Bogdan Peter
committed
Jul 7, 2024
1 parent
e0746dc
commit 91be5a2
Showing
6 changed files
with
199 additions
and
37 deletions.
@@ -13,9 +13,6 @@ inputs: | |
commit_sha: | ||
required: true | ||
description: Define the SHA1 git commit hash | ||
docker_tag: | ||
required: true | ||
description: Define the Docker tag | ||
docker_hub_org: | ||
required: true | ||
description: Pass DockerHub org to action | ||
|
@@ -54,13 +51,29 @@ runs: | |
osctrl-${{ inputs.osctrl_component }}-${{ inputs.commit_sha }}-${{ inputs.go_os }}-${{ inputs.go_arch }}.bin \ | ||
osctrl-${{ inputs.osctrl_component }}-${{ inputs.go_os }}-${{ inputs.go_arch }}.bin | ||
########################### Add meta data for containers ########################### | ||
- name: Docker meta | ||
id: meta | ||
uses: docker/metadata-action@v5 | ||
with: | ||
images: ${{ inputs.docker_hub_org }}/osctrl-${{ inputs.osctrl_component }} | ||
labels: | | ||
org.opencontainers.image.title=osctrl-${{ inputs.osctrl_component }} | ||
tags: | | ||
type=sha,prefix=,format=short | ||
type=match,pattern=v(.*),group=1 | ||
########################### Log into Dockerhub ########################### | ||
- name: Login to Docker Hub | ||
uses: docker/[email protected] | ||
with: | ||
username: ${{ inputs.docker_hub_username }} | ||
password: ${{ inputs.docker_hub_access_token }} | ||
|
||
# ########################### Setup QEMU ########################### | ||
- name: Set up QEMU | ||
uses: docker/setup-qemu-action@v3 | ||
|
||
########################### Setup Docker ########################### | ||
- name: Set up Docker Buildx | ||
uses: docker/[email protected] | ||
|
@@ -73,8 +86,27 @@ runs: | |
context: . | ||
file: ./deploy/cicd/docker/Dockerfile-osctrl-${{ inputs.osctrl_component }} | ||
push: true | ||
tags: ${{ inputs.docker_hub_org }}/osctrl-${{ inputs.osctrl_component }}:${{ inputs.docker_tag }} | ||
labels: ${{ steps.meta.outputs.labels }} | ||
platforms: "${{ inputs.go_os }}/${{ inputs.go_arch }}" | ||
outputs: type=image,name=${{ inputs.docker_hub_org }}/osctrl-${{ inputs.osctrl_component }},push-by-digest=true,name-canonical=true,push=true | ||
build-args: | | ||
COMPONENT=${{ inputs.osctrl_component }} | ||
GOOS=${{ inputs.go_os }} | ||
GOARCH=${{ inputs.go_arch }} | ||
########################### Export image digest to tmp ########################### | ||
- name: Export digest | ||
shell: bash | ||
run: | | ||
mkdir -p /tmp/digests | ||
digest="${{ steps.docker_build.outputs.digest }}" | ||
touch "/tmp/digests/${digest#sha256:}" | ||
########################### Upload digest ########################### | ||
- name: Upload digest | ||
uses: actions/[email protected] | ||
with: | ||
name: digests-osctrl-${{ inputs.osctrl_component }}-${{ inputs.go_os }}-${{ inputs.go_arch }} | ||
path: /tmp/digests/* | ||
if-no-files-found: error | ||
retention-days: 1 |
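Review bot: `docker/metadata-action@v5` (Docker meta step) and `docker/setup-qemu-action@v3` (Set up QEMU step) are pinned to mutable major tags, while the login, buildx, build-push and upload steps around them are pinned to exact releases, so the push-by-digest pipeline this action now implements is only as reproducible as whatever those two tags resolve to on a given day. Pin every third-party action to a full-length commit SHA with the version in a trailing comment, e.g. `uses: docker/metadata-action@<full commit SHA>  # v5`, and let Dependabot or Renovate keep the comment current; the same two steps are duplicated in the new `push_docker_images` jobs of both workflow files. In the Export digest step, `digest="${{ steps.docker_build.outputs.digest }}"` splices an expression straight into the script body; a build digest is not attacker-controlled, but passing it through `env:` and reading `"$DIGEST"` keeps the script text free of expression expansion, which is the habit that prevents injection when a step output is less trustworthy than this one.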
@@ -48,6 +48,7 @@ runs: | |
OSCTRL_VERSION: ${{ inputs.commit_sha }} | ||
|
||
- name: Create DEB package contents for tagged version | ||
id: create_deb_tagged_pkgs | ||
uses: jiro4989/[email protected] | ||
if: startsWith(github.ref, 'refs/tags/') | ||
with: | ||
|
@@ -59,6 +60,7 @@ runs: | |
desc: "DEB package for osctrl-${OSCTRL_COMPONENT}-${OSCTRL_VERSION} Commit SHA: ${COMMIT_SHA}" | ||
|
||
- name: Create DEB package contents | ||
id: create_deb_pkgs | ||
uses: jiro4989/[email protected] | ||
with: | ||
package: osctrl-${{ inputs.osctrl_component }} | ||
|
@@ -74,12 +76,12 @@ runs: | |
if: startsWith(github.ref, 'refs/tags/') | ||
with: | ||
name: osctrl-${{ inputs.osctrl_component }}_${{ inputs.release_version_tag }}-${{ inputs.commit_sha }}_${{ inputs.go_arch }}.deb | ||
path: osctrl-${{ inputs.osctrl_component }}_${{ inputs.release_version_tag }}-${{ inputs.commit_sha }}_${{ inputs.go_arch }}.deb | ||
path: ${{ steps.create_deb_tagged_pkgs.outputs.file_name }} | ||
retention-days: 10 | ||
|
||
- name: Upload osctrl DEBs | ||
uses: actions/[email protected] | ||
with: | ||
name: osctrl-${{ inputs.osctrl_component }}_${{ inputs.commit_sha }}_${{ inputs.go_arch }}.deb | ||
path: osctrl-${{ inputs.osctrl_component }}_${{ inputs.commit_sha }}_${{ inputs.go_arch }}.deb | ||
path: ${{ steps.create_deb_pkgs.outputs.file_name }} | ||
retention-days: 10 |
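Review bot: Both upload steps now take `path` from `steps.create_deb_tagged_pkgs.outputs.file_name` / `steps.create_deb_pkgs.outputs.file_name`, but neither sets `if-no-files-found`, whose default in actions/upload-artifact is `warn`; if the packaging action yields an empty or unexpected output, the job goes green with no artifact and the failure only surfaces downstream, if at all. Add `if-no-files-found: error` under both `with:` blocks, matching what the digest upload in the docker build action already does. The `name:` values still spell the filename out by hand, so a drift between the file the packaging action writes and the artifact name would go unnoticed; deriving one from the other would remove that duplication.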
@@ -103,7 +103,7 @@ jobs: | |
matrix: | ||
components: ['tls', 'admin', 'api', 'cli'] | ||
goos: ['linux'] | ||
goarch: ['amd64'] | ||
goarch: ['amd64', 'arm64'] | ||
steps: | ||
########################### Checkout code ########################### | ||
- name: Checkout code | ||
|
@@ -131,8 +131,59 @@ jobs: | |
#### Build vars #### | ||
osctrl_component: ${{ matrix.components }} | ||
commit_sha: ${{ steps.vars.outputs.sha_short }} | ||
docker_tag: ${{ steps.vars.outputs.sha_short }} | ||
#### Dockerhub creds #### | ||
docker_hub_org: ${{ secrets.DOCKER_HUB_ORG }} | ||
docker_hub_username: ${{ secrets.DOCKER_HUB_USERNAME }} | ||
docker_hub_access_token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} | ||
|
||
|
||
push_docker_images: | ||
needs: [create_docker_images] | ||
runs-on: ubuntu-22.04 | ||
strategy: | ||
matrix: | ||
components: ['tls', 'admin', 'api', 'cli'] | ||
steps: | ||
########################### Get digests from build ########################### | ||
- name: Download digests | ||
uses: actions/[email protected] | ||
with: | ||
pattern: digests-osctrl-${{ matrix.components }}-* | ||
merge-multiple: true | ||
path: /tmp/digests | ||
|
||
########################### Setup Docker ########################### | ||
- name: Set up Docker Buildx | ||
uses: docker/[email protected] | ||
|
||
########################### Add meta data for containers ########################### | ||
- name: Docker meta | ||
id: meta | ||
uses: docker/metadata-action@v5 | ||
with: | ||
images: ${{ secrets.DOCKER_HUB_ORG }}/osctrl-${{ matrix.components }} | ||
labels: | | ||
org.opencontainers.image.title=osctrl-${{ matrix.components }} | ||
tags: | | ||
type=sha,prefix=,format=short | ||
type=match,pattern=v(.*),group=1 | ||
########################### Log into Dockerhub ########################### | ||
- name: Login to Docker Hub | ||
uses: docker/[email protected] | ||
with: | ||
username: ${{ secrets.DOCKER_HUB_USERNAME }} | ||
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} | ||
|
||
########################### Create and push images ########################### | ||
- name: Create manifest list and push | ||
working-directory: /tmp/digests | ||
run: | | ||
docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ | ||
$(printf '${{ secrets.DOCKER_HUB_ORG }}/osctrl-${{ matrix.components }}@sha256:%s ' *) | ||
########################### Inspect new image ########################### | ||
- name: Inspect image | ||
run: | | ||
docker buildx imagetools inspect ${{ secrets.DOCKER_HUB_ORG }}/osctrl-${{ matrix.components }}:${{ steps.meta.outputs.version }} |
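Review bot: The `Create manifest list and push` and `Inspect image` steps expand `${{ secrets.DOCKER_HUB_ORG }}` directly inside the `run:` script text, which puts a secret's value into the shell source and is the pattern that becomes command injection the day an interpolated value is less trusted than an org name; the same two command lines reappear in the tagged-release workflow below. Hand the value over on the step with `env:` and `DOCKER_HUB_ORG: ${{ secrets.DOCKER_HUB_ORG }}`, then reference `"$DOCKER_HUB_ORG"` inside the script, so the shell never re-parses the expanded text. Separately, storing a non-secret org name as a secret makes the runner mask every occurrence of that string in job logs, which hides useful diagnostic output; a repository `vars.` entry would be a better home for it. The top of the file is outside this view, so I cannot tell whether the new `push_docker_images` job has a restrictive `permissions:` block; it appears to need no write scopes on `GITHUB_TOKEN`, so `permissions: {}` or `contents: read` looks appropriate.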
@@ -84,7 +84,7 @@ jobs: | |
shell: bash | ||
run: | | ||
echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT | ||
echo "branch=$(echo ${GITHUB_REF#refs/heads/})" >> $GITHUB_OUTPUT | ||
echo "branch=$(echo ${GITHUB_REF_NAME})" >> $GITHUB_OUTPUT | ||
echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT | ||
########################### Build DEB packages ########################### | ||
|
@@ -96,6 +96,7 @@ jobs: | |
osctrl_component: ${{ matrix.components }} | ||
commit_sha: ${{ steps.vars.outputs.sha_short }} | ||
osquery_version: ${{ env.OSQUERY_VERSION }} | ||
release_version_tag: ${{ steps.vars.outputs.branch }} | ||
|
||
create_docker_images: | ||
needs: [build_and_test] | ||
|
@@ -104,7 +105,7 @@ jobs: | |
matrix: | ||
components: ['tls', 'admin', 'api', 'cli'] | ||
goos: ['linux'] | ||
goarch: ['amd64'] | ||
goarch: ['amd64', 'arm64'] | ||
steps: | ||
########################### Checkout code ########################### | ||
- name: Checkout code | ||
|
@@ -133,31 +134,96 @@ jobs: | |
#### Build vars #### | ||
osctrl_component: ${{ matrix.components }} | ||
commit_sha: ${{ steps.vars.outputs.sha_short }} | ||
docker_tag: ${{ steps.vars.outputs.RELEASE_VERSION }} | ||
#### Dockerhub creds #### | ||
docker_hub_org: ${{ secrets.DOCKER_HUB_ORG }} | ||
docker_hub_username: ${{ secrets.DOCKER_HUB_USERNAME }} | ||
docker_hub_access_token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} | ||
|
||
########################### Sign Docker images ########################### | ||
- name: Sign osctrl Docker containers | ||
uses: ./.github/actions/tagged_release/docker/codesign | ||
with: | ||
#### Docker vars #### | ||
osctrl_component: ${{ matrix.components }} | ||
docker_tag: ${{ steps.vars.outputs.RELEASE_VERSION }} | ||
docker_image_digest: ${{ steps.build_docker_containers.outputs.docker_image_digest }} | ||
#### Dockerhub creds #### | ||
docker_hub_org: ${{ secrets.DOCKER_HUB_ORG }} | ||
docker_hub_username: ${{ secrets.DOCKER_HUB_USERNAME }} | ||
docker_hub_access_token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} | ||
#### Codesign secrets #### | ||
codesign_password: ${{ secrets.COSIGN_PASSWORD }} | ||
codesign_private_key: ${{ secrets.COSIGN_PRIVATE }} | ||
codesign_public_cert: ${{ secrets.COSIGN_PUBLIC }} | ||
|
||
push_docker_images: | ||
needs: [create_docker_images] | ||
runs-on: ubuntu-22.04 | ||
strategy: | ||
matrix: | ||
components: ['tls', 'admin', 'api', 'cli'] | ||
steps: | ||
########################### Checkout code ########################### | ||
- name: Checkout code | ||
uses: actions/[email protected] | ||
with: | ||
fetch-depth: 2 | ||
|
||
########################### Get digests from build ########################### | ||
- name: Download digests | ||
uses: actions/[email protected] | ||
with: | ||
pattern: digests-osctrl-${{ matrix.components }}-* | ||
merge-multiple: true | ||
path: /tmp/digests | ||
|
||
########################### Setup Docker ########################### | ||
- name: Set up Docker Buildx | ||
uses: docker/[email protected] | ||
|
||
########################### Add meta data for containers ########################### | ||
- name: Docker meta | ||
id: meta | ||
uses: docker/metadata-action@v5 | ||
with: | ||
images: ${{ secrets.DOCKER_HUB_ORG }}/osctrl-${{ matrix.components }} | ||
labels: | | ||
org.opencontainers.image.title=osctrl-${{ matrix.components }} | ||
tags: | | ||
type=sha,prefix=,format=short | ||
type=match,pattern=v(.*),group=1 | ||
########################### Log into Dockerhub ########################### | ||
- name: Login to Docker Hub | ||
uses: docker/[email protected] | ||
with: | ||
username: ${{ secrets.DOCKER_HUB_USERNAME }} | ||
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} | ||
|
||
########################### Create and push images ########################### | ||
- name: Create manifest list and push | ||
working-directory: /tmp/digests | ||
run: | | ||
docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ | ||
$(printf '${{ secrets.DOCKER_HUB_ORG }}/osctrl-${{ matrix.components }}@sha256:%s ' *) | ||
########################### Generate image tags and digests ########################### | ||
- name: Export digests and tags for cosign | ||
id: docker_vars | ||
working-directory: /tmp/digests | ||
run: | | ||
echo "digests=$(printf '%s ' *)" >> $GITHUB_OUTPUT | ||
echo "tags=$(jq -cr '.tags | map(\"-t \" + .) | join(\" \")' <<< \"$DOCKER_METADATA_OUTPUT_JSON\")" >> $GITHUB_OUTPUT | ||
########################### Sign Docker images ########################### | ||
- name: Sign osctrl Docker containers | ||
uses: ./.github/actions/tagged_release/docker/codesign | ||
with: | ||
#### Docker vars #### | ||
osctrl_component: ${{ matrix.components }} | ||
docker_tags: ${{ steps.docker_vars.outputs.tags }} | ||
docker_image_digests: ${{ steps.digests.outputs.digests }} | ||
#### Dockerhub creds #### | ||
docker_hub_org: ${{ secrets.DOCKER_HUB_ORG }} | ||
docker_hub_username: ${{ secrets.DOCKER_HUB_USERNAME }} | ||
docker_hub_access_token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} | ||
#### Codesign secrets #### | ||
codesign_password: ${{ secrets.COSIGN_PASSWORD }} | ||
codesign_private_key: ${{ secrets.COSIGN_PRIVATE }} | ||
codesign_public_cert: ${{ secrets.COSIGN_PUBLIC }} | ||
|
||
########################### Inspect new image ########################### | ||
- name: Inspect image | ||
run: | | ||
docker buildx imagetools inspect ${{ secrets.DOCKER_HUB_ORG }}/osctrl-${{ matrix.components }}:${{ steps.meta.outputs.version }} | ||
create_release: | ||
needs: [build_and_test,create_deb_packages,create_docker_images] | ||
needs: [build_and_test,create_deb_packages,push_docker_images] | ||
runs-on: ubuntu-22.04 | ||
strategy: | ||
matrix: | ||
|
@@ -184,7 +250,6 @@ jobs: | |
########################### Create release ########################### | ||
- name: Create a new release with binaries and packages | ||
uses: ./.github/actions/tagged_release/github | ||
id: build_docker_containers | ||
with: | ||
go_os: "${{ matrix.goos }}" | ||
go_arch: "${{ matrix.goarch }}" | ||
|
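Review bot: `docker_image_digests: ${{ steps.digests.outputs.digests }}` in the `Sign osctrl Docker containers` step references a step id that does not exist in this job; the step that writes `digests` to `$GITHUB_OUTPUT` has `id: docker_vars`, so the expression evaluates to an empty string and the signing action would receive no digests, leaving the freshly pushed multi-arch images unsigned. Change it to `docker_image_digests: ${{ steps.docker_vars.outputs.digests }}`. In that same export step, the `tags=` line escapes its quotes with backslashes (`map(\"-t \" + .)`), but inside a `|` block scalar those backslashes reach bash verbatim and stay literal inside the single-quoted jq program, so jq will most likely reject it; the unescaped form used two steps earlier in `Create manifest list and push` is the one that works. Since the digest file names were written with the `sha256:` prefix stripped (`touch "/tmp/digests/${digest#sha256:}"` in the build action), confirm that the codesign action re-adds it, or emit full `sha256:<hex>` references here so the sign step verifies exactly what was pushed.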