[EXPERIMENTAL] WIP #143

Closed
wants to merge 2 commits into from
Closed
38 changes: 38 additions & 0 deletions .github/workflows/build.yml
Expand Up @@ -7,6 +7,7 @@ on:
permissions:
contents: read
security-events: write # upload Sarif results
id-token: write

name: Build
jobs:
Expand All @@ -21,13 +22,32 @@ jobs:
id: get-TAG
run: |
echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV"

- name: "Read secrets"
id: read-secrets
uses: rancher-eio/read-vault-secrets@main
with:
secrets: |
secret/data/github/repo/${{ github.repository }}/github/release-app-credentials appId | APP_ID ;
secret/data/github/repo/${{ github.repository }}/github/release-app-credentials privateKey | PRIVATE_KEY

- name: "Generate GH App Token"
id: app-token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ env.APP_ID }}
private-key: ${{ env.PRIVATE_KEY }}

- name: Build container image
uses: docker/build-push-action@v6
with:
context: .
push: false
tags: rancher/hardened-calico:${{ env.TAG }}-amd64
file: Dockerfile
build-args: |
SRC=x-access-token:${{ steps.app-token.outputs.token }}@github.com/rancher/release-calico


- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
Expand Down Expand Up @@ -61,6 +81,22 @@ jobs:
id: get-TAG
run: |
echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV"

- name: "Read secrets"
id: read-secrets
uses: rancher-eio/read-vault-secrets@main
with:
secrets: |
secret/data/github/repo/${{ github.repository }}/github/release-app-credentials appId | APP_ID ;
secret/data/github/repo/${{ github.repository }}/github/release-app-credentials privateKey | PRIVATE_KEY

- name: "Generate GH App Token"
id: app-token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ env.APP_ID }}
private-key: ${{ env.PRIVATE_KEY }}

- name: Build container image
uses: docker/build-push-action@v6
with:
Expand All @@ -70,3 +106,5 @@ jobs:
file: Dockerfile
outputs: type=docker
platforms: linux/arm64
build-args: |
SRC=x-access-token:${{ steps.app-token.outputs.token }}@github.com/rancher/release-calico
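Review bot: The GitHub App token is passed as a plain build-arg (`SRC=x-access-token:${{ steps.app-token.outputs.token }}@...`) in both the amd64 and arm64 jobs, and build-arg values are recorded in the builder stage's layer metadata and BuildKit cache, so the token persists beyond the job even though `create-github-app-token` masks it in the log. Pass it as a BuildKit secret instead and keep the arg to the bare repo path: `secrets: |`, `  git_token=${{ steps.app-token.outputs.token }}`, `build-args: SRC=github.com/rancher/release-calico` (with a matching `--mount=type=secret,id=git_token` in the Dockerfile). Separately, `rancher-eio/read-vault-secrets@main` is a mutable ref that now gates a private-key read; if the org convention allows, pin it to a commit SHA. The workflow-level `id-token: write` is presumably for the Vault OIDC login and is granted to every job; it is worth a short comment like `# OIDC login to Vault (read-secrets step)` so the grant is not silently widened later. The job definitions begin above the visible hunks.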
18 changes: 3 additions & 15 deletions .github/workflows/release.yml
Expand Up @@ -33,8 +33,6 @@ jobs:
uses: rancher-eio/read-vault-secrets@main
with:
secrets: |
secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD
Expand All @@ -49,9 +47,7 @@ jobs:
tag: ${{ github.event.release.tag_name }}
platforms: linux/amd64

public-repo: rancher
public-username: ${{ env.DOCKER_USERNAME }}
public-password: ${{ env.DOCKER_PASSWORD }}
push-to-public: false

prime-repo: rancher
prime-registry: ${{ env.PRIME_REGISTRY }}
Expand Down Expand Up @@ -94,8 +90,6 @@ jobs:
uses: rancher-eio/read-vault-secrets@main
with:
secrets: |
secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD
Expand All @@ -110,9 +104,7 @@ jobs:
tag: ${{ github.event.release.tag_name }}
platforms: linux/arm64

public-repo: rancher
public-username: ${{ env.DOCKER_USERNAME }}
public-password: ${{ env.DOCKER_PASSWORD }}
push-to-public: false

prime-repo: rancher
prime-registry: ${{ env.PRIME_REGISTRY }}
Expand Down Expand Up @@ -161,8 +153,6 @@ jobs:
uses: rancher-eio/read-vault-secrets@main
with:
secrets: |
secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials registry | PRIME_REGISTRY ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials username | PRIME_REGISTRY_USERNAME ;
secret/data/github/repo/${{ github.repository }}/rancher-prime-registry/credentials password | PRIME_REGISTRY_PASSWORD
Expand All @@ -179,9 +169,7 @@ jobs:
image: hardened-calico
tag: ${{ github.event.release.tag_name }}

public-repo: rancher
public-username: ${{ env.DOCKER_USERNAME }}
public-password: ${{ env.DOCKER_PASSWORD }}
push-to-public: false

prime-repo: rancher
prime-registry: ${{ env.PRIME_REGISTRY }}
Expand Down
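Review bot: `push-to-public: false` is added to all three jobs without any explanation, and a reader of the file cannot tell whether public publishing is disabled permanently or only while the release source is switched to a private fork. A one-line comment above each occurrence, e.g. `# public (Docker Hub) publishing disabled while builds come from rancher/release-calico; re-enable with DOCKER_* credentials`, would record the intent. Dropping the Docker Hub credential reads from Vault is the right least-privilege move once they are unused, so the comment should also make clear they need to be restored together with the flag. The job definitions and the publish action's inputs extend outside the visible hunks.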
3 changes: 2 additions & 1 deletion Dockerfile
Expand Up @@ -9,6 +9,7 @@ FROM ${BCI_IMAGE} AS bci
FROM ${CNI_IMAGE} AS cni
FROM ${GO_IMAGE} AS builder
# setup required packages
ARG SRC=github.com/rancher/release-calico
ARG TAG=v3.29.1
RUN set -x && \
apk --no-cache add \
Expand All @@ -25,7 +26,7 @@ RUN set -x && \
libelf-static \
zstd-static \
zlib-static
RUN git clone --depth=1 https://github.com/projectcalico/calico.git $GOPATH/src/github.com/projectcalico/calico
RUN git clone --depth=1 https://${SRC}.git $GOPATH/src/github.com/projectcalico/calico
WORKDIR $GOPATH/src/github.com/projectcalico/calico
RUN git fetch --all --tags --prune
RUN git checkout tags/${TAG} -b ${TAG}
Expand Down
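Review bot: Embedding the token in the clone URL (`https://${SRC}.git` where `SRC` carries `x-access-token:<token>@`) writes the credential into the cloned repo's `.git/config` as the `origin` URL and into the builder stage's layer history, where it outlives the build; use a BuildKit secret mount instead, e.g. `RUN --mount=type=secret,id=git_token git clone --depth=1 "https://x-access-token:$(cat /run/secrets/git_token)@${SRC}.git" $GOPATH/src/github.com/projectcalico/calico`, keeping `SRC` as the bare `github.com/rancher/release-calico` path. Note that the following `git fetch --all --tags --prune` reuses the stored remote URL, so if the repo is private that step needs the same mount (or the clone, fetch and checkout should be merged into one `RUN`) and the remote URL should be reset to the token-free form afterwards. The new default `ARG SRC=github.com/rancher/release-calico` also changes what an unauthenticated local `docker build` clones; if that repo is not public, a comment stating that a token is required would save the next builder a confusing failure.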