feat: harden image using apko and wolfi #550
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| push: | |
| branches: | |
| - main | |
| jobs: | |
| test-unit: | |
| runs-on: ubuntu-latest | |
| container: | |
| image: golang:1.22.5-bookworm | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - uses: actions/cache@v4 | |
| with: | |
| path: /go/pkg/mod | |
| key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
| restore-keys: | | |
| ${{ runner.os }}-go- | |
| - name: Run unit tests | |
| env: | |
| TEST_GIT_CLIENT_WITH_AUTH: true | |
| run: make test-unit | |
| - name: Upload coverage reports | |
| uses: codecov/codecov-action@v4 | |
| with: | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| lint: | |
| runs-on: ubuntu-latest | |
| container: | |
| image: golang:1.22.5-bookworm | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - uses: actions/cache@v4 | |
| with: | |
| path: /go/pkg/mod | |
| key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
| restore-keys: | | |
| ${{ runner.os }}-go- | |
| - name: golangci-lint | |
| uses: golangci/golangci-lint-action@v6 | |
| env: | |
| GOFLAGS: -buildvcs=false | |
| with: | |
| version: v1.57.2 | |
| build-image: | |
| needs: [test-unit, lint] | |
| runs-on: ubuntu-latest | |
| services: | |
| registry: | |
| image: registry:2 | |
| ports: | |
| - 5000:5000 | |
| steps: | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| with: | |
| driver-opts: network=host | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Build base image | |
| run: | | |
| make build-base-image | |
| docker tag kargo-render-base:latest-arm64 localhost:5000/kargo-render-base:latest-arm64 | |
| docker push localhost:5000/kargo-render-base:latest-arm64 | |
| docker tag kargo-render-base:latest-amd64 localhost:5000/kargo-render-base:latest-amd64 | |
| docker push localhost:5000/kargo-render-base:latest-amd64 | |
| - name: Build final image | |
| uses: docker/build-push-action@v6 | |
| with: | |
| build-args: | | |
| BASE_IMAGE=localhost:5000/kargo-render-base | |
| platforms: linux/amd64,linux/arm64 | |
| push: false | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max |