Feature/arm64 (#1)

.github/workflows/release.yml

@@ -8,21 +8,26 @@ jobs:
     name: Release
     runs-on: ubuntu-latest
     steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
     - name: Install Go
-      uses: actions/setup-go@v1
+      uses: actions/setup-go@v5
       with:
-        go-version: 1.19.x
-    - name: Checkout code
-      uses: actions/checkout@v2
+        go-version-file: './go.mod'
 
     - name: Get tag version
       id: get_version
       run: echo ::set-output name=VERSION::${GITHUB_REF/refs\/tags\//}
 
-    - name: Build Asset (linux)
+    - name: Build Asset (linux amd64)
       run: CGO_ENABLED=0 GOOS=linux   GOARCH=amd64 go build -ldflags="-X 'main.Version=${{ steps.get_version.outputs.VERSION }}'" -o bin/k8s-node-label-linux-amd64 ./cmd/k8s-node-label/...
-    - name: Build Asset (darwin)
+    - name: Build Asset (linux arm64)
+      run: CGO_ENABLED=0 GOOS=linux   GOARCH=arm64 go build -ldflags="-X 'main.Version=${{ steps.get_version.outputs.VERSION }}'" -o bin/k8s-node-label-linux-arm64 ./cmd/k8s-node-label/...
+    - name: Build Asset (darwin amd64)
       run: CGO_ENABLED=0 GOOS=darwin   GOARCH=amd64 go build -ldflags="-X 'main.Version=${{ steps.get_version.outputs.VERSION }}'" -o bin/k8s-node-label-darwin-amd64 ./cmd/k8s-node-label/...
+    - name: Build Asset (darwin arm64)
+      run: CGO_ENABLED=0 GOOS=darwin   GOARCH=arm64 go build -ldflags="-X 'main.Version=${{ steps.get_version.outputs.VERSION }}'" -o bin/k8s-node-label-darwin-arm64 ./cmd/k8s-node-label/...
 
     - name: Create Release
       id: create_release
@@ -38,7 +43,7 @@ jobs:
           Build also available as docker image:
           `daspawnw/k8s-node-label:${{ steps.get_version.outputs.VERSION }}`
 
-    - name: Upload Release Asset (linux)
+    - name: Upload Release Asset (linux amd64)
       uses: actions/upload-release-asset@v1
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -47,7 +52,7 @@ jobs:
         asset_path: bin/k8s-node-label-linux-amd64
         asset_name: k8s-node-label-linux-amd64
         asset_content_type: application/x-executable
-    - name: Upload Release Asset (darwin)
+    - name: Upload Release Asset (darwin amd64)
       uses: actions/upload-release-asset@v1
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -56,6 +61,24 @@ jobs:
         asset_path: bin/k8s-node-label-darwin-amd64
         asset_name: k8s-node-label-darwin-amd64
         asset_content_type: application/x-mach-binary
+    - name: Upload Release Asset (linux arm64)
+      uses: actions/upload-release-asset@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ steps.create_release.outputs.upload_url }}
+        asset_path: bin/k8s-node-label-linux-arm64
+        asset_name: k8s-node-label-linux-arm64
+        asset_content_type: application/x-executable
+    - name: Upload Release Asset (darwin arm64)
+      uses: actions/upload-release-asset@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ steps.create_release.outputs.upload_url }}
+        asset_path: bin/k8s-node-label-darwin-arm64
+        asset_name: k8s-node-label-darwin-arm64
+        asset_content_type: application/x-mach-binary
 
   docker:
     name: Docker Build
@@ -66,13 +89,16 @@ jobs:
     needs: release
 
     steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v3
 
       - name: Login to DockerHub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -83,8 +109,9 @@ jobs:
 
       - name: Build and push
         id: docker_build
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v5
         with:
+          platforms: linux/amd64,linux/arm64
           push: true
           tags: daspawnw/k8s-node-label:${{ steps.get_version.outputs.VERSION }}
 
@@ -108,7 +135,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
 #      # Install the cosign tool except on PR
 #      # https://github.com/sigstore/cosign-installer
@@ -118,20 +145,18 @@ jobs:
 #        with:
 #          cosign-release: 'v1.11.0'
 
-#      - name: Set up QEMU
-#        uses: docker/setup-qemu-action@v2
-#        with:
-#          platforms: 'arm64,arm'
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
 
       # Workaround: https://github.com/docker/build-push-action/issues/461
       - name: Setup Docker buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       # Login against a Docker registry except on PR
       # https://github.com/docker/login-action
       - name: Log into registry ${{ env.REGISTRY }}
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
@@ -149,13 +174,13 @@ jobs:
       # https://github.com/docker/build-push-action
       - name: Build and push Docker image
         id: build-and-push
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
         with:
           context: .
+          platforms: linux/amd64,linux/arm64
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-#          platforms: linux/amd64,linux/arm64
           cache-from: type=gha
           cache-to: type=gha,mode=max
           build-args: ${{ format('RELEASE_VERSION={0}', github.ref_name) }}
@@ -172,7 +197,7 @@ jobs:
           severity: 'MEDIUM,CRITICAL,HIGH'
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
         if: always()
         with:
           sarif_file: 'trivy-results.sarif'

.github/workflows/test.yml

@@ -4,61 +4,123 @@ jobs:
   test:
     strategy:
       matrix:
-        go-version: [1.19.x]
         platform: [ubuntu-latest, macos-latest]
     runs-on: ${{ matrix.platform }}
     steps:
+
+    - name: Checkout code
+      uses: actions/checkout@v4
+
     - name: Install Go
-      uses: actions/setup-go@v1
+      uses: actions/setup-go@v5
       with:
-        go-version: ${{ matrix.go-version }}
-    - name: Checkout code
-      uses: actions/checkout@v2
+        go-version-file: './go.mod'
     - name: Test
       run: go test ./...
 
-  sonarqube:
+  trivy-scan-fs:
+    name: Trivy - scan fs
     runs-on: ubuntu-latest
     steps:
-    - name: Install Go
-      uses: actions/setup-go@v1
-      with:
-        go-version: 1.19.x
-    - name: Checkout code
-      uses: actions/checkout@v2
-    - name: Calculate coverage
-      run: go test -coverprofile=coverage.out ./...
-    - name: SonarCloud Scan
-      uses: sonarsource/sonarcloud-github-action@master
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        SONAR_PROJECT_KEY: ${{ secrets.SONAR_PROJECT_KEY }}
-        SONAR_ORGANIZATION: ${{ secrets.SONAR_ORGANIZATION }}
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run Trivy vulnerability scanner in fs mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          severity: 'MEDIUM,CRITICAL,HIGH' #report all severities
+          exit-code: '1'
+          format: 'table'
 
   docker:
     name: Docker Build
 
     runs-on: ubuntu-latest
 
-    if: github.ref == 'refs/heads/master'
-    needs: test
+    if: github.ref == 'refs/heads/master' && github.repository == 'daspawnw/k8s-node-label'
+    needs:
+      - test
+      - trivy-scan-fs
 
     steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v3
 
       - name: Login to DockerHub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Build and push
         id: docker_build
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v5
         with:
           push: true
           tags: daspawnw/k8s-node-label:latest
+
+  docker-forks:
+    name: Docker Build (forks)
+    env:
+      REGISTRY: ghcr.io
+      IMAGE_NAME: ${{ github.repository }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    if: github.ref != 'daspawnw/k8s-node-label'
+    needs:
+      - test
+      - trivy-scan-fs
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: ${{ format('RELEASE_VERSION={0}', github.ref_name) }}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        if: ${{ github.event_name != 'pull_request' }}
+        with:
+          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
+          format: 'table'
+          ignore-unfixed: true
+          exit-code: 1
+          severity: 'MEDIUM,CRITICAL,HIGH'

Dockerfile

@@ -1,16 +1,18 @@
-FROM golang:1.18-alpine as builder
+FROM --platform=$BUILDPLATFORM golang:1.19-alpine as builder
 
+ARG TARGETOS
+ARG TARGETARCH
 ARG RELEASE_VERSION=development
 
 # Install our build tools
 RUN apk add --update git make bash ca-certificates
 
 WORKDIR /go/src/github.com/daspawnw/k8s-node-label
 COPY . ./
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="-X 'main.Version=${RELEASE_VERSION}'" -o bin/k8s-node-label-linux-amd64 ./cmd/k8s-node-label/...
+RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build -ldflags="-X 'main.Version=${RELEASE_VERSION}'" -o bin/k8s-node-label ./cmd/k8s-node-label/...
 
 FROM scratch
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-COPY --from=builder /go/src/github.com/daspawnw/k8s-node-label/bin/k8s-node-label-linux-amd64 /k8s-node-label
+COPY --from=builder /go/src/github.com/daspawnw/k8s-node-label/bin/k8s-node-label /k8s-node-label
 
 ENTRYPOINT ["/k8s-node-label"]

examples/deployment/manifest.yaml

@@ -89,7 +89,7 @@ spec:
     spec:
       serviceAccountName: k8s-node-label
       containers:
-        - image: daspawnw/k8s-node-label:v0.4
+        - image: daspawnw/k8s-node-label:v0.6
           name: k8s-node-label
           env:
             - name: AWS_REGION

go.mod

@@ -29,11 +29,11 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	golang.org/x/net v0.5.0 // indirect
+	golang.org/x/net v0.20.0 // indirect
 	golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f // indirect
-	golang.org/x/sys v0.4.0 // indirect
-	golang.org/x/term v0.4.0 // indirect
-	golang.org/x/text v0.6.0 // indirect
+	golang.org/x/sys v0.16.0 // indirect
+	golang.org/x/term v0.16.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.27.1 // indirect