From 34135d618c9b69f401e6c4a4e601c7ce38b18251 Mon Sep 17 00:00:00 2001
From: Jesse Kempf
Date: Mon, 29 Jan 2024 10:46:41 -0800
Subject: [PATCH] Get CI/CD working again by switching to standard VSCO workflow (VPS-11003)
---
 .github/workflows/dcdr.yml | 18 ++++
 .github/workflows/main.yml | 44 ----------
 .github/workflows/package.yml | 146 +++++++++++++++++++++++++++++++++
 .github/workflows/pipeline.yml | 24 ++++++
 Dockerfile.archlinux | 4 -
 script/install | 1 -
 6 files changed, 188 insertions(+), 49 deletions(-)
 create mode 100644 .github/workflows/dcdr.yml
 delete mode 100644 .github/workflows/main.yml
 create mode 100644 .github/workflows/package.yml
 create mode 100644 .github/workflows/pipeline.yml
 delete mode 100644 Dockerfile.archlinux
diff --git a/.github/workflows/dcdr.yml b/.github/workflows/dcdr.yml
new file mode 100644
index 0000000..ee6bd1c
--- /dev/null
+++ b/.github/workflows/dcdr.yml
@@ -0,0 +1,18 @@
+name: DCDR
+
+on:
+ pull_request:
+ branches:
+ - 'master'
+ push:
+ branches:
+ - 'master'
+
+jobs:
+ dcdr:
+ uses: ./.github/workflows/pipeline.yml
+ with:
+ APP_NAME: 'dcdr'
+ REGISTRY: 'docker.vsco.co'
+ IMAGE_NAME: 'dcdr'
+ secrets: inherit
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
deleted file mode 100644
index 25b334f..0000000
--- a/.github/workflows/main.yml
+++ /dev/null
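Review bot: The `pull_request` trigger combined with `secrets: inherit` means every PR against `master` runs the full publish path in pipeline.yml → package.yml, which (per this same patch) pushes the image with a `latest` tag and, for `dcdr` in `dev`, creates a git tag and a GitHub release using `contents: write`; nothing in the chain checks `github.event_name`. If PR builds are only meant to validate, drop the `pull_request` trigger here or add an `if: github.event_name == 'push'` guard on the publishing steps in package.yml. Note also that for pull requests from forks GitHub does not expose repository secrets, so the registry login in package.yml would presumably fail on those runs rather than be skipped.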
@@ -1,44 +0,0 @@
-name: Main Workflow
-
-on:
- push:
- branches: [master]
- pull_request:
- branches: [master]
-
-env:
- IMAGE_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
- # If you want your CI build to push images to a Docker repository, define these
- # for "Secrets" in your CI settings for the repository:
- # private registry to push to
- DOCKER_REGISTRY: ${{ secrets.VSCO_DOCKER_REGISTRY }}
- # username at the registry
- DOCKER_USERNAME: ${{ secrets.VSCO_DOCKER_REGISTRY_USERNAME }}
- # the registry password for DOCKER_USERNAME
- DOCKER_PASSWORD: ${{ secrets.VSCO_DOCKER_REGISTRY_PASSWORD }}
- # repo to push to
- DOCKER_REPO: ${{ secrets.DOCKER_REPO }}
-
-jobs:
- build:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- - uses: actions/setup-go@v2
- with:
- go-version: 1.14
- - name: Run tests
- run: script/test
- - name: Build dcdr
- run: script/build
- - name: Build and push Docker image
- uses: docker/build-push-action@v1
- with:
- registry: ${{ env.DOCKER_REGISTRY }}
- username: ${{ env.DOCKER_USERNAME }}
- password: ${{ env.DOCKER_PASSWORD }}
- repository: ${{ env.DOCKER_REPO }}
- dockerfile: Dockerfile.archlinux
- tag_with_ref: true
- tags: ${{ env.IMAGE_SHA }}
- push: true
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
new file mode 100644
index 0000000..f207c10
--- /dev/null
+++ b/.github/workflows/package.yml
@@ -0,0 +1,146 @@
+name: Package
+
+on:
+ workflow_call:
+ inputs:
+ REGISTRY:
+ required: true
+ type: string
+ IMAGE_NAME:
+ required: true
+ type: string
+ APP_NAME:
+ required: true
+ type: string
+ STAGE:
+ required: true
+ type: string
+
+permissions:
+ packages: write
+ contents: write
+ id-token: write
+
+jobs:
+ package:
+ name: Docker Package, CVE Scan and Push
+ runs-on: self-hosted
+ environment:
+ name: ${{ inputs.STAGE }}
+ concurrency:
+ group: ${{ inputs.STAGE }}-${{ inputs.APP_NAME }}
+ cancel-in-progress: true
+ steps:
+ - name: Enable Branch Features
+ env:
+ MAIN_BRANCH_FEATURES: ${{ github.ref_name == 'main' }}
+ run: |
+ if [[ ${MAIN_BRANCH_FEATURES} == true ]]; then
+ echo "prerelease_enabled=false" >> $GITHUB_ENV
+ else
+ echo "prerelease_enabled=true" >> $GITHUB_ENV
+ fi
+
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ ref: ${{ github.head_ref || github.ref_name }}
+
+ - name: Setup QEMU
+ uses: docker/setup-qemu-action@v2
+ with:
+ platforms: all
+
+ - name: Setup Docker Buildx
+ id: buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v2
+ with:
+ registry: ${{ inputs.REGISTRY }}
+ username: ${{ secrets.VSCO_DOCKER_REGISTRY_USERNAME }}
+ password: ${{ secrets.VSCO_DOCKER_REGISTRY_PASSWORD }}
+
+ - name: Generate Version
+ id: version
+ uses: anothrNick/github-tag-action@master
+ env:
+ GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+ WITH_V: 'false'
+ RELEASE_BRANCHES: 'main'
+ TAG_CONTEXT: 'repo'
+ DEFAULT_BUMP: 'patch'
+ DRY_RUN: 'true'
+ INITIAL_VERSION: '0.0.3'
+ PRERELEASE: ${{ env.prerelease_enabled }}
+ PRERELEASE_SUFFIX: 'rc'
+
+ - name: Extract metadata (tags, labels) for Docker
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ${{ inputs.REGISTRY }}/vsco/${{ inputs.IMAGE_NAME }}
+ tags: |
+ type=raw,value=${{ steps.version.outputs.new_tag }}
+ type=raw,value=latest
+
+ - name: Build & Publish Docker Image
+ id: build
+ uses: docker/build-push-action@v5
+ with:
+ push: true
+ builder: ${{ steps.buildx.outputs.name }}
+ platforms: linux/amd64
+ context: .
+ file: ./Dockerfile
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ cache-from: type=gha,scope=${{ inputs.STAGE }}
+ cache-to: type=gha,mode=max,scope=${{ inputs.STAGE }}
+
+ - name: Run Vulnerability Scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: "${{ inputs.REGISTRY }}/vsco/${{ inputs.IMAGE_NAME }}:${{ steps.version.outputs.new_tag }}"
+ format: table
+ exit-code: "0"
+ ignore-unfixed: true
+ vuln-type: os,library
+ severity: CRITICAL,HIGH
+ env:
+ TRIVY_USERNAME: ${{ secrets.VSCO_DOCKER_REGISTRY_USERNAME }}
+ TRIVY_PASSWORD: ${{ secrets.VSCO_DOCKER_REGISTRY_PASSWORD }}
+
+ - name: Create Tag
+ if: ${{ inputs.STAGE == 'dev' && inputs.APP_NAME == 'dcdr' }}
+ uses: anothrNick/github-tag-action@master
+ env:
+ GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+ WITH_V: 'false'
+ RELEASE_BRANCHES: 'main'
+ TAG_CONTEXT: 'repo'
+ DEFAULT_BUMP: 'patch'
+ DRY_RUN: 'false'
+ INITIAL_VERSION: '0.0.3'
+ PRERELEASE: ${{ env.prerelease_enabled }}
+ PRERELEASE_SUFFIX: 'rc'
+
+ - name: Create Release
+ if: ${{ inputs.STAGE == 'dev' && inputs.APP_NAME == 'dcdr' }}
+ uses: softprops/action-gh-release@v1
+ with:
+ draft: false
+ tag_name: ${{ steps.version.outputs.new_tag }}
+ prerelease: ${{ env.prerelease_enabled }}
+
+ - name: Delete Old Releases and Tags
+ if: ${{ github.ref_name == 'master' && inputs.STAGE == 'dev' && inputs.APP_NAME == 'dcdr' }}
+ uses: Nats-ji/delete-old-releases@v1
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ keep-count: 5
+ keep-old-minor-releases: false
+ include-prerelease: true
+ remove-tags: true
+ semver-loose: true
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
new file mode 100644
index 0000000..ecd28b6
--- /dev/null
+++ b/.github/workflows/pipeline.yml
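Review bot: The branch name is inconsistent inside this file: `MAIN_BRANCH_FEATURES: ${{ github.ref_name == 'main' }}` and both `RELEASE_BRANCHES: 'main'` settings name `main`, while the caller (dcdr.yml) triggers on `master` and the "Delete Old Releases and Tags" step checks `github.ref_name == 'master'`, so on the real default branch `prerelease_enabled` is always `true` and every generated tag and release is an `rc` prerelease; change the three `'main'` references to `'master'` (or derive the branch from `github.event.repository.default_branch`). The Trivy step runs after `push: true` with `exit-code: "0"`, so a CRITICAL finding is only printed after the image and its `latest` tag are already in the registry; if the scan is meant to gate, build with `load: true`, scan the local image, then push in a separate step, and set `exit-code: "1"`. Finally, `anothrNick/github-tag-action@master` and `aquasecurity/trivy-action@master` are mutable refs, and the tag action receives `GITHUB_TOKEN` under `contents: write` — pin them to a release tag or, preferably, a full commit SHA, and consider the same for `Nats-ji/delete-old-releases@v1`, which is given `remove-tags: true` with the same token.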
@@ -0,0 +1,24 @@
+name: Pipeline
+
+on:
+ workflow_call:
+ inputs:
+ REGISTRY:
+ required: true
+ type: string
+ IMAGE_NAME:
+ required: true
+ type: string
+ APP_NAME:
+ required: true
+ type: string
+
+jobs:
+ package:
+ uses: ./.github/workflows/package.yml
+ with:
+ REGISTRY: ${{ inputs.REGISTRY }}
+ IMAGE_NAME: ${{ inputs.IMAGE_NAME }}
+ APP_NAME: ${{ inputs.APP_NAME }}
+ STAGE: dev
+ secrets: inherit
diff --git a/Dockerfile.archlinux b/Dockerfile.archlinux
deleted file mode 100644
index d164a0a..0000000
--- a/Dockerfile.archlinux
+++ /dev/null
@@ -1,4 +0,0 @@
-FROM archlinux/base
-ADD ./bin/dcdr /usr/bin/dcdr
-ENTRYPOINT ["/usr/bin/dcdr"]
-
diff --git a/script/install b/script/install
index d61461e..893d655 100755
--- a/script/install
+++ b/script/install
@@ -1,6 +1,5 @@
 #!/bin/bash
 set -e
-./script/bootstrap
 ./script/test
 go install
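Review bot: `STAGE: dev` is hard-coded while package.yml declares `STAGE` as a required input that drives the `environment`, the build-cache scope, and the tag/release gating, so every caller of this pipeline deploys to `dev` and there is no way to select another stage; either expose `STAGE` as an input here with `default: dev`, or document the restriction with a comment such as `# STAGE is fixed to dev: package.yml only creates tags and releases for this stage`. The unused `APP_NAME` input is forwarded unchanged and is only meaningful because package.yml compares it to `'dcdr'`, which is worth a comment for the next caller.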