Minor improvements (#55)
* update bake-file
- use head_ref instead of base_ref
- don't cache-to if actor is nektos/act
- replace `/` with `-` in ref_name

* update ci:
- validate tags of all targets
- split test and generate-jobs
- re-add PR compare step

* update mega-linter config:
- enable "VALIDATE_ALL_CODEBASE" for local scanning

* small readme update

* update Dockerfile:
- re-order images/copy-jobs

* another try for PR validation

* use tee to write to stdout and github output

* comparing images in a PR seems to need too much RAM

* shrink PR-compare step to only the runners arch

* fix arch

* replace slashes with dashes when validating tags
mauwii authored Oct 7, 2023
1 parent dfbdaf5 commit c21efe2
Showing 5 changed files with 105 additions and 84 deletions.
128 changes: 72 additions & 56 deletions .github/workflows/ci.yml
Expand Up @@ -5,6 +5,7 @@ name: ci

on:
push:
branches: [main]
paths:
- '**/Dockerfile'
- '**/.github/workflows/ci.yml'
Expand All @@ -25,11 +26,8 @@ env:
jobs:
test:
runs-on: ubuntu-latest
outputs:
targets: ${{ steps.matrix.outputs.targets }}
steps:
- name: Checkout code
# kics-scan ignore-line
uses: actions/[email protected]

- name: Setup Docker Buildx
Expand All @@ -39,34 +37,48 @@ jobs:
# get docker binary path to use it with env -i
- name: Get the docker binary path
id: docker-binary-path
run: echo "DOCKER_BINARY_PATH=$(which docker)" >> "$GITHUB_OUTPUT"
run: echo "docker-bin=$(which docker)" | tee "${GITHUB_OUTPUT}"

- name: Print the bake file with a empty env
id: bake-file-no-env
run: env -i ${{ steps.docker-binary-path.outputs.DOCKER_BINARY_PATH }} buildx bake --print
run: env -i ${{ steps.docker-binary-path.outputs.docker-bin }} buildx bake --print

- name: Verify the tag ends on -local
- name: Verify the tags end on -local
run: |
BAKE_TAG="$(env -i ${{ steps.docker-binary-path.outputs.DOCKER_BINARY_PATH }} buildx bake --print | jq -r '[.target[].tags[]][0]')"
[[ "${BAKE_TAG}" == *"-local" ]] || exit 1
while IFS='' read -r container_tag; do
printf "Container tag: %s\n" "${container_tag}"
[[ "${container_tag}" == *"-local" ]] || exit 1
done < <(env -i ${{ steps.docker-binary-path.outputs.docker-bin }} buildx bake --print | jq -r '.target[].tags[0]')
- name: Print the bake file with the runner env
run: docker buildx bake --print

- name: Validate tag ends on -${{ github.base_ref || github.ref_name }}
- name: Verify the tags are valid
run: |
BAKE_TAG="$(docker buildx bake --print | jq -r '[.target[].tags[]][0]')"
[[ "${BAKE_TAG}" == *"-${{ github.base_ref || github.ref_name}}" ]] || exit 1
while IFS='' read -r container_tag; do
printf "Container tag: %s\n" "${container_tag}"
[[ "${container_tag}" == *"-${REF//\//-}" ]] || exit 1
done < <(docker buildx bake --print | jq -r '.target[].tags[0]')
env:
REF: ${{ github.head_ref || github.ref_name}}

- name: Create matrix
id: matrix
run: printf "targets=%s\n" "$(docker buildx bake --print | jq -r '"\(.target | keys)"')" >>"${GITHUB_OUTPUT}"
generate-jobs:
needs: [test]
runs-on: ubuntu-latest
outputs:
targets: ${{ steps.targets.outputs.matrix }}
# platforms: ${{ steps.platforms.outputs.matrix }}
steps:
- name: Checkout code
uses: actions/[email protected]

- name: Show matrix
run: "echo '${{ steps.matrix.outputs.targets }}' | jq"
- name: Generate targets matrix
id: targets
run: |
printf "matrix=%s\n" "$(docker buildx bake --print | jq -r '"\(.target | keys)"')" | tee "${GITHUB_OUTPUT}"
build:
needs: test
needs: [generate-jobs]
runs-on: ubuntu-latest
permissions:
contents: read
Expand All @@ -75,25 +87,20 @@ jobs:
security-events: write
strategy:
matrix:
targets: ${{ fromJson(needs.test.outputs.targets) }}
targets: ${{ fromJson(needs.generate-jobs.outputs.targets) }}
steps:
- name: Checkout code
# kics-scan ignore-line
uses: actions/[email protected]

- name: Setup QEMU
# kics-scan ignore-line
uses: docker/[email protected]
# with:
# image: 'tonistiigi/binfmt:buildkit-latest'

- name: Setup Docker Buildx
# kics-scan ignore-line
uses: docker/[email protected]
# with:
# driver-opts: |
# image=moby/buildkit:latest
# # driver: ${{ github.event_name == 'pull_request' && 'docker' || 'docker-container' }}
with:
driver: ${{ github.event_name == 'pull_request' && 'docker' || 'docker-container' }}

# Login against a container registry
# https://github.com/docker/login-action
Expand All @@ -114,6 +121,15 @@ jobs:
deleteDotnet: 'true'
deleteAndroid: 'true'

- name: Get meta data
id: meta
run: |
{
printf "arch=linux/%s\n" "$(docker run --rm --quiet ubuntu:22.04 dpkg --print-architecture)";
printf "tag=%s\n" "$(docker buildx bake ${{ matrix.targets }} --print | jq -r '.target[].tags[0]')";
printf "main_tag=%s\n" "$(REF_NAME=main docker buildx bake ${{ matrix.targets }} --print | jq -r '.target[].tags[0]')";
} | tee "${GITHUB_OUTPUT}"
# Bake the image
# kics-scan ignore-line
- uses: docker/[email protected]
Expand All @@ -122,51 +138,51 @@ jobs:
with:
files: docker-bake.hcl
targets: ${{ matrix.targets }}
sbom: true
provenance: true
sbom: ${{ github.event_name != 'pull_request' }}
provenance: ${{ github.event_name != 'pull_request' }}
set: |
${{ github.event_name == 'pull_request' && '*.cache-to=' || '' }}
${{ github.event_name == 'pull_request' && format('*.platform={0}', steps.meta.outputs.arch) || '' }}
push: ${{ github.event_name != 'pull_request' && github.actor != 'nektos/act' }}
load: ${{ github.event_name == 'pull_request' }}

- name: Get the image tag
id: meta
run: |
printf "tag=%s\n" "$(docker buildx bake ${{ matrix.targets }} --print | jq -r '[.target[].tags[]][0]')" >> "$GITHUB_OUTPUT"
- name: Analyze for critical and high CVEs
# vulnerability scan the image
# kics-scan ignore-line
- uses: docker/[email protected]
name: Analyze for critical and high CVEs
id: docker-scout-cves
if: ${{ github.event_name != 'pull_request' && github.actor != 'nektos/act' }}
# kics-scan ignore-line
uses: docker/[email protected]
with:
command: cves
image: ${{ steps.meta.outputs.tag }}
sarif-file: sarif.output.json
summary: false

- name: Upload SARIF result
# upload the results as a SARIF file to gh security tab
# kics-scan ignore-line
- uses: github/codeql-action/[email protected]
name: Upload SARIF result
id: upload-sarif
if: ${{ github.event_name != 'pull_request' && github.actor != 'nektos/act' }}
# kics-scan ignore-line
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: sarif.output.json

# # vulnerability scanning to verify PRs
# - name: Docker Scout
# id: docker-scout
# uses: docker/[email protected]
# if: github.event_name == 'pull_request'
# with:
# platform: ${{ matrix.platforms }}
# command: quickview
# image: ${{ env.FROM_IMAGE_PATH }}
# type: archive
# to: ${{ env.TO_TAG }}
# ignore-unchanged: true
# only-severities: critical
# write-comment: ${{ github.actor != 'nektos/act' }}
# summary: ${{ github.actor != 'nektos/act' }}
# github-token: ${{ secrets.GITHUB_TOKEN }}
# organization: ${{ vars.DOCKERHUB_USERNAME || github.repository_owner }}
# vulnerability scanning to verify PRs
# kics-scan ignore-line
- uses: docker/scout-action@64ca6fb5e6ada64f5febd1a991b499900b29faf0
name: Docker Scout compare
id: pr-quickview
if: ${{ github.event_name == 'pull_request' && steps.meta.outputs.tag != steps.meta.outputs.main_tag && vars.DOCKERHUB_USERNAME != '' }}
with:
command: compare
platform: ${{ steps.meta.outputs.arch }}
image: ${{ steps.meta.outputs.tag }}
to: ${{ steps.meta.outputs.main_tag }}
ignore-unchanged: true
only-fixed: true
only-severities: critical,high
write-comment: ${{ github.actor != 'nektos/act' }}
summary: ${{ github.actor != 'nektos/act' }}
github-token: ${{ secrets.GITHUB_TOKEN }}

approve-pr:
name: Approve PR
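Review bot: The SARIF upload step is now the only action on a floating tag (`uses: github/codeql-action/upload-sarif@v2`) while the `docker/scout-action@64ca6fb…` step right after it is commit-pinned, and the build job holds `security-events: write` and logs in to a container registry, so pin it the same way, `uses: github/codeql-action/upload-sarif@<commit-sha> # v2.x.y`, after which the `kics-scan ignore-line` above it can probably be dropped. In the new `Get meta data` step `${{ matrix.targets }}` is interpolated straight into the shell on both `docker buildx bake` lines; the value is a target name read out of the checked-out `docker-bake.hcl`, which on `pull_request` is the PR's own content, so pass it through `env:` the way `REF` already is (`env:` / `TARGET: ${{ matrix.targets }}` and `docker buildx bake "${TARGET}" --print`). Buildx appears to restrict bake target names to `[A-Za-z0-9_-]`, so this is hygiene rather than a demonstrated injection. The `approve-pr` job continues past the last hunk.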
4 changes: 3 additions & 1 deletion .mega-linter.yml
@@ -1,14 +1,16 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/oxsecurity/megalinter/main/megalinter/descriptors/schemas/megalinter-configuration.jsonschema.json

# Configuration file for MegaLinter
# See all available variables at https://megalinter.io/latest/config-file/ and in linters documentation

APPLY_FIXES: 'all' # all, none, or list of linter keys
CLEAR_REPORT_FOLDER: true
DISABLE_LINTERS:
- REPOSITORY_SEMGREP # doesn't work for me currently
FILEIO_REPORTER: false
# FILTER_REGEX_EXCLUDE: '(megalinter-reports)'
IGNORE_GITIGNORED_FILES: true
SHOW_ELAPSED_TIME: true
SPELL_LYCHEE_FILTER_REGEX_EXCLUDE: '(\.github/workflows|\.mega-linter\.yml)'
YAML_V8R_FILTER_REGEX_EXCLUDE: '(\.prettierrc\.yaml)'
VALIDATE_ALL_CODEBASE: true
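Review bot: `VALIDATE_ALL_CODEBASE: true` in the checked-in config applies to every MegaLinter run, not only the local scan the commit message describes, so any CI invocation will lint the whole repository on each event instead of the changed files, and together with `APPLY_FIXES: 'all'` it widens what a fix-applying run may rewrite. If local-only is the intent, set it on the local invocation instead (`-e VALIDATE_ALL_CODEBASE=true` on the runner/docker command) and keep the repository default unset, or add a comment on the line saying full-codebase scans in CI are deliberate. Whether a MegaLinter CI workflow exists in this repository is not visible here.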
13 changes: 8 additions & 5 deletions README.md
Expand Up @@ -41,8 +41,8 @@ The easiest way is to add those lines in your `~/.actrc`:
-P ubuntu-20.04=mauwii/ubuntu-act:20.04
```

For further information about [nektos/act][nektosActRepo] and how to use it, take a 👀 at the [nektos
documentation📖][nektosDocs]
For further information about [nektos/act][nektosActRepo] and how to use it, take a 👀 at the
[nektos documentation📖][nektosDocs]

## How I run act on my M2-Max 💻

Expand Down Expand Up @@ -111,9 +111,12 @@ documentation📖][nektosDocs]
## docker-bake file

As always, there are different options to build the images locally. I added `docker-bake.hcl` which
helps with orchestrating builds and needs buildx to be available, which comes out of the box with
docker desktop. Bake Files are still considered experimental, and your results may be totally
different depending on your local docker configuration.
helps with orchestrating builds but needs buildx to be available on the host (it comes out of the
box with docker desktop).

> [!WARNING]
> Bake Files are still considered experimental, and your results may be totally different depending
> on your local docker configuration.
- using the `local` tag:

8 changes: 4 additions & 4 deletions docker-bake.hcl
Expand Up @@ -19,14 +19,14 @@ variable "GITHUB_SHA" {
}

variable "REF_NAME" {
default = and(notequal(GITHUB_BASE_REF, null), notequal(GITHUB_BASE_REF, "")) ? "${GITHUB_BASE_REF}" : and(notequal(GITHUB_REF_NAME, null), notequal(GITHUB_REF_NAME, "")) ? "${GITHUB_REF_NAME}" : "local"
default = and(notequal(GITHUB_HEAD_REF, null), notequal(GITHUB_HEAD_REF, "")) ? "${GITHUB_HEAD_REF}" : and(notequal(GITHUB_REF_NAME, null), notequal(GITHUB_REF_NAME, "")) ? "${GITHUB_REF_NAME}" : "local"
}

variable "GITHUB_REF_NAME" {
default = null
}

variable "GITHUB_BASE_REF" {
variable "GITHUB_HEAD_REF" {
default = null
}

Expand Down Expand Up @@ -128,10 +128,10 @@ target "ubuntu" {
"${REGISTRY}/${GITHUB_REPOSITORY_OWNER}/ubuntu-act:cache-${release.codename}"
]
cache-to = [
notequal(REF_NAME, "local") ? "${REGISTRY}/${GITHUB_REPOSITORY_OWNER}/ubuntu-act:cache-${release.codename}" : ""
and(notequal("nektos/act", GITHUB_ACTOR), notequal(REF_NAME, "local")) ? "${REGISTRY}/${GITHUB_REPOSITORY_OWNER}/ubuntu-act:cache-${release.codename}" : ""
]
tags = [
"${REGISTRY}/${GITHUB_REPOSITORY_OWNER}/ubuntu-act:${release.major}.${release.minor}-${REF_NAME}",
"${REGISTRY}/${GITHUB_REPOSITORY_OWNER}/ubuntu-act:${release.major}.${release.minor}-${replace(REF_NAME, "/", "-")}",
and(notequal(GITHUB_SHA, null), equal("${REF_NAME}", "main")) ? "${REGISTRY}/${GITHUB_REPOSITORY_OWNER}/ubuntu-act:${release.major}.${release.minor}-${substr(GITHUB_SHA, 0, 7)}" : "",
equal("${REF_NAME}", "main") ? "${REGISTRY}/${GITHUB_REPOSITORY_OWNER}/ubuntu-act:${release.major}.${release.minor}" : "",
and(equal("${REF_NAME}", "main"), equal(release.codename, "jammy")) ? "${REGISTRY}/${GITHUB_REPOSITORY_OWNER}/ubuntu-act:latest" : "",
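Review bot: `replace(REF_NAME, "/", "-")` in the ubuntu target's first tag only neutralises slashes, but a git branch name may carry other characters that are illegal in an image tag (`+`, `@`, `#`, a leading `.` or `-`), and with `GITHUB_HEAD_REF` now feeding `REF_NAME` the value on a pull request is whatever the PR author named their branch. The CI `Verify the tags are valid` step applies the same slash-only substitution, so such a name is not caught by the check and instead fails later inside `buildx bake` with an invalid-reference error. If the buildx in use provides it, `replace(regex_replace(REF_NAME, "[^A-Za-z0-9_.-]", "-"), ...)` — or simply `regex_replace(REF_NAME, "[^A-Za-z0-9_.-]", "-")` — covers the whole class; tags are also limited to 128 characters, which a long branch name can exceed once the `${release.major}.${release.minor}-` prefix is added. The `target "ubuntu"` block starts before this hunk.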
36 changes: 18 additions & 18 deletions linux/ubuntu/Dockerfile
Expand Up @@ -6,16 +6,6 @@ ARG FROM_VERSION_MINOR=04
ARG FROM_VERSION=${FROM_VERSION_MAJOR}.${FROM_VERSION_MINOR}
FROM ${FROM_IMAGE}:${FROM_VERSION} as base

FROM base as bicep
ARG TARGETARCH
ARG BICEP_VERSION=v0.21.1
RUN export targetarch="${TARGETARCH}" \
&& if [ "${targetarch}" = "amd64" ]; then export targetarch="x64"; fi \
&& curl -sSLo bicep "https://github.com/Azure/bicep/releases/download/${BICEP_VERSION}/bicep-linux-${targetarch}" \
&& chmod +x ./bicep \
&& mv ./bicep /usr/local/bin/bicep \
&& bicep --version

FROM base as golang
ARG TARGETARCH
SHELL [ "/bin/bash", "--login", "-e", "-o", "pipefail", "-c" ]
Expand All @@ -42,6 +32,16 @@ RUN curl -fsSL https://get.pulumi.com \
&& export PATH="$HOME/.pulumi/bin:$PATH" \
&& pulumi version

FROM base as bicep
ARG TARGETARCH
ARG BICEP_VERSION=v0.21.1
RUN export targetarch="${TARGETARCH}" \
&& if [ "${targetarch}" = "amd64" ]; then export targetarch="x64"; fi \
&& curl -sSLo bicep "https://github.com/Azure/bicep/releases/download/${BICEP_VERSION}/bicep-linux-${targetarch}" \
&& chmod +x ./bicep \
&& mv ./bicep /usr/local/bin/bicep \
&& bicep --version

FROM base as act-base

# automatic buildx ARGs
Expand Down Expand Up @@ -304,14 +304,6 @@ ARG TARGETARCH
SHELL [ "/bin/bash", "--login", "-e", "-o", "pipefail", "-c" ]
WORKDIR /tmp

# add PowerShell
ARG TOOL_PATH_PWSH=/usr/share/powershell
COPY --from=powershell ${TOOL_PATH_PWSH} ${TOOL_PATH_PWSH}
RUN ln -s "${TOOL_PATH_PWSH}/pwsh" /usr/local/bin/pwsh

# add PowerShell-modules
COPY --from=powershell-modules /usr/local/share/powershell /usr/local/share/powershell

# add go
COPY --from=golang /usr/local/go /usr/local/go
ENV PATH=/usr/local/go/bin:${PATH}
Expand All @@ -323,6 +315,14 @@ COPY --from=pulumi /root/.pulumi/bin /usr/local/bin/
# add bicep
COPY --from=bicep /usr/local/bin/bicep /usr/local/bin/bicep

# add PowerShell
ARG TOOL_PATH_PWSH=/usr/share/powershell
COPY --from=powershell ${TOOL_PATH_PWSH} ${TOOL_PATH_PWSH}
RUN ln -s "${TOOL_PATH_PWSH}/pwsh" /usr/local/bin/pwsh

# add PowerShell-modules
COPY --from=powershell-modules /usr/local/share/powershell /usr/local/share/powershell

ARG RUNNER
USER ${RUNNER}

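Review bot: The moved `bicep` stage still fetches `bicep-linux-${targetarch}` with `curl -sSLo` and no integrity check, so the binary copied into the final image is whatever the release URL serves at build time; since `BICEP_VERSION` is already pinned, pin the expected digest too, e.g. `ARG BICEP_SHA256_AMD64=<sha256>` and `ARG BICEP_SHA256_ARM64=<sha256>`, then `echo "${expected}  bicep" | sha256sum -c -` before the `chmod +x`. Adding `-f` to the curl flags (`curl -fsSLo bicep …`) makes a non-2xx response fail the step instead of saving the error body as `bicep`; the trailing `bicep --version` would catch that today, but with a misleading error. The `pulumi` install shown as context has the same download shape and is outside the changed lines.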
