diff --git a/.drone.star b/.drone.star
deleted file mode 100644
index 5aaa6cb..0000000
--- a/.drone.star
+++ /dev/null
@@ -1,120 +0,0 @@
-def main(ctx):
- archs = ["amd64", "arm64"] ## arm
- alpine_version = "3.19"
-
- out = []
- for arch in archs:
- out += onpush(ctx, alpine_version, arch)
-
- for arch in archs:
- out += build_publish(ctx, alpine_version, arch)
-
- out += manifest_publish(ctx, archs)
-
- return out
-
-def onpush(ctx, alpine_version, arch):
- return [{
- "kind": "pipeline",
- "type": "docker",
- "name": "build-onpush-%s" % (arch),
- "platform": {
- "arch": arch,
- "os": "linux",
- },
- "steps": [{
- "name": "build_on_push",
- "image": "plugins/docker:linux-%s" % (arch),
- "settings": {
- "context": ".",
- "dockerfile": "Dockerfile",
- "dry_run": True,
- "repo": "docker.asperti.com/paspo/dnscache",
- "build_args": [
- "ALPINE_VERSION=%s" % (alpine_version)
- ],
- },
- }],
- "trigger": {
- "event": ['push'],
- }
- }]
-
-def build_publish(ctx, alpine_version, arch):
- return [{
- "kind": "pipeline",
- "type": "docker",
- "name": "build-publish-%s" % (arch),
- "platform": {
- "arch": arch,
- "os": "linux",
- },
- "steps": [{
- "name": "build_on_push",
- "image": "plugins/docker:linux-%s" % (arch),
- "settings": {
- "context": ".",
- "dockerfile": "Dockerfile",
- "build_args": [
- "ALPINE_VERSION=%s" % (alpine_version)
- ],
- "username": {
- "from_secret": "docker_username",
- },
- "password": {
- "from_secret": "docker_password",
- },
- "registry": "docker.asperti.com",
- "repo": "docker.asperti.com/paspo/dnscache",
- "tags": [
- "latest-%s" % (arch)
- ],
- "auto_tag": False,
- "force_tag": True,
- "daemon_off": False,
- },
- }],
- "trigger": {
- "ref": [
- "refs/heads/master",
- "refs/tags/**",
- ],
- },
- }]
-
-def manifest_publish(ctx, archs):
- return [{
- "kind": "pipeline",
- "type": "docker",
- "name": "manifest",
- "platform": {
- "arch": archs[0],
- "os": "linux",
- },
- "steps": [{
- "name": "manifest",
- "image": "plugins/manifest",
- "settings": {
- "spec": "manifest.tmpl",
- "username": {
- "from_secret": "docker_username",
- },
- "password": {
- "from_secret": "docker_password",
- },
- "tags": [
- "latest"
- ],
- "ignore_missing": True,
- "force_tag": True,
- },
- }],
- "trigger": {
- "ref": [
- "refs/heads/master",
- "refs/tags/**",
- ],
- },
- "depends_on": ["build-publish-%s" % (arch) for arch in archs]
- }]
-
diff --git a/.gitea/workflows/build_and_publish.yaml b/.gitea/workflows/build_and_publish.yaml
new file mode 100644
index 0000000..72aafec
--- /dev/null
+++ b/.gitea/workflows/build_and_publish.yaml
@@ -0,0 +1,77 @@
+---
+name: Container Publish
+
+env:
+ REGISTRY: docker.asperti.com
+ REPOSITORY: paspo/dnscache
+ ALPINE_VERSION: "3.19"
+
+on:
+ push:
+ tags:
+ - '*'
+ schedule:
+ - cron: "0 12 3 * *"
+ workflow_dispatch:
+ workflow_call:
+ workflow_run:
+ workflows: [vulnscan.yaml]
+ types: [completed]
+
+jobs:
+ on-success-skip:
+ runs-on:
+ labels: ubuntu-latest
+ if: ${{ github.event.workflow_run.conclusion == 'success' }}
+ steps:
+ - run: exit_with_success
+
+ build-image:
+ runs-on:
+ labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
+ container:
+ image: catthehacker/ubuntu:act-latest
+ strategy:
+ matrix:
+ arch: [amd64, arm64]
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Login to registry
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ secrets.REGISTRY_USER }}
+ password: ${{ secrets.REGISTRY_TOKEN }}
+
+ - name: Build and publish
+ run: |
+ docker build \
+ --tag ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }} \
+ --build-arg "ALPINE_VERSION=${{ env.ALPINE_VERSION }}" \
+ --platform linux/${{ matrix.arch }} -f Dockerfile .
+ docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }}
+
+ manifest:
+ name: update docker manifest
+ needs: build-image
+ runs-on: ubuntu-latest
+ container:
+ image: catthehacker/ubuntu:act-latest
+
+ steps:
+ - name: Login to registry
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ secrets.REGISTRY_USER }}
+ password: ${{ secrets.REGISTRY_TOKEN }}
+
+ - name: latest
+ run: |
+ docker manifest create \
+ ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest \
+ --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-amd64 \
+ --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-arm64
+ docker manifest push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest
diff --git a/.gitea/workflows/vulnscan.yaml b/.gitea/workflows/vulnscan.yaml
index 0f841d8..4dcf57f 100644
--- a/.gitea/workflows/vulnscan.yaml
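Review bot: The `build-image` job carries no `if:` condition, so the `on-success-skip` job at the top of `jobs:` skips nothing — when this workflow is started by `workflow_run` after a successful scan the image is rebuilt and republished anyway, and since vulnscan.yaml in turn triggers on this workflow's completion the two can keep re-triggering each other (depending on how Gitea limits `workflow_run` chaining); gate the build itself with `if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'failure' }}` and drop `on-success-skip`, whose `run: exit_with_success` is not a command and would simply fail. Note also that on GitHub Actions the `workflow_run.workflows` list matches the workflow `name:` (here `Vulnerability Scan`), not the file name; confirm how Gitea Actions resolves `[vulnscan.yaml]` before relying on it. The removed .drone.star/manifest.tmpl pair also published a version tag derived from `build.tag`, whereas this workflow only ever pushes `latest` and `latest-<arch>`, so a `push: tags` run produces nothing a consumer can pin to or roll back to. Since both jobs hold registry push credentials, pin `actions/checkout@v4` and `docker/login-action@v3` (and ideally `catthehacker/ubuntu:act-latest`) to immutable revisions rather than mutable tags.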
+++ b/.gitea/workflows/vulnscan.yaml
@@ -1,20 +1,33 @@
+---
 name: Vulnerability Scan
+env:
+ REGISTRY: docker.asperti.com
+ REPOSITORY: paspo/dnscache
+
 on:
 schedule:
 - cron: "0 14 * * *"
 workflow_dispatch:
+ workflow_call:
+ workflow_run:
+ workflows: [build_and_publish.yaml]
+ types: [completed]
 jobs:
 scan:
 name: Daily Vulnerability Scan
- runs-on: ubuntu-latest
+ runs-on:
+ labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
 container:
 image: catthehacker/ubuntu:act-latest
+ strategy:
+ matrix:
+ arch: [amd64, arm64]
 steps:
 - name: Pull docker image
- run: docker pull docker.asperti.com/paspo/dnscache:latest
+ run: docker pull ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest
 - name: Setup trivy
 run: |
@@ -31,7 +44,7 @@ jobs:
 - name: Run Trivy vulnerability scanner
 id: scan
 run: |
- trivy --server ${{ secrets.TRIVY_SERVER }} --token ${{ secrets.TRIVY_TOKEN }} image --format json docker.asperti.com/paspo/dnscache:latest > trivy-results.json
+ trivy --server ${{ secrets.TRIVY_SERVER }} --token ${{ secrets.TRIVY_TOKEN }} image --format json ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest > trivy-results.json
 # if some vulnerability is found, we fail
 - name: check output
diff --git a/manifest.tmpl b/manifest.tmpl
deleted file mode 100644
index 921f4b6..0000000
--- a/manifest.tmpl
+++ /dev/null
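Review bot: The new `workflow_run` trigger fires on every `completed` run of build_and_publish.yaml regardless of its conclusion, so a failed or cancelled publish still scans whatever `latest` already sits in the registry, and that scan's completion then re-triggers the publish workflow through its own `workflow_run` trigger; add `if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }}` to the `scan` job so only a successful publish is scanned. Because the image is pulled by the mutable `latest` tag, the scan result is not tied to a specific build; logging `docker image inspect --format '{{index .RepoDigests 0}}' ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest` right after the pull records which digest was actually scanned on each arch. The remaining steps of the `scan` job continue outside this hunk.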
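Review bot: `${{ secrets.TRIVY_SERVER }}` and `${{ secrets.TRIVY_TOKEN }}` are expanded into the `run:` script text before the shell starts, so the token ends up in the generated step script and in any shell trace or error output, with log masking as the only thing hiding it. Pass them through the step's `env:` instead — `env: { TRIVY_SERVER: ${{ secrets.TRIVY_SERVER }}, TRIVY_TOKEN: ${{ secrets.TRIVY_TOKEN }} }` — and call `trivy --server "$TRIVY_SERVER" --token "$TRIVY_TOKEN" image --format json ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest > trivy-results.json`. The enclosing `scan` job starts outside this hunk.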
@@ -1,25 +0,0 @@ -image: docker.asperti.com/paspo/dnscache:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}} -{{#if build.tags}} -tags: -{{#each build.tags}} - - {{this}} -{{/each}} -{{/if}} -manifests: - - - image: docker.asperti.com/paspo/dnscache:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}-amd64 - platform: - architecture: amd64 - os: linux - - - image: docker.asperti.com/paspo/dnscache:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}-arm64 - platform: - variant: v8 - architecture: arm64 - os: linux - - - image: docker.asperti.com/paspo/dnscache:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}-arm - platform: - variant: v7 - architecture: arm - os: linux