Merge pull request #28 from spacelift-io/future
Synchronizing future with main
peterdeme authored Nov 15, 2022
2 parents ef2cfd8 + d22c71b commit e1a2f9a
Showing 5 changed files with 60 additions and 22 deletions.
27 changes: 23 additions & 4 deletions .github/workflows/build.yml
Expand Up @@ -5,20 +5,39 @@ on:
ignore-branches:
- main
- future

jobs:
deployment:
name: Build the image
runs-on: ubuntu-latest
container: docker
steps:
- name: Check out repository code
uses: actions/checkout@master
uses: actions/checkout@main

- name: Set up QEMU
uses: docker/setup-qemu-action@v2
with:
platforms: linux/arm64

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
uses: docker/setup-buildx-action@v2

- name: Build and push the image
uses: docker/build-push-action@v2
uses: docker/build-push-action@v3
with:
push: false
tags: terraform-runner:latest
platforms: linux/amd64,linux/arm64
tags: runner-terraform:latest

# Can't use the output of the previous step because it's
# a multiplatform build, so we need to build it again.
- name: Test if terragrunt & infracost works (AMD64)
run: |
docker build --build-arg TARGETARCH=amd64 -t runner-terraform-test .
docker run --rm runner-terraform-test sh -c "terragrunt --version && infracost --version"
- name: Test if terragrunt & infracost works (ARM64)
run: |
docker build --build-arg TARGETARCH=arm64 -t runner-terraform-test .
docker run --rm runner-terraform-test sh -c "terragrunt --version && infracost --version"
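Review bot: The new `uses: actions/checkout@main` line pins a mutable branch instead of a release tag or a full commit SHA, so whatever lands on that branch runs with the job's token on every build; `uses: actions/checkout@v3` (or a 40-character SHA with a version comment) gives a reviewable, reproducible pin. The same branch-tracking ref is introduced in deploy.yml, prod-pr.yml and trivy.yml — in the last two it replaces an existing `@v2` — and trivy.yml's unchanged `aquasecurity/trivy-action@master` has the same shape. Separately, the new ARM64 test step builds with `--build-arg TARGETARCH=arm64` but no `--platform linux/arm64`, so unlike trivy.yml's `docker build --platform linux/${{ matrix.arch }}` it appears to exercise arm64 binaries on an amd64 base layer rather than the arm64 image that build-push-action produces; adding `--platform linux/arm64` to that `docker build` would make the test cover the published artifact.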
12 changes: 9 additions & 3 deletions .github/workflows/deploy.yml
Expand Up @@ -20,7 +20,7 @@ jobs:

steps:
- name: Check out repository code
uses: actions/checkout@master
uses: actions/checkout@main

- name: Install the latest AWS CLI
run: |
Expand All @@ -39,19 +39,25 @@ jobs:
run: aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws

- name: Log in to GitHub registry
uses: docker/login-action@v1
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Set up QEMU
uses: docker/setup-qemu-action@v2
with:
platforms: linux/arm64

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1

- name: Build and push the image
uses: docker/build-push-action@v2
uses: docker/build-push-action@v3
with:
push: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/future' }}
platforms: linux/amd64,linux/arm64
tags: |
${{ secrets.PUBLIC_RUNNER_TERRAFORM_ECR_REPOSITORY_URL }}:${{ github.ref == 'refs/heads/main' && 'latest' || 'future' }}
ghcr.io/spacelift-io/runner-terraform:${{ github.ref == 'refs/heads/main' && 'latest' || 'future' }}
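Review bot: The unchanged `uses: docker/setup-buildx-action@v1` line is left at v1 while this commit moves the same step in build.yml to v2, so the two workflows now produce the multi-platform image with different Buildx versions; `uses: docker/setup-buildx-action@v2` keeps them aligned. The `github.ref == 'refs/heads/main' && 'latest' || 'future'` expression is repeated on both new tag lines; evaluating it once into an `env` value or a step output would keep the ECR and GHCR tags from drifting apart if the branch logic changes again. The job header and the AWS CLI install step lie outside the hunk.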
2 changes: 1 addition & 1 deletion .github/workflows/prod-pr.yml
Expand Up @@ -8,7 +8,7 @@ jobs:
create-pr:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@main

- name: Create Pull Request
uses: vsoch/[email protected]
23 changes: 16 additions & 7 deletions .github/workflows/trivy.yml
Expand Up @@ -10,27 +10,36 @@ on:

jobs:
build:
strategy:
matrix:
arch: [amd64, arm64]
name: Analyze
runs-on: ubuntu-latest

steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@main

- name: Build an image from Dockerfile
- name: Set up QEMU
if: matrix.arch == 'arm64'
uses: docker/setup-qemu-action@v2
with:
platforms: linux/arm64

- name: Build an image from Dockerfile (${{ matrix.arch }} image)
run: |
docker build -t spacelift:${{ github.sha }} .
docker build --platform linux/${{ matrix.arch }} --pull --build-arg TARGETARCH=${{ matrix.arch }} -t spacelift:${{ github.sha }}-${{ matrix.arch }} .
- name: Run Trivy vulnerability scanner
- name: Run Trivy vulnerability scanner (${{ matrix.arch }} image)
uses: aquasecurity/trivy-action@master
with:
image-ref: "spacelift:${{ github.sha }}"
image-ref: "spacelift:${{ github.sha }}-${{ matrix.arch }}"
format: "template"
template: "@/contrib/sarif.tpl"
output: "trivy-results.sarif"
severity: "CRITICAL,HIGH"

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
- name: Upload Trivy scan results to GitHub Security tab (${{ matrix.arch }} image)
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: "trivy-results.sarif"
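Review bot: Both matrix legs upload the same `trivy-results.sarif` for the same commit through `github/codeql-action/upload-sarif@v2` without a `category` input, and code scanning uses the category to tell analyses apart, so the amd64 and arm64 results can end up overwriting each other in the Security tab instead of being reported side by side; adding `category: trivy-${{ matrix.arch }}` under the upload step's `with:` keeps them distinct. The QEMU step is guarded by `if: matrix.arch == 'arm64'`, which only holds while the runner itself is amd64; a comment such as `# QEMU is only needed for the non-native arm64 build on the amd64 runner` would record that assumption next to the condition.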
18 changes: 11 additions & 7 deletions Dockerfile
@@ -1,4 +1,6 @@
FROM alpine:3.14.0
FROM alpine:3.16

ARG TARGETARCH

RUN apk -U upgrade && apk add --no-cache \
aws-cli \
Expand All @@ -12,15 +14,17 @@ RUN apk -U upgrade && apk add --no-cache \
tzdata

# Download infracost
RUN curl -s -L https://github.com/infracost/infracost/releases/latest/download/infracost-linux-amd64.tar.gz | \
tar xz -C /tmp && \
mv /tmp/infracost-linux-amd64 /bin/infracost
ADD "https://github.com/infracost/infracost/releases/latest/download/infracost-linux-${TARGETARCH}.tar.gz" /tmp/infracost.tar.gz
RUN tar -xzf /tmp/infracost.tar.gz -C /bin && \
mv "/bin/infracost-linux-${TARGETARCH}" /bin/infracost && \
chmod 755 /bin/infracost && \
rm /tmp/infracost.tar.gz

# Download Terragrunt.
RUN wget -O /bin/terragrunt https://github.com/gruntwork-io/terragrunt/releases/latest/download/terragrunt_linux_amd64 \
&& chmod +x /bin/terragrunt
ADD "https://github.com/gruntwork-io/terragrunt/releases/latest/download/terragrunt_linux_${TARGETARCH}" /bin/terragrunt
RUN chmod 755 /bin/terragrunt

RUN echo "hosts: files dns" > /etc/nsswitch.conf \
&& adduser --disabled-password --uid=1983 spacelift

USER spacelift
USER spacelift
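Review bot: The new `ADD` lines for infracost and terragrunt fetch `releases/latest/download/...` with no integrity check, so each build pulls whatever the upstream project's latest release happens to be and nothing verifies the binary that lands in `/bin`; the base image likewise moves from the patch-pinned `alpine:3.14.0` to the floating `alpine:3.16`. Pinning the release tag in an `ARG` and checking a per-arch `sha256sum` before extraction makes the image reproducible and fails the build on a tampered or truncated download. Because `ADD` writes its own layer, the `rm /tmp/infracost.tar.gz` in the following `RUN` does not remove the tarball from the image; fetching and verifying in one `RUN` (as the replaced `curl`/`wget` lines did) avoids that. The `apk add` package list is partly outside the hunk, so whether `wget` remains installed should be confirmed before relying on it.
```dockerfile
ARG TARGETARCH
# Pinned release and per-arch checksums (placeholders: fill from the reviewed
# release's published checksums) so the build is reproducible and a tampered
# or truncated download fails the build.
ARG INFRACOST_VERSION=<pinned-release-tag>
ARG INFRACOST_SHA256_AMD64=<sha256-placeholder>
ARG INFRACOST_SHA256_ARM64=<sha256-placeholder>

# Download infracost in a single layer so the tarball never persists in the image.
RUN case "${TARGETARCH}" in \
      amd64) sum="${INFRACOST_SHA256_AMD64}" ;; \
      arm64) sum="${INFRACOST_SHA256_ARM64}" ;; \
      *) echo "unsupported TARGETARCH: ${TARGETARCH}" >&2; exit 1 ;; \
    esac && \
    wget -O /tmp/infracost.tar.gz "https://github.com/infracost/infracost/releases/download/${INFRACOST_VERSION}/infracost-linux-${TARGETARCH}.tar.gz" && \
    echo "${sum}  /tmp/infracost.tar.gz" | sha256sum -c - && \
    tar -xzf /tmp/infracost.tar.gz -C /bin && \
    mv "/bin/infracost-linux-${TARGETARCH}" /bin/infracost && \
    chmod 755 /bin/infracost && \
    rm /tmp/infracost.tar.gz

# … unchanged: terragrunt download (apply the same pinning and checksum) …
```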
