refactor: add github actions for docker image push

- refactor existing github actions for image and binary push - add exceptions for trivy scanner
controlplaneio · Dec 21, 2023 · 771cc35 · 771cc35
1 parent b257843
commit 771cc35
Show file tree

Hide file tree

Showing 6 changed files with 124 additions and 14 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -5,8 +5,7 @@ on:
     tags-ignore:
       - '*'
     branches:
-      #- '*'
-      - 'KS-*'
+      - '*'
   pull_request:
     branches: ['main', 'master']
 
@@ -43,7 +42,7 @@ jobs:
       - name: Build
         run: go build -v ./...
 
-  build-scan-push-image:
+  build-scan-docker-images:
     runs-on: ubuntu-latest
     needs: lint-and-build
     steps:
@@ -58,7 +57,7 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Login to Docker Hub # for testing the credentials
+      - name: Login to Docker Hub
         uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -69,16 +68,17 @@ jobs:
         with:
           context: .
           file: ./dev.Dockerfile
-          tags: 'controlplane/simulator:dev'
+          tags: |
+            controlplane/simulator:dev
           load: true
-          push: false # for testing
+          push: false
 
       - name: Run Trivy vulnerability scanner on the dev image
         uses: aquasecurity/trivy-action@master
         with:
           image-ref: 'controlplane/simulator:dev'
           format: 'table'
-          exit-code: '0'
+          exit-code: '1'
           vuln-type: 'os,library'
           severity: 'CRITICAL,HIGH'
 
@@ -96,7 +96,7 @@ jobs:
         with:
           image-ref: controlplane/simulator:${{ github.sha }}
           format: 'table'
-          exit-code: '0' # TODO: change to 1 when we have no more vulnerabilities
+          exit-code: '1'
           vuln-type: 'os,library'
           severity: 'CRITICAL,HIGH'
-
+          trivyignores: './.trivy-config/.trivyignore'
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -1,4 +1,4 @@
-name: release-binary
+name: release-binary-docker-images
 
 on:
   push:
@@ -10,13 +10,93 @@ permissions:
   contents: write
 
 jobs:
+  build-push-docker-images:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Build and tag dev image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./dev.Dockerfile
+          tags: |
+            controlplane/simulator:dev
+          load: true
+          push: false
+
+      - name: Run Trivy vulnerability scanner on the dev image
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'controlplane/simulator:dev'
+          format: 'table'
+          exit-code: '1'
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Build and tag simulator image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Dockerfile
+          tags: controlplane/simulator:${{ github.ref_name }}
+          load: true
+          push: false
+
+      - name: Run Trivy vulnerability scanner on simulator image
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: controlplane/simulator:${{ github.ref_name }}
+          format: 'table'
+          exit-code: '1'
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+          trivyignores: './.trivy-config/.trivyignore'
+
+      - name: Build and push dev image ## should use cache image from the previous step
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./dev.Dockerfile
+          tags: 'controlplane/simulator:dev'
+          load: false ## push and load cannot be set at the same time
+          push: true
+
+      - name: pull dev image
+        run: |
+          docker images ls
+          docker pull controlplane/simulator:dev
+          docker images ls
+
+      - name: Build and push simulator image ## should use cache image from the previous step
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Dockerfile
+          tags: |
+            controlplane/simulator:${{ github.ref_name }}
+            controlplane/simulator:latest
+          load: false
+          push: true
+
   goreleaser:
     runs-on: ubuntu-latest
+    name: goreleaser
+    needs: build-push-docker-images
     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with:
-          fetch-depth: 0 # Shallow clones should be disabled for a releaser
+          fetch-depth: 0
 
       - name: Setup Go
         uses: actions/setup-go@v4

diff --git a/.trivy-config/.trivyignore b/.trivy-config/.trivyignore
@@ -0,0 +1,24 @@
+## these following are not fixed in the upstream yet, so we are ignoring them for now
+# packer-plugin-amazon_v1.2.8_x5.0_linux_amd64 
+# registry.terraform.io/hashicorp/template/2.2.0/linux_amd64/terraform-provider-template_v2.2.0_x4
+CVE-2023-39325
+GHSA-m425-mq94-257g
+CVE-2022-26945
+CVE-2022-30321
+CVE-2022-30322
+CVE-2022-30323
+CVE-2019-19316
+CVE-2020-16845
+CVE-2021-29482
+CVE-2020-29652
+CVE-2020-7919
+CVE-2020-9283
+CVE-2021-43565
+CVE-2022-27191
+CVE-2019-9512
+CVE-2019-9514
+CVE-2021-33194
+CVE-2022-27664
+CVE-2022-41723
+CVE-2021-38561
+CVE-2022-32149
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 
 ## Table of Contents
 
+- [2.0.0](#200)
+
+## `2.0.0`
+
+- New scenarios format and API
+
 - [2.0.0-alpha1](#200-alpha1)
 
 ## `2.0.0-alpha1`

diff --git a/Dockerfile b/Dockerfile
@@ -4,5 +4,5 @@ COPY --chown=ubuntu:ubuntu packer packer
 COPY --chown=ubuntu:ubuntu terraform terraform
 COPY --chown=ubuntu:ubuntu ansible ansible
 
-RUN cd packer && packer init bastion.pkr.hcl && packer init k8s.pkr.hcl
-RUN cd terraform/workspaces/simulator && terraform init -backend=false
+RUN cd packer && packer init -upgrade bastion.pkr.hcl && packer init -upgrade k8s.pkr.hcl
+RUN cd terraform/workspaces/simulator && terraform init -upgrade -backend=false
diff --git a/dev.Dockerfile b/dev.Dockerfile
@@ -1,6 +1,6 @@
 ARG GOLANG_IMAGE=golang:1.21.5-alpine3.19@sha256:55f716237933c85cee01748700755b4ac8736fb1ca974c9aed051691b68d6dc2
 ARG GOLANGCI_LINT_IMAGE=golangci/golangci-lint:latest@sha256:fb70c9b2e6d0763141f057abcafde7f88d5e4bb3b5882d6b14bc79382f04481c
-ARG PACKER_IMAGE=hashicorp/packer:1.10@sha256:00dcbbc0e5a3346a9d8b7ea97d86d2e1deb5be4191e027499646242fdb1768b6
+ARG PACKER_IMAGE=hashicorp/packer:1.10@sha256:a10638519af09f5ecad52b6eb4eab489377e4e89f30ea46832f1f401a234d783
 ARG TERRAFORM_IMAGE=hashicorp/terraform:1.6@sha256:d593c353357a3db5a795c2ba0b998580cf12bad9125807bd877092c2e813279b
 ARG UBUNTU_IMAGE=ubuntu:mantic@sha256:8d093e0651575a6437cc4a3d561f892a345d263aeac6156ef378fe6a4ccabd4c