release vulnerability scanner

.github/workflows/build-push.yml

@@ -1,9 +1,10 @@
 name: Build & push
-
 on:
   push:
-    branches: [ main, release ]
-
+    branches:
+    - main
+    - release
+  workflow_dispatch:
 permissions:
   id-token: write
   contents: read
@@ -15,89 +16,144 @@ jobs:
       fail-fast: false
       matrix:
         target:
-          - name: "dev"
-            ref: "refs/heads/main"
-            acr-name: "radixdev"
-            client-id: "9f25e2ad-13ef-4fd5-b661-ab97687d548a"
-            subscription-id: "16ede44b-1f74-40a5-b428-46cca9a5741b"
-
-          - name: "playground"
-            ref: "refs/heads/release"
-            acr-name: "radixdev"
-            client-id: "e0b5929a-ebe5-4a35-927c-97184cbed120"
-            subscription-id: "16ede44b-1f74-40a5-b428-46cca9a5741b"
-
-          - name: "platform"
-            ref: "refs/heads/release"
-            acr-name: "radixprod"
-            client-id: "1a7cba57-f0e4-48af-8520-3c98349d6465"
-            subscription-id: "ded7ca41-37c8-4085-862f-b11d21ab341a"
-
-          - name: "c2"
-            ref: "refs/heads/release"
-            acr-name: "radixc2prod"
-            client-id: "5d1aca8b-7b54-4a4d-b8ee-754b842e9fbe"
-            subscription-id: "ded7ca41-37c8-4085-862f-b11d21ab341a"
+        - name: "dev"
+          ref: "refs/heads/master"
+          acr-name: "radixdev"
+          client-id: "2bfe6984-f5e3-4d09-a0b2-4dd96de3f21e"
+          subscription-id: "16ede44b-1f74-40a5-b428-46cca9a5741b"
+
+        - name: "playground"
+          ref: "refs/heads/release"
+          acr-name: "radixplayground"
+          client-id: "7c000a42-1edb-4491-a241-4ac77bf7dd6d"
+          subscription-id: "16ede44b-1f74-40a5-b428-46cca9a5741b"
+
+        - name: "platform"
+          ref: "refs/heads/release"
+          acr-name: "radixprod"
+          client-id: "044f760d-aabb-4d29-a879-e774f16e3bcc"
+          subscription-id: "ded7ca41-37c8-4085-862f-b11d21ab341a"
+
+        - name: "c2"
+          ref: "refs/heads/release"
+          acr-name: "radixc2prod"
+          client-id: "581bb747-7b9f-4e80-a843-249eafb0a5fa"
+          subscription-id: "ded7ca41-37c8-4085-862f-b11d21ab341a"
 
     steps:
-      - uses: actions/checkout@v4
-        if: matrix.target.ref == github.ref
-
-      - uses: azure/login@v2
-        if: matrix.target.ref == github.ref
-        with:
-          client-id: ${{matrix.target.client-id}}
-          tenant-id: "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
-          subscription-id: ${{matrix.target.subscription-id}}
-
-      - name: Get GitHub Public IP
-        if: matrix.target.ref == github.ref
-        id: github_public_ip
-        run: echo "ipv4=$(curl 'https://ifconfig.me/ip')" >> $GITHUB_OUTPUT
-
-      - name: Add GitHub IP to ACR
-        if: matrix.target.ref == github.ref
-        id: update_firewall
-        run: az acr network-rule add
-          --name ${{matrix.target.acr-name}}
-          --subscription ${{matrix.target.subscription-id}}
-          --ip-address ${{ steps.github_public_ip.outputs.ipv4 }}
-
-      - name: Generate image tag
-        if: matrix.target.ref == github.ref
-        id: tag
-        run: |
-          sha=${GITHUB_SHA::8}
-          ts=$(date +%s)
-          echo "tag=${GITHUB_REF_NAME}-${sha}-${ts}" >> $GITHUB_OUTPUT
-
-      - name: Build image
-        if: matrix.target.ref == github.ref
-        env:
-          AZURE_SUBSCRIPTION_ID: ${{matrix.target.subscription-id}}
-          ACR_NAME: ${{matrix.target.acr-name}}
-          IMAGE_NAME: radix-vulnerability-scanner
-          TAG: ${{steps.tag.outputs.tag}}
-        run: |
-          az acr task run \
-             --subscription ${AZURE_SUBSCRIPTION_ID} \
-             --name radix-image-builder-internal \
-             --registry ${ACR_NAME} \
-             --context ${GITHUB_WORKSPACE} \
-             --file ${GITHUB_WORKSPACE}/Dockerfile \
-             --set DOCKER_REGISTRY=${ACR_NAME} \
-             --set BRANCH=${GITHUB_REF_NAME} \
-             --set TAGS="--tag ${ACR_NAME}.azurecr.io/${IMAGE_NAME}:${TAG}" \
-             --set DOCKER_FILE_NAME=Dockerfile \
-             --set PUSH="--push" \
-             --set REPOSITORY_NAME=${IMAGE_NAME} \
-             --set CACHE="" \
-             --set CACHE_TO_OPTIONS="--cache-to=type=registry,ref=${ACR_NAME}.azurecr.io/${IMAGE_NAME}:radix-cache-${GITHUB_REF_NAME},mode=max"
-
-
-      - name: Revoke GitHub IP on ACR
-        if: ${{ steps.update_firewall.outcome == 'success' && !cancelled()}} # Always run this step even if previous step failed
-        run: az acr network-rule remove
-          --name ${{matrix.target.acr-name}}
-          --subscription ${{matrix.target.subscription-id}}
-          --ip-address ${{ steps.github_public_ip.outputs.ipv4 }}
+    - uses: actions/checkout@v4
+      if: matrix.target.ref == github.ref
+
+    - uses: azure/login@v2
+      if: matrix.target.ref == github.ref
+      with:
+        client-id: ${{matrix.target.client-id}}
+        tenant-id: "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
+        subscription-id: ${{matrix.target.subscription-id}}
+
+    - name: Get GitHub Public IP
+      if: matrix.target.ref == github.ref
+      id: github_public_ip
+      run: echo "ipv4=$(curl 'https://ifconfig.me/ip')" >> $GITHUB_OUTPUT
+
+    - name: Add GitHub IP to ACR
+      if: matrix.target.ref == github.ref
+      id: update_firewall
+      run: az acr network-rule add
+        --name ${{matrix.target.acr-name}}
+        --subscription ${{matrix.target.subscription-id}}
+        --ip-address ${{ steps.github_public_ip.outputs.ipv4 }}
+
+    - name: Wait for 2 minutes while the network rule to take effect
+      if: matrix.target.ref == github.ref
+      run: |
+        sleep 120
+
+    - name: Wait for Specific IP in ACR Network Rules
+      if: matrix.target.ref == github.ref
+      run: |
+        MAX_ATTEMPTS=10
+        ATTEMPT=0
+        TARGET_IP="${{ steps.github_public_ip.outputs.ipv4 }}"
+        echo "Waiting for IP $TARGET_IP to be allowed in ACR network rules..."
+        while [ $ATTEMPT -lt $MAX_ATTEMPTS ]; do
+          NETWORK_RULES=$(az acr network-rule list --name ${{matrix.target.acr-name}} --subscription ${{ matrix.target.subscription-id }}   --query "ipRules[]|[?contains(ipAddressOrRange, '$TARGET_IP')]"  --output tsv)
+          if [ -n "$NETWORK_RULES" ]; then
+            echo "IP $TARGET_IP is allowed."
+            break
+          fi
+          echo "Attempt $((ATTEMPT+1)) of $MAX_ATTEMPTS. Retrying in 10 seconds..."
+          ATTEMPT=$((ATTEMPT+1))
+          sleep 10
+        done
+        if [ $ATTEMPT -eq $MAX_ATTEMPTS ]; then
+          echo "IP $TARGET_IP was not allowed after $MAX_ATTEMPTS attempts. Exiting."
+          exit 1
+        fi
+
+    - name: Get ACR Login Server
+      if: matrix.target.ref == github.ref
+      id: get-acr-login-server
+      run: |
+        echo "login_server=$(az acr show --name ${{ matrix.target.acr-name }} --query loginServer --output tsv)" >> $GITHUB_OUTPUT
+
+    - name: Get ACR Access Token
+      if: matrix.target.ref == github.ref
+      id: get-acr-token
+      run: |
+        echo "Getting ACR access token"
+        access_token=$(az acr login --name ${{ matrix.target.acr-name }} --expose-token --output tsv --query accessToken)
+        echo "::add-mask::$access_token"
+        echo "access_token=$access_token" >> $GITHUB_OUTPUT
+
+    - name: Log in to ACR
+      if: matrix.target.ref == github.ref
+      uses: docker/login-action@v3
+      with:
+        registry: ${{ steps.get-acr-login-server.outputs.login_server }}
+        username: "00000000-0000-0000-0000-000000000000"
+        password: ${{ steps.get-acr-token.outputs.access_token }}
+
+    - name: Set up Docker Buildx
+      if: matrix.target.ref == github.ref
+      uses: docker/setup-buildx-action@v3
+
+    - name: Build an image name
+      if: matrix.target.ref == github.ref
+      id: build-image-name
+      run: |
+        echo "image-name=${{ matrix.target.acr-name }}.azurecr.io/radix-vulnerability-scanner" >> $GITHUB_OUTPUT
+
+    - name: Build an image tag
+      if: matrix.target.ref == github.ref
+      id: build-tag
+      run: |
+        sha=${GITHUB_SHA::8}
+        ts=$(date +%s)
+        echo "tag=${GITHUB_REF_NAME}-${sha}-${ts}" >> $GITHUB_OUTPUT
+
+    - name: Extract labels from metadata for Docker
+      if: matrix.target.ref == github.ref
+      id: meta
+      uses: docker/metadata-action@v5
+      with:
+        images: ${{ steps.build-image-name.outputs.image-name }}
+
+    - name: Build and push Docker image
+      if: matrix.target.ref == github.ref
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        push: true
+        platforms: |
+          linux/amd64
+          linux/arm64
+        tags: "${{ steps.build-image-name.outputs.image-name }}:${{ steps.build-tag.outputs.tag }}"
+        labels: ${{ steps.meta.outputs.labels }}
+
+    - name: Revoke GitHub IP on ACR
+      if: ${{ matrix.target.ref == github.ref && steps.update_firewall.outcome == 'success' && !cancelled()}} # Always run this step even if previous step failed
+      run: az acr network-rule remove
+        --name ${{matrix.target.acr-name}}
+        --subscription ${{matrix.target.subscription-id}}
+        --ip-address ${{ steps.github_public_ip.outputs.ipv4 }}

.github/workflows/deploy-database.yml

@@ -56,39 +56,39 @@ jobs:
           tenant-id: "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
           allow-no-subscriptions: true
 
-      - uses: azure/sql-action@v2.2.1
+      - uses: azure/sql-action@v2.3
         if: matrix.target.ref == github.ref
         with:
           connection-string: ${{env.connection}}
           path: './azure-infrastructure/sql-scripts/predeploy.sql'
 
-      - uses: azure/sql-action@v2.2.1
+      - uses: azure/sql-action@v2.3
         if: matrix.target.ref == github.ref
         with:
           connection-string: ${{env.connection}}
           path: './azure-infrastructure/sql-scripts/roles.sql'
           arguments: '--variables RADIX_ZONE=${{matrix.target.name}}'
 
 
-      - uses: azure/sql-action@v2.2.1
+      - uses: azure/sql-action@v2.3
         if: matrix.target.ref == github.ref
         with:
           connection-string: ${{env.connection}}
           path: './azure-infrastructure/sql-scripts/types.sql'
 
-      - uses: azure/sql-action@v2.2.1
+      - uses: azure/sql-action@v2.3
         if: matrix.target.ref == github.ref
         with:
           connection-string: ${{env.connection}}
           path: './azure-infrastructure/sql-scripts/tables.sql'
 
-      - uses: azure/sql-action@v2.2.1
+      - uses: azure/sql-action@v2.3
         if: matrix.target.ref == github.ref
         with:
           connection-string: ${{env.connection}}
           path: './azure-infrastructure/sql-scripts/views.sql'
 
-      - uses: azure/sql-action@v2.2.1
+      - uses: azure/sql-action@v2.3
         if: matrix.target.ref == github.ref
         with:
           connection-string: ${{env.connection}}

.github/workflows/pr.yml

@@ -1,47 +1,49 @@
-name: Pull request
+name: radix-acr-cleanup-pr
 on:
   pull_request:
     branches:
     - main
-
 jobs:
   build:
-    name: Build
+    name: pull-request-check
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
-    - name: Build docker image
-      env:
-        REF: ${{ github. sha }}
-      run: make build
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+    - name: Build Docker image
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        push: false
+        platforms: |
+          linux/amd64
+          linux/arm64
 
-  lint:
-    name: Lint
+  test:
+    name: Unit Test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 2
-      - uses: actions/setup-go@v5
-        with:
-          go-version-file: 'go.mod'
-      - name: Install dependencies
-        run: go mod download
-      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
-        with:
-          version: v1.59.1
-          args: --timeout=30m --max-same-issues=0
+    - uses: actions/checkout@v4
+    - uses: actions/setup-go@v5
+      with:
+        go-version-file: 'go.mod'
+    - name: Install dependencies
+      run: go mod download
+    - name: Run Tests
+      run: go test -cover `go list ./...`
 
-  test:
-    name: Unit Test
+  lint:
+    name: Lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
-        with:
-          go-version-file: 'go.mod'
-      - name: Install dependencies
-        run: go mod download
-      - name: Run Tests
-        run: go test -cover `go list ./... | grep -v 'pkg/client'`
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 2
+    - uses: actions/setup-go@v5
+      with:
+        go-version-file: 'go.mod'
+    - name: golangci-lint
+      uses: golangci/golangci-lint-action@v6
+      with:
+        version: v1.58.2

.gitignore

@@ -18,4 +18,5 @@
 
 __debug_bin
 
-.vscode/*.log
+.vscode/*.log
+.idea