From 2622468ef687303666f4755e69b8d20393179184 Mon Sep 17 00:00:00 2001
From: Kamil Krzywicki
Date: Tue, 13 Feb 2024 16:24:52 +0100
Subject: [PATCH 01/10] arm support
---
 .github/workflows/push.yaml | 21 +++++++++++++++++----
 Dockerfile | 24 ++++++++++++++++++------
 2 files changed, 35 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml
index 263e86d..0e447dc 100644
--- a/.github/workflows/push.yaml
+++ b/.github/workflows/push.yaml
@@ -29,27 +29,40 @@ jobs:
 runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: actions/download-artifact@v3 - with: - name: bin - path: bin/ + + - name: Setup Docker buildx + uses: docker/setup-buildx-action@v3 + - name: Login to Quay.io uses: docker/login-action@v3 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} password: ${{ secrets.QUAY_PASSWORD }} + - id: meta + if: github.repository == 'uswitch/vault-creds' uses: docker/metadata-action@v4 with: images: quay.io/uswitch/vault-creds tags: | type=semver,pattern=v{{version}} type=sha,prefix=,format=long, + + - id: meta (forks) + if: github.repository != 'uswitch/vault-creds' + uses: docker/metadata-action@v4 + with: + images: ghcr.io/${{ github.repository }} + tags: | + type=semver,pattern=v{{version}} + type=sha,prefix=,format=long, + - uses: docker/build-push-action@v4 with: context: . labels: ${{ steps.meta.outputs.labels }} + platforms: linux/amd64,linux/arm64 push: true tags: ${{ steps.meta.outputs.tags }}
diff --git a/Dockerfile b/Dockerfile
index a157e4d..73b5515 100644
--- a/Dockerfile
+++ b/Dockerfile
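Review bot: Every action this hunk introduces is referenced by a floating major tag (`uses: docker/setup-buildx-action@v3`, `docker/metadata-action@v4`, `docker/build-push-action@v4`), so the job that holds the registry credentials will execute whatever those tags resolve to on the day it runs. Pinning each `uses:` to a full commit SHA with the version kept in a trailing comment, e.g. `uses: docker/setup-buildx-action@<commit-sha> # v3`, keeps this job's supply chain reproducible and reviewable. The same applies to the `docker/login-action@v3` steps added in the patch 05 hunk and to the consolidated login step in patch 09. The `steps:` list of this job continues outside the hunk.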
@@ -1,12 +1,24 @@
-FROM alpine:3 as base
+FROM --platform=$BUILDPLATFORM golang:1.20-alpine AS builder
-RUN apk add -U --no-cache ca-certificates
+ARG TARGETOS
+ARG TARGETARCH
-FROM scratch
+# Install our build tools
+RUN apk add --update ca-certificates
-COPY --chmod=755 bin/vaultcreds /vaultcreds
+WORKDIR /go/src/app
-COPY --from=base /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY . ./
+
+RUN GOOS=$TARGETOS GOARCH=$TARGETARCH CGO_ENABLED=0 go build -ldflags="$LDFLAGS" -o bin/vaultcreds cmd/main.go
+
+RUN echo "nonroot:x:1337:1337:nonroot:/nonroot:/usr/sbin/nologin" > /etc_passwd
+
+FROM --platform=$BUILDPLATFORM scratch
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=builder /go/src/app/bin/* /
+COPY --from=builder /etc_passwd /etc/passwd
+
+USER nonroot
 ENTRYPOINT ["/vaultcreds"]
-CMD []
From 9b56cb7e9c2120ce033b3bad4a820b9aefc2bd77 Mon Sep 17 00:00:00 2001
From: Kamil Krzywicki <12999736+camaeel@users.noreply.github.com>
Date: Tue, 13 Feb 2024 16:30:19 +0100
Subject: [PATCH 02/10] Update push.yaml
---
 .github/workflows/push.yaml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml
index 0e447dc..657653e 100644
--- a/.github/workflows/push.yaml
+++ b/.github/workflows/push.yaml
@@ -49,7 +49,7 @@ jobs:
 type=semver,pattern=v{{version}} type=sha,prefix=,format=long, - - id: meta (forks) + - id: meta-forks if: github.repository != 'uswitch/vault-creds' uses: docker/metadata-action@v4 with:
@@ -59,6 +59,7 @@ jobs:
 type=sha,prefix=,format=long, - uses: docker/build-push-action@v4 + if: github.repository == 'uswitch/vault-creds' with: context: . labels: ${{ steps.meta.outputs.labels }}
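Review bot: The runtime stage is declared as `FROM --platform=$BUILDPLATFORM scratch`, which ties the final image's platform to the build host instead of to the target being built; with `platforms: linux/amd64,linux/arm64` in the workflow, the arm64 variant is likely to be recorded with the build platform's OS/arch in its image config, and the multi-platform manifest may be mislabelled or rejected. `$BUILDPLATFORM` belongs only on the builder stage, where the cross-compile via `GOOS=$TARGETOS GOARCH=$TARGETARCH` already happens; the last stage should be plain `FROM scratch` so it defaults to the target platform. Separately, `golang:1.20-alpine` is referenced by tag only; pinning the builder by digest (`golang:1.20-alpine@sha256:<digest>`) would make the build reproducible. The `USER nonroot` / `/etc/passwd` arrangement is a good hardening step and worth a one-line comment stating that the image deliberately has no shell and runs unprivileged.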
@@ -66,3 +67,12 @@ jobs:
 push: true tags: ${{ steps.meta.outputs.tags }} + - uses: docker/build-push-action@v4 + if: github.repository != 'uswitch/vault-creds' + with: + context: . + labels: ${{ steps.meta-forks.outputs.labels }} + platforms: linux/amd64,linux/arm64 + push: true + tags: ${{ steps.meta-forks.outputs.tags }} +
From 155b30d3d8201d36bff8f053f5b7cd5fd2177f33 Mon Sep 17 00:00:00 2001
From: Kamil Krzywicki <12999736+camaeel@users.noreply.github.com>
Date: Tue, 13 Feb 2024 16:34:02 +0100
Subject: [PATCH 03/10] Update Dockerfile
---
 Dockerfile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Dockerfile b/Dockerfile
index 73b5515..3689480 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,6 +2,7 @@ FROM --platform=$BUILDPLATFORM golang:1.20-alpine AS builder
 ARG TARGETOS
 ARG TARGETARCH
+ARG LDFLAGS
 # Install our build tools
 RUN apk add --update ca-certificates
From bd3e4afe82eaf37fd6d24ac99176f4949ab1def0 Mon Sep 17 00:00:00 2001
From: Kamil Krzywicki <12999736+camaeel@users.noreply.github.com>
Date: Tue, 13 Feb 2024 16:37:44 +0100
Subject: [PATCH 04/10] Update push.yaml
---
 .github/workflows/push.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml
index 657653e..6fadb75 100644
--- a/.github/workflows/push.yaml
+++ b/.github/workflows/push.yaml
@@ -66,6 +66,7 @@ jobs:
 platforms: linux/amd64,linux/arm64 push: true tags: ${{ steps.meta.outputs.tags }} + build-args: LDFLAGS="-X main.SHA=${{ github.sha }}" - uses: docker/build-push-action@v4 if: github.repository != 'uswitch/vault-creds'
@@ -75,4 +76,5 @@ jobs:
 platforms: linux/amd64,linux/arm64 push: true tags: ${{ steps.meta-forks.outputs.tags }} + build-args: LDFLAGS="-X main.SHA=${{ github.sha }}"
From 83231c408a7332fcb572dd266ca534a26f7f6b5d Mon Sep 17 00:00:00 2001
From: Kamil Krzywicki
Date: Tue, 13 Feb 2024 16:42:57 +0100
Subject: [PATCH 05/10] fix
---
 .github/workflows/push.yaml | 27 ++++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml
index 6fadb75..55b3595 100644
--- a/.github/workflows/push.yaml
+++ b/.github/workflows/push.yaml
@@ -34,6 +34,7 @@ jobs:
 uses: docker/setup-buildx-action@v3 - name: Login to Quay.io + if: github.repository == 'uswitch/vault-creds' uses: docker/login-action@v3 with: registry: quay.io
@@ -49,15 +50,6 @@ jobs:
 type=semver,pattern=v{{version}} type=sha,prefix=,format=long, - - id: meta-forks - if: github.repository != 'uswitch/vault-creds' - uses: docker/metadata-action@v4 - with: - images: ghcr.io/${{ github.repository }} - tags: | - type=semver,pattern=v{{version}} - type=sha,prefix=,format=long, - - uses: docker/build-push-action@v4 if: github.repository == 'uswitch/vault-creds' with:
@@ -68,6 +60,23 @@ jobs:
 tags: ${{ steps.meta.outputs.tags }} build-args: LDFLAGS=-X main.SHA=${{ github.sha }} + - name: Log into registry ghcr.io + if: github.event_name != 'pull_request' + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - id: meta-forks + if: github.repository != 'uswitch/vault-creds' + uses: docker/metadata-action@v4 + with: + images: ghcr.io/${{ github.repository }} + tags: | + type=semver,pattern=v{{version}} + type=sha,prefix=,format=long, + - uses: docker/build-push-action@v4 if: github.repository != 'uswitch/vault-creds' with:
From d1f0f4a8d30587040c8a58a35b968c3f9c366acb Mon Sep 17 00:00:00 2001
From: Kamil Krzywicki <12999736+camaeel@users.noreply.github.com>
Date: Tue, 13 Feb 2024 16:54:45 +0100
Subject: [PATCH 06/10] Update push.yaml
---
 .github/workflows/push.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
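Review bot: The ghcr.io login added in the third hunk is gated on `if: github.event_name != 'pull_request'`, whereas the `meta-forks` step and the forks' `docker/build-push-action@v4` step that follow are gated only on `if: github.repository != 'uswitch/vault-creds'` and that push step carries `push: true`; on a pull_request event in a fork the push step therefore runs without a preceding login and fails at push time. Either give the push step the same event condition, `if: github.repository != 'uswitch/vault-creds' && github.event_name != 'pull_request'`, or make its `push:` value conditional on the event so PR runs only build. The forks' build-push step continues outside the hunk.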
diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml
index 55b3595..0c30af9 100644
--- a/.github/workflows/push.yaml
+++ b/.github/workflows/push.yaml
@@ -58,7 +58,7 @@ jobs:
 platforms: linux/amd64,linux/arm64 push: true tags: ${{ steps.meta.outputs.tags }} - build-args: LDFLAGS="-X main.SHA=${{ github.sha }}" + build-args: LDFLAGS=-X main.SHA=${{ github.sha }} - name: Log into registry ghcr.io if: github.event_name != 'pull_request'
@@ -85,5 +85,5 @@ jobs:
 platforms: linux/amd64,linux/arm64 push: true tags: ${{ steps.meta-forks.outputs.tags }} - build-args: LDFLAGS="-X main.SHA=${{ github.sha }}" + build-args: LDFLAGS=-X main.SHA=${{ github.sha }}
From fe0dafade74d8d17bf48d1bacaf04919fe913563 Mon Sep 17 00:00:00 2001
From: Kamil Krzywicki <12999736+camaeel@users.noreply.github.com>
Date: Tue, 13 Feb 2024 16:55:19 +0100
Subject: [PATCH 07/10] Update push.yaml
---
 .github/workflows/push.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml
index 0c30af9..29d6f15 100644
--- a/.github/workflows/push.yaml
+++ b/.github/workflows/push.yaml
@@ -24,7 +24,7 @@ jobs:
 name: bin path: bin/ docker-build-push: - if: github.ref_name == 'master' || startsWith(github.ref, 'refs/tags/v') + #if: github.ref_name == 'master' || startsWith(github.ref, 'refs/tags/v') needs: [test, build] runs-on: ubuntu-latest steps:
From 25a53de3768d7514f12b4e5adff83d54a6d45262 Mon Sep 17 00:00:00 2001
From: Kamil Krzywicki <12999736+camaeel@users.noreply.github.com>
Date: Tue, 13 Feb 2024 17:00:45 +0100
Subject: [PATCH 08/10] Update push.yaml
---
 .github/workflows/push.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml
index 29d6f15..db42a48 100644
--- a/.github/workflows/push.yaml
+++ b/.github/workflows/push.yaml
@@ -24,6 +24,9 @@ jobs:
 name: bin path: bin/ docker-build-push: + permissions: + contents: read + packages: write #if: github.ref_name == 'master' || startsWith(github.ref, 'refs/tags/v') needs: [test, build] runs-on: ubuntu-latest
From 7b477dc65ec9253cd8b3fdbc0c012ae5eee6d528 Mon Sep 17 00:00:00 2001
From: Kamil Krzywicki
Date: Wed, 14 Feb 2024 07:57:52 +0100
Subject: [PATCH 09/10] one pipelien for forks and main repo
---
 .github/workflows/push.yaml | 44 +++++++------------------------------
 1 file changed, 8 insertions(+), 36 deletions(-)
diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml
index db42a48..2c9b6d8 100644
--- a/.github/workflows/push.yaml
+++ b/.github/workflows/push.yaml
@@ -27,6 +27,9 @@ jobs:
 permissions: contents: read packages: write + env: + REGISTRY: "${{ github.repository == 'uswitch/vault-creds' && 'quay.io' || 'ghcr.io' }}" + IMAGE_NAME: "${{ github.repository == 'uswitch/vault-creds' && 'uswitch/vault-creds' || github.repository }}" #if: github.ref_name == 'master' || startsWith(github.ref, 'refs/tags/v') needs: [test, build] runs-on: ubuntu-latest
@@ -36,25 +39,22 @@ jobs:
 - name: Setup Docker buildx uses: docker/setup-buildx-action@v3 - - name: Login to Quay.io - if: github.repository == 'uswitch/vault-creds' + - name: Login to registry uses: docker/login-action@v3 with: - registry: quay.io - username: ${{ secrets.QUAY_USERNAME }} - password: ${{ secrets.QUAY_PASSWORD }} + registry: ${{ env.REGISTRY }} + username: ${{ env.REGISTRY == 'quay.io' && secrets.QUAY_USERNAME || github.actor }} + password: ${{ env.REGISTRY == 'quay.io' && secrets.QUAY_PASSWORD || secrets.GITHUB_TOKEN }} - id: meta - if: github.repository == 'uswitch/vault-creds' uses: docker/metadata-action@v4 with: - images: quay.io/uswitch/vault-creds + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: | type=semver,pattern=v{{version}} type=sha,prefix=,format=long, - uses: docker/build-push-action@v4 - if: github.repository == 'uswitch/vault-creds' with: context: . labels: ${{ steps.meta.outputs.labels }}
@@ -62,31 +62,3 @@ jobs:
 push: true tags: ${{ steps.meta.outputs.tags }} build-args: LDFLAGS=-X main.SHA=${{ github.sha }} - - - name: Log into registry ghcr.io - if: github.event_name != 'pull_request' - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - id: meta-forks - if: github.repository != 'uswitch/vault-creds' - uses: docker/metadata-action@v4 - with: - images: ghcr.io/${{ github.repository }} - tags: | - type=semver,pattern=v{{version}} - type=sha,prefix=,format=long, - - - uses: docker/build-push-action@v4 - if: github.repository != 'uswitch/vault-creds' - with: - context: . - labels: ${{ steps.meta-forks.outputs.labels }} - platforms: linux/amd64,linux/arm64 - push: true - tags: ${{ steps.meta-forks.outputs.tags }} - build-args: LDFLAGS=-X main.SHA=${{ github.sha }} -
From 21ae12fbcc68bbebbe3a53bad3048caef30996b8 Mon Sep 17 00:00:00 2001
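Review bot: The consolidated login step selects credentials with the `a && b || c` idiom, `username: ${{ env.REGISTRY == 'quay.io' && secrets.QUAY_USERNAME || github.actor }}` and the same shape for `password:`; in GitHub expressions an empty string is falsy, so if `QUAY_USERNAME` or `QUAY_PASSWORD` is unset in the main repository the expression silently falls back to `github.actor` / `secrets.GITHUB_TOKEN` and the quay.io login fails with a misleading authentication error instead of pointing at the missing secret. Keeping two `docker/login-action@v3` steps with explicit `if:` conditions, or adding a small preceding step that fails when `env.REGISTRY == 'quay.io'` and either Quay secret is empty, would surface the misconfiguration directly. The job's `permissions` and `env` blocks that this step depends on are outside this hunk.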
From: Kamil Krzywicki
Date: Wed, 14 Feb 2024 08:00:59 +0100
Subject: [PATCH 10/10] docker container will be build on every run, but pushed only on tags
---
 .github/workflows/push.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml
index 2c9b6d8..1b108e7 100644
--- a/.github/workflows/push.yaml
+++ b/.github/workflows/push.yaml
@@ -30,7 +30,6 @@ jobs:
 env: REGISTRY: "${{ github.repository == 'uswitch/vault-creds' && 'quay.io' || 'ghcr.io' }}" IMAGE_NAME: "${{ github.repository == 'uswitch/vault-creds' && 'uswitch/vault-creds' || github.repository }}" - #if: github.ref_name == 'master' || startsWith(github.ref, 'refs/tags/v') needs: [test, build] runs-on: ubuntu-latest steps:
@@ -59,6 +58,6 @@ jobs:
 context: . labels: ${{ steps.meta.outputs.labels }} platforms: linux/amd64,linux/arm64 - push: true + push: ${{ github.ref_name == 'master' || startsWith(github.ref, 'refs/tags/v') }} tags: ${{ steps.meta.outputs.tags }} build-args: LDFLAGS=-X main.SHA=${{ github.sha }}
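Review bot: With the job-level `if:` gone and `push:` now decided per run, the `Login to registry` step (outside this hunk, introduced in the patch 09 hunk) still runs unconditionally, so every push and pull_request run performs a registry login with `secrets.QUAY_PASSWORD` or `secrets.GITHUB_TOKEN` even when nothing will be pushed. Gating that step with the same expression, `if: github.ref_name == 'master' || startsWith(github.ref, 'refs/tags/v')`, keeps the credentials out of build-only runs while still exercising the build step on every run as the commit intends. Since the same expression now appears in two places, a short comment above `push:` saying that it must stay in sync with the login step's condition would help the next maintainer.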