Merge pull request #26 from spacelift-io/future
Synchronizing future with main
adamconnelly authored Nov 10, 2022
2 parents 0379838 + 6d958a3 commit ef2cfd8
Showing 5 changed files with 22 additions and 54 deletions.
22 changes: 4 additions & 18 deletions .github/workflows/build.yml
Expand Up @@ -5,34 +5,20 @@ on:
ignore-branches:
- main
- future

jobs:
deployment:
name: Build the image
runs-on: ubuntu-latest
container: docker
steps:
- name: Check out repository code
uses: actions/checkout@main

- name: Set up QEMU
uses: docker/setup-qemu-action@v2
with:
platforms: linux/arm64
uses: actions/checkout@master

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
uses: docker/setup-buildx-action@v1

- name: Build and push the image
uses: docker/build-push-action@v3
uses: docker/build-push-action@v2
with:
push: false
platforms: linux/amd64,linux/arm64
tags: runner-terraform:latest

# Can't use the output of the previous step because it's
# a multiplatform build, so we need to build it again.
- name: Test if terragrunt & infracost works
run: |
docker build --build-arg TARGETARCH=amd64 -t runner-terraform-test .
docker run --rm runner-terraform-test sh -c "terragrunt --version && infracost --version"
tags: terraform-runner:latest
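Review bot: `uses: actions/checkout@master` on the new side tracks a mutable branch, so the checkout code this job executes can change without any commit here; pin it to a release tag or, better, a full commit SHA with the tag in a trailing comment, e.g. `uses: actions/checkout@<full commit SHA>  # <release tag>`. The same floating reference appears in deploy.yml, and trivy.yml pulls the scanner itself from `aquasecurity/trivy-action@master`. The image tag on the last line, `terraform-runner:latest`, also no longer matches the `runner-terraform` name used by deploy.yml; harmless while `push: false`, but worth aligning so local and pushed images are named the same. The `on:`/`jobs:` mappings this hunk edits begin above the hunk.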
12 changes: 3 additions & 9 deletions .github/workflows/deploy.yml
Expand Up @@ -20,7 +20,7 @@ jobs:

steps:
- name: Check out repository code
uses: actions/checkout@main
uses: actions/checkout@master

- name: Install the latest AWS CLI
run: |
Expand All @@ -39,25 +39,19 @@ jobs:
run: aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws

- name: Log in to GitHub registry
uses: docker/login-action@v2
uses: docker/login-action@v1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Set up QEMU
uses: docker/setup-qemu-action@v2
with:
platforms: linux/arm64

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1

- name: Build and push the image
uses: docker/build-push-action@v3
uses: docker/build-push-action@v2
with:
push: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/future' }}
platforms: linux/amd64,linux/arm64
tags: |
${{ secrets.PUBLIC_RUNNER_TERRAFORM_ECR_REPOSITORY_URL }}:${{ github.ref == 'refs/heads/main' && 'latest' || 'future' }}
ghcr.io/spacelift-io/runner-terraform:${{ github.ref == 'refs/heads/main' && 'latest' || 'future' }}
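Review bot: `docker/login-action@v1` and `docker/build-push-action@v2` are older majors than the lines they replace, and this is the job that holds live registry credentials (the ECR login on the first line of the second hunk and `GITHUB_TOKEN` for ghcr.io), so it is where an out-of-date action matters most; if these majors still run on the Node 12 runtime GitHub has deprecated, they will start emitting warnings and eventually stop running. Consider moving both to a current major and pinning by full commit SHA, e.g. `uses: docker/login-action@<full commit SHA>  # <release tag>`. Because `GITHUB_TOKEN` is what authenticates the ghcr.io push, confirm the workflow's `permissions:` block (outside this hunk) grants `packages: write` and nothing broader. The `jobs:` mapping begins above the first hunk.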
2 changes: 1 addition & 1 deletion .github/workflows/prod-pr.yml
Expand Up @@ -8,7 +8,7 @@ jobs:
create-pr:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@main
- uses: actions/checkout@v2

- name: Create Pull Request
uses: vsoch/[email protected]
23 changes: 7 additions & 16 deletions .github/workflows/trivy.yml
Expand Up @@ -10,36 +10,27 @@ on:

jobs:
build:
strategy:
matrix:
arch: [amd64, arm64]
name: Analyze
runs-on: ubuntu-latest

steps:
- name: Checkout code
uses: actions/checkout@main
uses: actions/checkout@v2

- name: Set up QEMU
if: matrix.arch == 'arm64'
uses: docker/setup-qemu-action@v2
with:
platforms: linux/arm64

- name: Build an image from Dockerfile (${{ matrix.arch }} image)
- name: Build an image from Dockerfile
run: |
docker build --platform linux/${{ matrix.arch }} --pull --build-arg TARGETARCH=${{ matrix.arch }} -t spacelift:${{ github.sha }}-${{ matrix.arch }} .
docker build -t spacelift:${{ github.sha }} .
- name: Run Trivy vulnerability scanner (${{ matrix.arch }} image)
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: "spacelift:${{ github.sha }}-${{ matrix.arch }}"
image-ref: "spacelift:${{ github.sha }}"
format: "template"
template: "@/contrib/sarif.tpl"
output: "trivy-results.sarif"
severity: "CRITICAL,HIGH"

- name: Upload Trivy scan results to GitHub Security tab (${{ matrix.arch }} image)
uses: github/codeql-action/upload-sarif@v2
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: "trivy-results.sarif"
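Review bot: `docker build -t spacelift:${{ github.sha }} .` on the new side drops the `--pull` flag, so if the runner already holds a cached `alpine` layer (hosted images ship with some pre-cached base images) the scan may run against that layer rather than the one currently published for the tag, and Trivy would report the stale package set; restore it as `docker build --pull -t spacelift:${{ github.sha }} .`. Separately, `aquasecurity/trivy-action@master` (an unchanged line) fetches the scanner from a moving branch and `github/codeql-action/upload-sarif@v1` is an older major than the removed `@v2`; pinning both to release tags or full commit SHAs keeps scan results reproducible. The `on:`/`jobs:` mappings start above the hunk.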
17 changes: 7 additions & 10 deletions Dockerfile
@@ -1,6 +1,4 @@
FROM alpine:3.16

ARG TARGETARCH
FROM alpine:3.14.0

RUN apk -U upgrade && apk add --no-cache \
aws-cli \
Expand All @@ -14,16 +12,15 @@ RUN apk -U upgrade && apk add --no-cache \
tzdata

# Download infracost
ADD "https://github.com/infracost/infracost/releases/latest/download/infracost-linux-${TARGETARCH}.tar.gz" /tmp/infracost.tar.gz
RUN tar -xzf /tmp/infracost.tar.gz -C /bin && \
mv "/bin/infracost-linux-${TARGETARCH}" /bin/infracost && \
rm /tmp/infracost.tar.gz
RUN curl -s -L https://github.com/infracost/infracost/releases/latest/download/infracost-linux-amd64.tar.gz | \
tar xz -C /tmp && \
mv /tmp/infracost-linux-amd64 /bin/infracost

# Download Terragrunt.
ADD "https://github.com/gruntwork-io/terragrunt/releases/latest/download/terragrunt_linux_${TARGETARCH}" /bin/terragrunt
RUN chmod +x /bin/terragrunt
RUN wget -O /bin/terragrunt https://github.com/gruntwork-io/terragrunt/releases/latest/download/terragrunt_linux_amd64 \
&& chmod +x /bin/terragrunt

RUN echo "hosts: files dns" > /etc/nsswitch.conf \
&& adduser --disabled-password --uid=1983 spacelift

USER spacelift
USER spacelift
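Review bot: Both download steps on the new side fetch `releases/latest` with no version pin and no checksum, so what ends up in the image is whatever the upstream projects have published at build time, and a broken or tampered release would be installed silently; the `curl -s -L ... | tar xz` form also lacks `-f`, so an HTTP error body is piped into tar instead of failing the download cleanly. Pin each tool to an explicit release, verify the downloaded file against a SHA-256 recorded in the Dockerfile (both projects publish checksum files with their releases — confirm the exact filenames), and use `curl -fsSL`. `FROM alpine:3.14.0` pins an exact patch tag, so rebuilds of that series are never picked up and only the `apk -U upgrade` line keeps packages current; `alpine:3.14` (or a current release) would track fixes. The `RUN apk` instruction in the second hunk continues from above the hunk.
```dockerfile
# constructed example: pin releases and verify checksums before installing
ARG INFRACOST_VERSION=<pinned infracost release tag>
ARG INFRACOST_SHA256=<sha256 of infracost-linux-amd64.tar.gz for that release>
ARG TERRAGRUNT_VERSION=<pinned terragrunt release tag>
ARG TERRAGRUNT_SHA256=<sha256 of terragrunt_linux_amd64 for that release>

# Download infracost
RUN curl -fsSL "https://github.com/infracost/infracost/releases/download/${INFRACOST_VERSION}/infracost-linux-amd64.tar.gz" -o /tmp/infracost.tar.gz \
 && echo "${INFRACOST_SHA256}  /tmp/infracost.tar.gz" | sha256sum -c - \
 && tar xzf /tmp/infracost.tar.gz -C /tmp \
 && mv /tmp/infracost-linux-amd64 /bin/infracost \
 && rm /tmp/infracost.tar.gz

# Download Terragrunt.
RUN curl -fsSL "https://github.com/gruntwork-io/terragrunt/releases/download/${TERRAGRUNT_VERSION}/terragrunt_linux_amd64" -o /bin/terragrunt \
 && echo "${TERRAGRUNT_SHA256}  /bin/terragrunt" | sha256sum -c - \
 && chmod +x /bin/terragrunt

# … unchanged: nsswitch.conf, adduser, USER spacelift …
```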
