'refs/heads/main' }} - with: - token: "${{ github.token }}" - target_url: https://downloads.spacelift.dev/spacelift-vcs-agent - state: "success" - deployment_id: ${{ needs.preprod-agent-deployment.outputs.deployment_id }} - - - name: Update deployment status (failure) - uses: chrnorm/deployment-status@releases/v1 - if: failure() && ${{ github.ref == 'refs/heads/main' }} - with: - token: "${{ github.token }}" - target_url: https://downloads.spacelift.dev/spacelift-vcs-agent - state: "failure" - deployment_id: ${{ needs.preprod-agent-deployment.outputs.deployment_id }} + - name: Publish binary & Docker image + uses: ./.github/workflows/publish + with: + aws_role_to_assume: ${{ secrets.PREPROD_AWS_ROLE_TO_ASSUME }} + ecr_repository_url: ${{ secrets.PREPROD_PUBLIC_VCS_AGENT_ECR_REPOSITORY_URL }} + aws_bucket: ${{ secrets.PREPROD_AWS_S3_BUCKET }} + cloudfront_distribution: ${{ secrets.PREPROD_DISTRIBUTION }} + bugsnag_api_key: ${{ secrets.PREPROD_BUGSNAG_API_KEY }} + gpg_key_id: ${{ secrets.GPG_KEY_ID }} + gpg_base64_key: ${{ secrets.GPG_KEY_BASE64 }} + gpg_passphrase: ${{ secrets.GPG_PASSPHRASE }} diff --git a/.github/workflows/prod-deployment.yml b/.github/workflows/prod-deployment.yml index 9d8b50a..f15dbb4 100644 --- a/.github/workflows/prod-deployment.yml +++ b/.github/workflows/prod-deployment.yml @@ -1,176 +1,31 @@ name: Prod deployment -on: - push: - branches: - - production +on: [push] + +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} + cancel-in-progress: true jobs: prod-agent-deployment: - name: Build and upload agent + name: Build and upload VCS Agent runs-on: ubuntu-latest - outputs: - deployment_id: ${{ steps.deployment.outputs.deployment_id }} - container: golang:1.20 - env: - BASE_NAME: spacelift-vcs-agent - BIN_DIR: build permissions: id-token: write contents: read - deployments: write steps: - name: Check out repository code uses: actions/checkout@v4 - - name: Mark source directory as safe. # This is some duct tape over the git version in the Go image complaining about this since one of the 1.19.x versions. Feel free to remove once it doesn't break the build anymore. See https://github.com/actions/runner/issues/2033 and https://github.com/actions/checkout/issues/760#issuecomment-1097797031 - run: git config --global --add safe.directory $GITHUB_WORKSPACE - - - uses: chrnorm/deployment-action@releases/v1 - name: Create GitHub deployment - if: ${{ github.ref == 'refs/heads/production' }} - id: deployment - with: - token: "${{ github.token }}" - target_url: https://downloads.spacelift.io/spacelift-vcs-agent - environment: prod/vcs-agent - - - name: parse short SHA - id: vars - run: | - echo ::set-output name=sha::$(git rev-parse --short=8 ${{ github.sha }}) - - - name: Build Spacelift VCS Agent - run: go build -a -tags netgo -ldflags "-s -w -extldflags '-static' -X main.VERSION=$SHORT_SHA -X main.BugsnagAPIKey=$BUGSNAG_API_KEY" -trimpath -o $BIN_DIR/$BASE_NAME ./cmd/spacelift-vcs-agent - env: - BUGSNAG_API_KEY: ${{ secrets.BUGSNAG_API_KEY }} - CGO_ENABLED: 0 - SHORT_SHA: ${{ steps.vars.outputs.sha }} - - - name: Install dependencies - run: | - apt-get update -y - apt-get install -y awscli zip - - - name: Import the PGP key - run: | - echo ${GPG_KEY_BASE64} | base64 -d > spacelift.gpg - gpg --import \ - --passphrase=$GPG_PASSPHRASE \ - --pinentry-mode=loopback \ - spacelift.gpg - rm spacelift.gpg - env: - GPG_KEY_BASE64: ${{ secrets.GPG_KEY_BASE64 }} - GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} - - - name: Sign Spacelift VCS Agent Binary - run: ./scripts/sign.sh $BIN_DIR $BASE_NAME - env: - GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }} - GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} - SHORT_SHA: ${{ steps.vars.outputs.sha }} - - - name: Verify Checksum Spacelift VCS Agent Binary - run: ./scripts/verify.sh $BIN_DIR $BASE_NAME - env: - SHORT_SHA: ${{ steps.vars.outputs.sha }} - - - name: Upload the VCS Agent binary - uses: actions/upload-artifact@v3 - with: - name: vcs-agent-binary - path: build/ - retention-days: 1 - - - name: Update deployment status (failure) - uses: chrnorm/deployment-status@releases/v1 - if: failure() && ${{ github.ref == 'refs/heads/production' }} - with: - token: "${{ github.token }}" - target_url: https://downloads.spacelift.io/spacelift-vcs-agent - state: "failure" - deployment_id: ${{ steps.deployment.outputs.deployment_id }} - - publish-prod-agent-deployment: - name: Upload VCS agent binary and container image - needs: ["prod-agent-deployment"] - runs-on: ubuntu-latest - - env: - BIN_DIR: build - permissions: - id-token: write - contents: read - deployments: write - - steps: - - name: Check out repository code - uses: actions/checkout@v4 - - - name: Download the VCS Agent binary - uses: actions/download-artifact@v3 - with: - name: vcs-agent-binary - path: ./build - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - if: ${{ github.ref == 'refs/heads/production' }} - with: - aws-region: eu-west-1 - role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} - role-duration-seconds: 900 - - - name: Upload the VCS Agent binary to downloads.spacelift.io - if: ${{ github.ref == 'refs/heads/production' }} - run: >- - aws s3 sync - ${BIN_DIR} s3://${{ secrets.AWS_S3_BUCKET }}/ - --no-progress - - - name: Invalidate downloads.spacelift.io cache - if: ${{ github.ref == 'refs/heads/production' }} - run: >- - aws cloudfront create-invalidation - --distribution-id ${{ secrets.DISTRIBUTION }} - --paths "/*" - - - name: Log in to Amazon public ECR - if: ${{ github.ref == 'refs/heads/production' }} - run: aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws - - # This will be needed in the future for adding multi architecture build support - # - name: Set up QEMU - # uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Build and push the image - uses: docker/build-push-action@v5 - with: - context: . - platforms: linux/amd64 - push: ${{ github.ref == 'refs/heads/production' }} - tags: | - ${{ secrets.PUBLIC_VCS_AGENT_ECR_REPOSITORY_URL }}:latest - - - name: Update deployment status (success) - uses: chrnorm/deployment-status@releases/v1 - if: success() && ${{ github.ref == 'refs/heads/production' }} - with: - token: "${{ github.token }}" - target_url: https://downloads.spacelift.io/spacelift-vcs-agent - state: "success" - deployment_id: ${{ needs.prod-agent-deployment.outputs.deployment_id }} - - - name: Update deployment status (failure) - uses: chrnorm/deployment-status@releases/v1 - if: failure() && ${{ github.ref == 'refs/heads/production' }} - with: - token: "${{ github.token }}" - target_url: https://downloads.spacelift.io/spacelift-vcs-agent - state: "failure" - deployment_id: ${{ needs.prod-agent-deployment.outputs.deployment_id }} + - name: Publish binary & Docker image + uses: ./.github/workflows/publish + with: + aws_role_to_assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} + ecr_repository_url: ${{ secrets.PUBLIC_VCS_AGENT_ECR_REPOSITORY_URL }} + aws_bucket: ${{ secrets.AWS_S3_BUCKET }} + cloudfront_distribution: ${{ secrets.DISTRIBUTION }} + bugsnag_api_key: ${{ secrets.BUGSNAG_API_KEY }} + gpg_key_id: ${{ secrets.GPG_KEY_ID }} + gpg_base64_key: ${{ secrets.GPG_KEY_BASE64 }} + gpg_passphrase: ${{ secrets.GPG_PASSPHRASE }} diff --git a/.github/workflows/publish/action.yml b/.github/workflows/publish/action.yml new file mode 100644 index 0000000..902763b --- /dev/null +++ b/.github/workflows/publish/action.yml @@ -0,0 +1,142 @@ +name: Publish VCS Agent +description: Builds and pushes the binaries to S3 and to the public ECR. + +inputs: + aws_role_to_assume: + description: The AWS role to assume. Used to authenticate with ECR. + required: true + ecr_repository_url: + description: The ECR repository URL. Used to push the Docker image. + required: true + aws_bucket: + description: The AWS bucket. Used to upload the binaries. + required: true + cloudfront_distribution: + description: The CloudFront distribution. Used to invalidate the cache. + required: true + bugsnag_api_key: + description: The Bugsnag API key. Used to authenticate with Bugsnag. + required: true + gpg_key_id: + description: The GPG key ID. Used to sign the binaries. + required: true + gpg_base64_key: + description: The GPG key. Used to sign the binaries. + required: true + gpg_passphrase: + description: The GPG passphrase. Used to sign the binaries. + required: true + +runs: + using: composite + steps: + - name: Setup Go + uses: actions/setup-go@v4 + with: { go-version: "1.20" } + + - name: Fake tag for GoReleaser + shell: bash + run: | + git config --local user.email "ci@spacelift.io" + git config --local user.name "GitHub Actions" + git tag -a -m "An noop tag to make GoReleaser happy" v0.0.0 + + - name: Run GoReleaser + uses: goreleaser/goreleaser-action@v5 + with: + version: latest + args: release --snapshot=${{ github.ref != 'refs/heads/main' && github.ref != 'refs/heads/production' }} + env: + BUGSNAG_API_KEY: ${{ inputs.bugsnag_api_key }} + + - name: Import the PGP key + shell: bash + run: | + echo ${GPG_KEY_BASE64} | base64 -d > spacelift.gpg + gpg --import \ + --passphrase=$GPG_PASSPHRASE \ + --pinentry-mode=loopback \ + spacelift.gpg + rm spacelift.gpg + env: + GPG_KEY_BASE64: ${{ inputs.gpg_base64_key }} + GPG_PASSPHRASE: ${{ inputs.gpg_passphrase }} + + - name: Sign Spacelift VCS Agent Binary + shell: bash + run: | + chmod 755 ./dist/vcs-agent_linux_amd64_v1/spacelift-vcs-agent + ./scripts/sign.sh ./dist/vcs-agent_linux_amd64_v1 spacelift-vcs-agent + ./scripts/verify.sh ./dist/vcs-agent_linux_amd64_v1 spacelift-vcs-agent + + chmod 755 ./dist/vcs-agent_linux_arm64/spacelift-vcs-agent + ./scripts/sign.sh ./dist/vcs-agent_linux_arm64 spacelift-vcs-agent + ./scripts/verify.sh ./dist/vcs-agent_linux_arm64 spacelift-vcs-agent + env: + GPG_KEY_ID: ${{ inputs.gpg_key_id }} + GPG_PASSPHRASE: ${{ inputs.gpg_passphrase }} + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + if: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/production' }} + with: + aws-region: eu-west-1 + role-to-assume: ${{ inputs.aws_role_to_assume }} + role-duration-seconds: 900 + + - name: Put the binaries to the right place + shell: bash + run: | + mkdir -p build + cp dist/vcs-agent_linux_amd64_v1/spacelift-vcs-agent build/spacelift-vcs-agent + cp dist/vcs-agent_linux_amd64_v1/spacelift-vcs-agent_SHA256SUMS build/spacelift-vcs-agent_SHA256SUMS + cp dist/vcs-agent_linux_amd64_v1/spacelift-vcs-agent_SHA256SUMS.sig build/spacelift-vcs-agent_SHA256SUMS.sig + + cp dist/vcs-agent_linux_amd64_v1/spacelift-vcs-agent build/spacelift-vcs-agent-x86_64 + cp dist/vcs-agent_linux_amd64_v1/spacelift-vcs-agent_SHA256SUMS build/spacelift-vcs-agent-x86_64_SHA256SUMS + cp dist/vcs-agent_linux_amd64_v1/spacelift-vcs-agent_SHA256SUMS.sig build/spacelift-vcs-agent-x86_64_SHA256SUMS.sig + + cp dist/vcs-agent_linux_arm64/spacelift-vcs-agent build/spacelift-vcs-agent-aarch64 + cp dist/vcs-agent_linux_arm64/spacelift-vcs-agent_SHA256SUMS build/spacelift-vcs-agent-aarch64_SHA256SUMS + cp dist/vcs-agent_linux_arm64/spacelift-vcs-agent_SHA256SUMS.sig build/spacelift-vcs-agent-aarch64_SHA256SUMS.sig + + # For easier visibility, here's the list of files we're uploading: + ls -l build + + - name: Upload the VCS Agent binaries to downloads.spacelift.[dev|io] + if: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/production' }} + shell: bash + run: >- + aws s3 sync + build/ s3://${{ inputs.aws_bucket }} + + - name: Invalidate downloads.spacelift.[dev|io] cache + if: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/production' }} + shell: bash + run: >- + aws cloudfront create-invalidation + --distribution-id ${{ inputs.cloudfront_distribution }} + --paths "/*" + + - name: Log in to Amazon public ECR + if: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/production' }} + shell: bash + run: aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + with: + platforms: linux/amd64,linux/arm64 + + - name: Build and push the image + uses: docker/build-push-action@v5 + with: + context: . + platforms: linux/amd64,linux/arm64 + push: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/production' }} + tags: | + ${{ inputs.ecr_repository_url }}:latest + \ No newline at end of file diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 24b011d..93e74d5 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -5,6 +5,10 @@ on: schedule: - cron: "19 7 * * 0" +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} + cancel-in-progress: true + jobs: codeql: name: CodeQL diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 86e2439..0a21568 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -8,80 +8,76 @@ on: schedule: - cron: "19 7 * * 0" +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} + cancel-in-progress: true + jobs: build: name: Build runs-on: ubuntu-latest - env: - BASE_NAME: spacelift-vcs-agent - BIN_DIR: build - steps: - name: Checkout uses: actions/checkout@v4 with: { fetch-depth: 0 } - - name: Set up Go + - name: Mark source directory as safe. + run: git config --global --add safe.directory $GITHUB_WORKSPACE + + - name: Setup Go uses: actions/setup-go@v4 - with: { go-version: 1.18 } + with: { go-version: "1.20" } - name: parse short SHA id: vars run: | echo ::set-output name=sha::$(git rev-parse --short=8 ${{ github.sha }}) - - name: Build Spacelift VCS Agent - run: go build -a -tags netgo -ldflags "-s -w -extldflags '-static' -X main.VERSION=$SHORT_SHA -X main.BugsnagAPIKey=$BUGSNAG_API_KEY" -trimpath -o $BIN_DIR/$BASE_NAME ./cmd/spacelift-vcs-agent + - name: Run GoReleaser + uses: goreleaser/goreleaser-action@v5 + with: + version: latest + args: release --snapshot env: BUGSNAG_API_KEY: ${{ secrets.BUGSNAG_API_KEY }} - CGO_ENABLED: 0 - SHORT_SHA: ${{ steps.vars.outputs.sha }} - - name: Archive artifacts for use in Docker build - uses: actions/upload-artifact@v3 + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 with: - name: build - path: | - build - - analyze: - name: Analyze with Trivy - needs: build - runs-on: ubuntu-latest + platforms: "linux/amd64,linux/arm64" - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Download build artifacts - uses: actions/download-artifact@v3 - with: - name: build - path: build - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + - name: Build Docker image + run: | + docker build --platform linux/amd64 -t spacelift-vcs-agent:${{ github.sha }}-amd64 . + docker build --platform linux/arm64 -t spacelift-vcs-agent:${{ github.sha }}-arm64 . - - name: Build and push the image - uses: docker/build-push-action@v5 + - name: Run Trivy vulnerability scanner (amd64) + uses: aquasecurity/trivy-action@master with: - context: . - push: false - load: true - tags: "spacelift-vcs-agent:${{ github.sha }}" + image-ref: "spacelift-vcs-agent:${{ github.sha }}-amd64" + format: "template" + template: "@/contrib/sarif.tpl" + output: "trivy-results-amd64.sarif" + severity: "CRITICAL,HIGH" - - name: Run Trivy vulnerability scanner + - name: Run Trivy vulnerability scanner (arm64) uses: aquasecurity/trivy-action@master with: - image-ref: "spacelift-vcs-agent:${{ github.sha }}" + image-ref: "spacelift-vcs-agent:${{ github.sha }}-arm64" format: "template" template: "@/contrib/sarif.tpl" - output: "trivy-results.sarif" + output: "trivy-results-arm64.sarif" severity: "CRITICAL,HIGH" - - name: Upload Trivy scan results to GitHub Security tab + - name: Upload Trivy scan results to GitHub Security tab (amd64) + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: "trivy-results-amd64.sarif" + category: "Trivy (amd64)" + + - name: Upload Trivy scan results to GitHub Security tab (arm64) uses: github/codeql-action/upload-sarif@v2 with: - sarif_file: "trivy-results.sarif" - category: "Trivy" + sarif_file: "trivy-results-arm64.sarif" + category: "Trivy (arm64)" diff --git a/.github/workflows/unit-testing.yml b/.github/workflows/unit-testing.yml index c1905ba..1d6561a 100644 --- a/.github/workflows/unit-testing.yml +++ b/.github/workflows/unit-testing.yml @@ -2,6 +2,10 @@ name: Unit testing on: { push: { branches-ignore: [main, production] } } +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} + cancel-in-progress: true + jobs: unit-testing: name: Test the code diff --git a/.gitignore b/.gitignore index 723794d..f9e1b13 100644 --- a/.gitignore +++ b/.gitignore @@ -20,3 +20,5 @@ # Binary cmd/spacelift-vcs-agent/spacelift-vcs-agent + +dist/ diff --git a/.goreleaser.yaml b/.goreleaser.yaml new file mode 100644 index 0000000..91cd20c --- /dev/null +++ b/.goreleaser.yaml @@ -0,0 +1,17 @@ +builds: + - main: ./cmd/spacelift-vcs-agent + binary: spacelift-vcs-agent + env: [CGO_ENABLED=0] + goos: [linux] + goarch: [amd64, arm64] + flags: [-trimpath] + tags: [netgo] + ldflags: + - "-s -w -extldflags '-static' -X main.VERSION={{.ShortCommit}} -X main.BugsnagAPIKey={{.Env.BUGSNAG_API_KEY}}" + +changelog: + skip: true + +archives: + # This disables the archive step entirely + - format: binary diff --git a/Dockerfile b/Dockerfile index 51df8c4..44f4e58 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,14 +1,15 @@ FROM alpine:3.18 +ARG TARGETARCH RUN apk add --no-cache ca-certificates RUN apk upgrade --update-cache --available RUN adduser --disabled-password --no-create-home --uid=1983 spacelift -COPY build/spacelift-vcs-agent /usr/bin/spacelift-vcs-agent +COPY dist/vcs-agent_linux_${TARGETARCH}*/spacelift-vcs-agent /usr/bin/spacelift-vcs-agent RUN chmod +x /usr/bin/spacelift-vcs-agent -CMD ["/usr/bin/spacelift-vcs-agent", "serve"] +USER spacelift -USER spacelift \ No newline at end of file +CMD ["/usr/bin/spacelift-vcs-agent", "serve"]