diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 443c559..aabcb07 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -5,7 +5,6 @@ on:
     ignore-branches:
       - main
       - future
-
 jobs:
   deployment:
     name: Build the image
@@ -13,26 +12,13 @@ jobs:
     container: docker
     steps:
       - name: Check out repository code
-        uses: actions/checkout@main
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
-        with:
-          platforms: linux/arm64
+        uses: actions/checkout@master
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v1
 
       - name: Build and push the image
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v2
         with:
           push: false
-          platforms: linux/amd64,linux/arm64
-          tags: runner-terraform:latest
-
-      # Can't use the output of the previous step because it's
-      # a multiplatform build, so we need to build it again.
-      - name: Test if terragrunt & infracost works
-        run: |
-          docker build --build-arg TARGETARCH=amd64 -t runner-terraform-test .
-          docker run --rm runner-terraform-test sh -c "terragrunt --version && infracost --version"
+          tags: terraform-runner:latest
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 048b692..6579c02 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -20,7 +20,7 @@ jobs:
     steps:
       - name: Check out repository code
-        uses: actions/checkout@main
+        uses: actions/checkout@master
 
       - name: Install the latest AWS CLI
         run: |
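Review bot: `uses: actions/checkout@master` resolves a mutable branch on every run, so the checkout step's code can change underneath this workflow without any change in this repository; pin to a release tag or, better, a full commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v<release>`. The same floating reference is introduced in deploy.yml's checkout step, while the trivy.yml and prod-pr.yml hunks pin `@v2`, so the four workflows now disagree on how the same action is pinned. The removed "Test if terragrunt & infracost works" step was the only place that ran the built image, so after this change nothing in CI verifies that the downloaded binaries actually execute; if dropping it is intentional, a comment above the build step such as `# no smoke test: the image is only built here, see deploy.yml` would stop the next reader from re-adding it blindly.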
@@ -39,25 +39,19 @@ jobs:
         run: aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
 
       - name: Log in to GitHub registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v1
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
-        with:
-          platforms: linux/arm64
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v1
 
       - name: Build and push the image
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v2
         with:
           push: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/future' }}
-          platforms: linux/amd64,linux/arm64
           tags: |
             ${{ secrets.PUBLIC_RUNNER_TERRAFORM_ECR_REPOSITORY_URL }}:${{ github.ref == 'refs/heads/main' && 'latest' || 'future' }}
             ghcr.io/spacelift-io/runner-terraform:${{ github.ref == 'refs/heads/main' && 'latest' || 'future' }}
diff --git a/.github/workflows/prod-pr.yml b/.github/workflows/prod-pr.yml
index 220c74d..18f7268 100644
--- a/.github/workflows/prod-pr.yml
+++ b/.github/workflows/prod-pr.yml
@@ -8,7 +8,7 @@ jobs:
   create-pr:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@main
+      - uses: actions/checkout@v2
 
       - name: Create Pull Request
         uses: vsoch/pull-request-action@1.0.22
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 69c73b3..9936ba5 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
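Review bot: Dropping `platforms: linux/amd64,linux/arm64` from a step that still pushes (`push:` is true on main and future) means the `latest`/`future` tags on ECR Public and ghcr.io are republished as single-architecture images — presumably amd64, the builder's own — replacing whatever multi-arch manifest those tags carried, so arm64 consumers of the tags fail to pull rather than keep an older image. If single-arch is the intent, say so where the tags are declared, e.g. `# amd64-only: multi-arch publishing removed, see <commit/issue placeholder>`. Separately, `docker/login-action@v1` and `docker/build-push-action@v2` are floating major tags in the one job that holds registry credentials (`GITHUB_TOKEN` and the ECR login session); pinning both to full commit SHAs limits what a retagged or compromised release could do with them.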
@@ -10,36 +10,27 @@ on:
 jobs:
   build:
-    strategy:
-      matrix:
-        arch: [amd64, arm64]
     name: Analyze
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@main
+        uses: actions/checkout@v2
 
-      - name: Set up QEMU
-        if: matrix.arch == 'arm64'
-        uses: docker/setup-qemu-action@v2
-        with:
-          platforms: linux/arm64
-      - name: Build an image from Dockerfile (${{ matrix.arch }} image)
+      - name: Build an image from Dockerfile
         run: |
-          docker build --platform linux/${{ matrix.arch }} --pull --build-arg TARGETARCH=${{ matrix.arch }} -t spacelift:${{ github.sha }}-${{ matrix.arch }} .
+          docker build -t spacelift:${{ github.sha }} .
 
-      - name: Run Trivy vulnerability scanner (${{ matrix.arch }} image)
+      - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "spacelift:${{ github.sha }}-${{ matrix.arch }}"
+          image-ref: "spacelift:${{ github.sha }}"
           format: "template"
           template: "@/contrib/sarif.tpl"
           output: "trivy-results.sarif"
           severity: "CRITICAL,HIGH"
 
-      - name: Upload Trivy scan results to GitHub Security tab (${{ matrix.arch }} image)
-        uses: github/codeql-action/upload-sarif@v2
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
         with:
           sarif_file: "trivy-results.sarif"
diff --git a/Dockerfile b/Dockerfile
index e2a68c2..382b4cc 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,4 @@
-FROM alpine:3.16
-
-ARG TARGETARCH
+FROM alpine:3.14.0
 
 RUN apk -U upgrade && apk add --no-cache \
   aws-cli \
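Review bot: The scanner step's `with:` block has no `exit-code` input, so with `severity: "CRITICAL,HIGH"` the job still succeeds when findings exist and they only surface in the Security tab; if this workflow is meant to gate, add `exit-code: "1"` and give the upload step `if: always()` so the SARIF is still uploaded when the scan fails the job. `aquasecurity/trivy-action@master` is unchanged context here, but it is a floating branch reference in the job that builds and inspects the image — pin it to a tagged release or commit SHA the way the checkout step now is. The upload through `github/codeql-action/upload-sarif@v1` needs `security-events: write`; no `permissions:` block is visible in the hunk, so confirm the workflow or job grants it explicitly rather than relying on the repository's default token scope.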
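Review bot: `FROM alpine:3.14.0` pins a tag, not content: the tag can be re-pushed, and an exact patch tag never moves to the later 3.14.x point releases that `alpine:3.14` would, so the `apk -U upgrade` that follows is the only thing keeping the base current. Pin by digest and keep the tag for humans, `FROM alpine:3.14.0@sha256:<image-digest>`, and let a dependency bot bump it. Going from 3.16 back to 3.14.0 also reverts the base by two release series; if that is deliberate (a compatibility problem, say), a one-line comment on the FROM line stating why will prevent an immediate re-upgrade.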
@@ -14,16 +12,15 @@ RUN apk -U upgrade && apk add --no-cache \
   tzdata
 
 # Download infracost
-ADD "https://github.com/infracost/infracost/releases/latest/download/infracost-linux-${TARGETARCH}.tar.gz" /tmp/infracost.tar.gz
-RUN tar -xzf /tmp/infracost.tar.gz -C /bin && \
-  mv "/bin/infracost-linux-${TARGETARCH}" /bin/infracost && \
-  rm /tmp/infracost.tar.gz
+RUN curl -s -L https://github.com/infracost/infracost/releases/latest/download/infracost-linux-amd64.tar.gz | \
+  tar xz -C /tmp && \
+  mv /tmp/infracost-linux-amd64 /bin/infracost
 
 # Download Terragrunt.
-ADD "https://github.com/gruntwork-io/terragrunt/releases/latest/download/terragrunt_linux_${TARGETARCH}" /bin/terragrunt
-RUN chmod +x /bin/terragrunt
+RUN wget -O /bin/terragrunt https://github.com/gruntwork-io/terragrunt/releases/latest/download/terragrunt_linux_amd64 \
+  && chmod +x /bin/terragrunt
 
 RUN echo "hosts: files dns" > /etc/nsswitch.conf \
   && adduser --disabled-password --uid=1983 spacelift
-USER spacelift
\ No newline at end of file
+USER spacelift