ci update (#21)

* updates to kubectl-shell Dockerfile

* cleanup

* cleanup task names

* docker scout action

* updating workflow

.github/workflows/base.yaml

@@ -1,12 +1,16 @@
 name: "base"
 
 on:
+  workflow_dispatch:
   schedule:
     - cron: "0 0 * * *" # 00:00 UTC Everyday
-  workflow_dispatch:
+
+env:
+  DOCKER_HUB_REPO: portainer/base
+  IMAGE_TAG: latest
 
 jobs:
-  base-ci:
+  build_images:
     runs-on: ubuntu-latest
     steps:
       - name: "[preparation] checkout"
@@ -31,11 +35,11 @@ jobs:
           username: ${{ secrets.DOCKER_HUB_USERNAME }}
           password: ${{ secrets.DOCKER_HUB_PASSWORD }}
 
-      - name: Build and push
+      - name: "build and push images"
         uses: docker/build-push-action@v6.7.0
         with:
           context: base/ 
-          tags: portainer/base:latest
+          tags: ${{ env.DOCKER_HUB_REPO }}:${{ env.IMAGE_TAG }}
           platforms: |
             linux/amd64
             linux/arm64

.github/workflows/kubectl-shell.yaml

@@ -0,0 +1,86 @@
+name: "kubectl-shell"
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - develop
+    paths:
+      - 'kube-shell/**'
+  pull_request:
+    branches:
+      - develop
+    paths:
+      - 'kube-shell/**'
+
+env:
+  DOCKER_HUB_REPO: portainerci/kubectl-shell
+  GITHUB_PR_NUMBER: ${{ github.event.pull_request.number }}
+
+jobs:
+  build_images:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "[preparation] checkout"
+        uses: actions/checkout@v4.1.1
+
+      - name: "[preparation] set up qemu"
+        uses: docker/setup-qemu-action@v3.2.0
+
+      - name: "[preparation] set up docker context for buildx"
+        run: docker context create builders
+
+      - name: "[preparation] set up docker buildx"
+        uses: docker/setup-buildx-action@v3.6.1
+        with:
+          endpoint: builders
+          driver-opts: image=moby/buildkit:v0.16.0
+          platforms: linux/amd64,linux/arm64,linux/arm,linux/ppc64le
+
+      - name: "[preparation] docker login"
+        uses: docker/login-action@v3.3.0
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+
+      - name: "set image tag for pull request"
+        run: |
+          echo "IMAGE_TAG=pr${{ github.event.pull_request.number }}" >> $GITHUB_ENV
+        if: ${{ github.event_name == 'pull_request' }}
+
+      - name: "set image tag for develop"
+        run: |
+          echo "IMAGE_TAG=latest" >> $GITHUB_ENV
+        if: ${{ github.event_name == 'push' }}
+
+      - name: "build and push images"
+        uses: docker/build-push-action@v6.7.0
+        with:
+          context: kubectl-shell/ 
+          tags: ${{ env.DOCKER_HUB_REPO }}:${{ env.IMAGE_TAG }}
+          build-args: |
+            KUBERNETES_RELEASE=v1.31.0
+            ALPINE=alpine:latest
+            HELM_VERSION=v3.15.4
+          platforms: |
+            linux/amd64
+            linux/arm64
+            linux/arm
+            linux/ppc64le
+          attests: |
+            type=sbom,generator=docker/scout-sbom-indexer:latest
+            type=provenance,mode=max
+          push: true
+
+      - name: "docker scout scan"
+        id: docker-scout
+        if: ${{ github.event_name == 'pull_request' }}
+        uses: docker/scout-action@v1
+        with:
+          command: cves
+          image: ${{ env.DOCKER_HUB_REPO }}:${{ env.IMAGE_TAG }}
+          to: portainer/base:latest
+          ignore-unchanged: true
+          only-severities: critical,high
+          write-comment: true
+          github-token: ${{ secrets.GITHUB_TOKEN }}

kube-shell/Dockerfile → kubectl-shell/Dockerfile

@@ -1,21 +1,20 @@
 ARG ALPINE=alpine:latest
-FROM ${ALPINE} as alpine
-ARG ARCH
-
+FROM ${ALPINE} AS alpine
+ARG TARGETARCH
 ARG KUBECTL_VERSION=v1.31.0
 ARG HELM_VERSION=v3.15.4
 
 RUN apk add -U --no-cache bash bash-completion curl jq
 
 # Kubectl CLI
-RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl && \
+RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl && \
     chmod +x ./kubectl && \
     mv ./kubectl /usr/local/bin/kubectl && \
     echo -e 'source /usr/share/bash-completion/bash_completion\nsource <(kubectl completion bash)' >>~/.bashrc
 
 # Helm
-RUN curl -L https://get.helm.sh/helm-${HELM_VERSION}-linux-${ARCH}.tar.gz | tar xvzf - && \
-    mv ./linux-${ARCH}/helm . && \
+RUN curl -L https://get.helm.sh/helm-${HELM_VERSION}-linux-${TARGETARCH}.tar.gz | tar xvzf - && \
+    mv ./linux-${TARGETARCH}/helm . && \
     chmod +x ./helm && \
     mv ./helm /usr/local/bin/helm