Add separate image with gcloud cli (#31)

spacelift-io · Dec 15, 2022 · f8ac41d · f8ac41d
1 parent 3fa0d98
commit f8ac41d
Show file tree

Hide file tree

Showing 7 changed files with 102 additions and 15 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -5,8 +5,15 @@ on:
     ignore-branches:
       - main
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   deployment:
+    strategy:
+      matrix:
+        base_image: ["alpine:3.17", "gcr.io/google.com/cloudsdktool/google-cloud-cli:alpine"]
     name: Build the image
     runs-on: ubuntu-latest
     container: docker
@@ -26,17 +33,25 @@ jobs:
         uses: docker/build-push-action@v3
         with:
           push: false
+          args: |
+            BASE_IMAGE=${{ matrix.base_image }}
           platforms: linux/amd64,linux/arm64
           tags: runner-terraform:latest
 
       # Can't use the output of the previous step because it's
       # a multiplatform build, so we need to build it again.
-      - name: Test if terragrunt & infracost are executable (AMD64)
+      - name: Test if terragrunt & infracost & gcloud are executable (AMD64)
         run: |
-          docker build --build-arg TARGETARCH=amd64 -t runner-terraform-test .
+          docker build --build-arg TARGETARCH=amd64 --build-arg BASE_IMAGE=${{ matrix.base_image }} -t runner-terraform-test .
           docker run --rm runner-terraform-test sh -c "terragrunt --version && infracost --version"
+          if [ ${{ matrix.base_image }} = "gcr.io/google.com/cloudsdktool/google-cloud-cli:alpine" ]; then
+            docker run --rm runner-terraform-test sh -c "gcloud --version"
+          fi
 
-      - name: Test if terragrunt & infracost are executable (ARM64)
+      - name: Test if terragrunt & infracost & gcloud are executable (ARM64)
         run: |
-          docker build --build-arg TARGETARCH=arm64 -t runner-terraform-test .
+          docker build --build-arg TARGETARCH=arm64 --build-arg BASE_IMAGE=${{ matrix.base_image }} -t runner-terraform-test .
           docker run --rm runner-terraform-test sh -c "terragrunt --version && infracost --version"
+          if [ ${{ matrix.base_image }} = "gcr.io/google.com/cloudsdktool/google-cloud-cli:alpine" ]; then
+            docker run --rm runner-terraform-test sh -c "gcloud --version"
+          fi
diff --git a/.github/workflows/publish/action.yml b/.github/workflows/publish/action.yml
@@ -2,6 +2,9 @@ name: Publish
 description: Builds and pushes the Docker image to the public ECR and GitHub registry
 
 inputs:
+  base_image:
+    description: Base image to use for the Dockerfile
+    required: true
   aws_role_to_assume:
     description: The AWS role to assume. Used to authenticate with ECR.
     required: true
@@ -75,6 +78,8 @@ runs:
         with:
           push: true
           context: .
+          args: |
+            BASE_IMAGE=${{ inputs.base_image }}
           platforms: linux/amd64,linux/arm64
           tags: ${{ inputs.image_tags }}
 

diff --git a/.github/workflows/publish_future.yml b/.github/workflows/publish_future.yml
@@ -21,12 +21,24 @@ jobs:
         with:
           files: .github/workflows/publish/action.yml
 
-      - name: Build and push future image
+      - name: Build and push future image without gcloud
         uses: ./.github/workflows/publish
         with:
+          base_image: 'alpine:3.17'
           aws_role_to_assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
           github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_release: false
           image_tags: |
             ${{ secrets.PUBLIC_RUNNER_TERRAFORM_ECR_REPOSITORY_URL }}:future
             ghcr.io/spacelift-io/runner-terraform:future
+
+      - name: Build and push future image with gcloud
+        uses: ./.github/workflows/publish
+        with:
+          base_image: 'gcr.io/google.com/cloudsdktool/google-cloud-cli:alpine'
+          aws_role_to_assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          publish_release: false
+          image_tags: |
+            ${{ secrets.PUBLIC_RUNNER_TERRAFORM_ECR_REPOSITORY_URL }}-gcp:future
+            ghcr.io/spacelift-io/runner-terraform-gcp:future
diff --git a/.github/workflows/publish_scheduled.yml b/.github/workflows/publish_scheduled.yml
@@ -33,9 +33,10 @@ jobs:
         with:
           files: .github/workflows/publish/action.yml
 
-      - name: Build and push weekly image
+      - name: Build and push weekly image without gcloud
         uses: ./.github/workflows/publish
         with:
+          base_image: 'alpine:3.17'
           aws_role_to_assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
           github_token: ${{ secrets.GITHUB_TOKEN }}
           git_tag: ${{ steps.latest-tag.outputs.tag }}
@@ -45,9 +46,36 @@ jobs:
             ## Weekly rebuild
             This is a weekly rebuild of the latest image (`${{ steps.latest-tag.outputs.tag }}`).
             The image is rebuilt to ensure that it is up to date with the latest security patches.
+            ## Updated images
+            ### Without gcloud CLI
+            - `${{ secrets.PUBLIC_RUNNER_TERRAFORM_ECR_REPOSITORY_URL }}:latest`
+            - `${{ secrets.PUBLIC_RUNNER_TERRAFORM_ECR_REPOSITORY_URL }}:${{ steps.latest-tag.outputs.tag }}_${{ env.TODAY }}`
+            - `ghcr.io/spacelift-io/runner-terraform:latest`
+            - `ghcr.io/spacelift-io/runner-terraform:${{ steps.latest-tag.outputs.tag }}_${{ env.TODAY }}`
+
+            ### With gcloud CLI
+            - `${{ secrets.PUBLIC_RUNNER_TERRAFORM_ECR_REPOSITORY_URL }}-gcp:latest`
+            - `${{ secrets.PUBLIC_RUNNER_TERRAFORM_ECR_REPOSITORY_URL }}-gcp:${{ steps.latest-tag.outputs.tag }}_${{ env.TODAY }}`
+            - `ghcr.io/spacelift-io/runner-terraform-gcp:latest`
+            - `ghcr.io/spacelift-io/runner-terraform-gcp:${{ steps.latest-tag.outputs.tag }}_${{ env.TODAY }}`
           checkout_ref: ${{ steps.latest-tag.outputs.tag }}
           image_tags: |
             ${{ secrets.PUBLIC_RUNNER_TERRAFORM_ECR_REPOSITORY_URL }}:latest
             ${{ secrets.PUBLIC_RUNNER_TERRAFORM_ECR_REPOSITORY_URL }}:${{ steps.latest-tag.outputs.tag }}_${{ env.TODAY }}
             ghcr.io/spacelift-io/runner-terraform:latest
             ghcr.io/spacelift-io/runner-terraform:${{ steps.latest-tag.outputs.tag }}_${{ env.TODAY }}
+
+      - name: Build and push weekly image with gcloud
+        uses: ./.github/workflows/publish
+        with:
+          base_image: 'gcr.io/google.com/cloudsdktool/google-cloud-cli:alpine'
+          aws_role_to_assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          git_tag: ${{ steps.latest-tag.outputs.tag }}
+          publish_release: false
+          checkout_ref: ${{ steps.latest-tag.outputs.tag }}
+          image_tags: |
+            ${{ secrets.PUBLIC_RUNNER_TERRAFORM_ECR_REPOSITORY_URL }}-gcp:latest
+            ${{ secrets.PUBLIC_RUNNER_TERRAFORM_ECR_REPOSITORY_URL }}-gcp:${{ steps.latest-tag.outputs.tag }}_${{ env.TODAY }}
+            ghcr.io/spacelift-io/runner-terraform-gcp:latest
+            ghcr.io/spacelift-io/runner-terraform-gcp:${{ steps.latest-tag.outputs.tag }}_${{ env.TODAY }}
diff --git a/.github/workflows/publish_tagged.yml b/.github/workflows/publish_tagged.yml
@@ -28,9 +28,10 @@ jobs:
         with:
           files: .github/workflows/publish/action.yml
 
-      - name: Build and push latest image
+      - name: Build and push latest image without gcloud
         uses: ./.github/workflows/publish
         with:
+          base_image: 'alpine:3.17'
           aws_role_to_assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
           github_token: ${{ secrets.GITHUB_TOKEN }}
           git_tag: ${{ steps.latest-tag.outputs.tag }}
@@ -40,4 +41,18 @@ jobs:
             ${{ secrets.PUBLIC_RUNNER_TERRAFORM_ECR_REPOSITORY_URL }}:latest
             ${{ secrets.PUBLIC_RUNNER_TERRAFORM_ECR_REPOSITORY_URL }}:${{ steps.latest-tag.outputs.tag }}
             ghcr.io/spacelift-io/runner-terraform:latest
-            ghcr.io/spacelift-io/runner-terraform:${{ steps.latest-tag.outputs.tag }}
+            ghcr.io/spacelift-io/runner-terraform:${{ steps.latest-tag.outputs.tag }}
+
+      - name: Build and push latest image with gcloud
+        uses: ./.github/workflows/publish
+        with:
+          base_image: 'gcr.io/google.com/cloudsdktool/google-cloud-cli:alpine'
+          aws_role_to_assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          git_tag: ${{ steps.latest-tag.outputs.tag }}
+          publish_release: false
+          image_tags: |
+            ${{ secrets.PUBLIC_RUNNER_TERRAFORM_ECR_REPOSITORY_URL }}-gcp:latest
+            ${{ secrets.PUBLIC_RUNNER_TERRAFORM_ECR_REPOSITORY_URL }}-gcp:${{ steps.latest-tag.outputs.tag }}
+            ghcr.io/spacelift-io/runner-terraform-gcp:latest
+            ghcr.io/spacelift-io/runner-terraform-gcp:${{ steps.latest-tag.outputs.tag }}
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -8,13 +8,20 @@ on:
   schedule:
     - cron: "19 7 * * 0"
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   build:
     strategy:
       matrix:
         arch: [amd64, arm64]
+        base_image: ["alpine:3.17", "gcr.io/google.com/cloudsdktool/google-cloud-cli:alpine"]
     name: Analyze
     runs-on: ubuntu-latest
+    env:
+      IMAGE_TAG: spacelift:${{ github.sha }}-${{ matrix.arch }}
 
     steps:
       - name: Checkout code
@@ -26,20 +33,23 @@ jobs:
         with:
           platforms: linux/arm64
 
-      - name: Build an image from Dockerfile (${{ matrix.arch }} image)
+      - name: Build an image from Dockerfile (${{ matrix.base_image }} ${{ matrix.arch }} image)
+        env:
+          PLATFORM: linux/${{ matrix.arch }}
+          DOCKERFILE: ${{ matrix.base_image }}
         run: |
-          docker build --platform linux/${{ matrix.arch }} --pull --build-arg TARGETARCH=${{ matrix.arch }} -t spacelift:${{ github.sha }}-${{ matrix.arch }} .
+          docker build --platform $PLATFORM --pull --build-arg TARGETARCH=${{ matrix.arch }} --build-arg BASE_IMAGE=${{ matrix.base_image }} -t $IMAGE_TAG .
 
-      - name: Run Trivy vulnerability scanner (${{ matrix.arch }} image)
+      - name: Run Trivy vulnerability scanner (${{ matrix.base_image }} ${{ matrix.arch }} image)
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "spacelift:${{ github.sha }}-${{ matrix.arch }}"
+          image-ref: ${{ env.IMAGE_TAG }}
           format: "template"
           template: "@/contrib/sarif.tpl"
           output: "trivy-results.sarif"
           severity: "CRITICAL,HIGH"
 
-      - name: Upload Trivy scan results to GitHub Security tab (${{ matrix.arch }} image)
+      - name: Upload Trivy scan results to GitHub Security tab (${{ matrix.base_image }} ${{ matrix.arch }} image)
         uses: github/codeql-action/upload-sarif@v2
         with:
           sarif_file: "trivy-results.sarif"
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,6 @@
-FROM alpine:3.16
+ARG BASE_IMAGE=alpine:3.17
+
+FROM ${BASE_IMAGE}
 
 ARG TARGETARCH
 
@@ -27,4 +29,4 @@ RUN chmod 755 /bin/terragrunt
 RUN echo "hosts: files dns" > /etc/nsswitch.conf \
     && adduser --disabled-password --uid=1983 spacelift
 
-USER spacelift
+USER spacelift