refactor: add github actions for docker image push

- refactor existing github actions for image and binary push
- add exceptions for trivy scanner

.github/workflows/build.yaml

@@ -5,8 +5,7 @@ on:
  tags-ignore:
  - '*'
  branches:
- #- '*'
- - 'KS-*'
+ - '*'
  pull_request:
  branches: ['main', 'master']
 
@@ -43,7 +42,7 @@ jobs:
  - name: Build
  run: go build -v ./...
 
- build-scan-push-image:
+ build-scan-docker-images:
  runs-on: ubuntu-latest
  needs: lint-and-build
  steps:
@@ -58,7 +57,7 @@ jobs:
  - name: Set up Docker Buildx
  uses: docker/setup-buildx-action@v3
 
- - name: Login to Docker Hub # for testing the credentials
+ - name: Login to Docker Hub
  uses: docker/login-action@v2
  with:
  username: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -69,16 +68,17 @@ jobs:
  with:
  context: .
  file: ./dev.Dockerfile
- tags: 'controlplane/simulator:dev'
+ tags: |
+ controlplane/simulator:dev
  load: true
- push: false # for testing
+ push: false
 
  - name: Run Trivy vulnerability scanner on the dev image
  uses: aquasecurity/trivy-action@master
  with:
  image-ref: 'controlplane/simulator:dev'
  format: 'table'
- exit-code: '0'
+ exit-code: '1'
  vuln-type: 'os,library'
  severity: 'CRITICAL,HIGH'
 
@@ -96,7 +96,7 @@ jobs:
  with:
  image-ref: controlplane/simulator:${{ github.sha }}
  format: 'table'
- exit-code: '0' # TODO: change to 1 when we have no more vulnerabilities
+ exit-code: '1'
  vuln-type: 'os,library'
  severity: 'CRITICAL,HIGH'
-
+ trivyignores: './.trivy-config/.trivyignore'

.github/workflows/release.yaml

@@ -1,4 +1,4 @@
-name: release-binary
+name: release-binary-docker-images
 
 on:
  push:
@@ -10,13 +10,93 @@ permissions:
  contents: write
 
 jobs:
+ build-push-docker-images:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout source code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Login to Docker Hub
+ uses: docker/login-action@v2
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+ - name: Build and tag dev image
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ file: ./dev.Dockerfile
+ tags: |
+ controlplane/simulator:dev
+ load: true
+ push: false
+
+ - name: Run Trivy vulnerability scanner on the dev image
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: 'controlplane/simulator:dev'
+ format: 'table'
+ exit-code: '1'
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
+
+ - name: Build and tag simulator image
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ file: ./Dockerfile
+ tags: controlplane/simulator:${{ github.ref_name }}
+ load: true
+ push: false
+
+ - name: Run Trivy vulnerability scanner on simulator image
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: controlplane/simulator:${{ github.ref_name }}
+ format: 'table'
+ exit-code: '1'
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
+ trivyignores: './.trivy-config/.trivyignore'
+
+ - name: Build and push dev image ## should use cache image from the previous step
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ file: ./dev.Dockerfile
+ tags: 'controlplane/simulator:dev'
+ load: false ## push and load cannot be set at the same time
+ push: true
+
+ - name: pull dev image
+ run: |
+ docker images ls
+ docker pull controlplane/simulator:dev
+ docker images ls
+
+ - name: Build and push simulator image ## should use cache image from the previous step
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ file: ./Dockerfile
+ tags: |
+ controlplane/simulator:${{ github.ref_name }}
+ controlplane/simulator:latest
+ load: false
+ push: true
+
  goreleaser:
  runs-on: ubuntu-latest
+ name: goreleaser
+ needs: build-push-docker-images
  steps:
  - name: Checkout
  uses: actions/checkout@v4
  with:
- fetch-depth: 0 # Shallow clones should be disabled for a releaser
+ fetch-depth: 0
 
  - name: Setup Go
  uses: actions/setup-go@v4

.trivy-config/.trivyignore

@@ -0,0 +1,24 @@
+## these following are not fixed in the upstream yet, so we are ignoring them for now
+# packer-plugin-amazon_v1.2.8_x5.0_linux_amd64 
+# registry.terraform.io/hashicorp/template/2.2.0/linux_amd64/terraform-provider-template_v2.2.0_x4
+CVE-2023-39325
+GHSA-m425-mq94-257g
+CVE-2022-26945
+CVE-2022-30321
+CVE-2022-30322
+CVE-2022-30323
+CVE-2019-19316
+CVE-2020-16845
+CVE-2021-29482
+CVE-2020-29652
+CVE-2020-7919
+CVE-2020-9283
+CVE-2021-43565
+CVE-2022-27191
+CVE-2019-9512
+CVE-2019-9514
+CVE-2021-33194
+CVE-2022-27664
+CVE-2022-41723
+CVE-2021-38561
+CVE-2022-32149

CHANGELOG.md

@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 
 ## Table of Contents
 
+- [2.0.0](#200)
+
+## `2.0.0`
+
+- New scenarios format and API
+
 - [2.0.0-alpha1](#200-alpha1)
 
 ## `2.0.0-alpha1`

Dockerfile

@@ -4,5 +4,5 @@ COPY --chown=ubuntu:ubuntu packer packer
 COPY --chown=ubuntu:ubuntu terraform terraform
 COPY --chown=ubuntu:ubuntu ansible ansible
 
-RUN cd packer && packer init bastion.pkr.hcl && packer init k8s.pkr.hcl
-RUN cd terraform/workspaces/simulator && terraform init -backend=false
+RUN cd packer && packer init -upgrade bastion.pkr.hcl && packer init -upgrade k8s.pkr.hcl
+RUN cd terraform/workspaces/simulator && terraform init -upgrade -backend=false

dev.Dockerfile

@@ -1,6 +1,6 @@
 ARG GOLANG_IMAGE=golang:1.21.5-alpine3.19@sha256:55f716237933c85cee01748700755b4ac8736fb1ca974c9aed051691b68d6dc2
 ARG GOLANGCI_LINT_IMAGE=golangci/golangci-lint:latest@sha256:fb70c9b2e6d0763141f057abcafde7f88d5e4bb3b5882d6b14bc79382f04481c
-ARG PACKER_IMAGE=hashicorp/packer:1.10@sha256:00dcbbc0e5a3346a9d8b7ea97d86d2e1deb5be4191e027499646242fdb1768b6
+ARG PACKER_IMAGE=hashicorp/packer:1.10@sha256:a10638519af09f5ecad52b6eb4eab489377e4e89f30ea46832f1f401a234d783
 ARG TERRAFORM_IMAGE=hashicorp/terraform:1.6@sha256:d593c353357a3db5a795c2ba0b998580cf12bad9125807bd877092c2e813279b
 ARG UBUNTU_IMAGE=ubuntu:mantic@sha256:8d093e0651575a6437cc4a3d561f892a345d263aeac6156ef378fe6a4ccabd4c